ad4f1952b60f4356c3ed6ccb08cedc704981e2ab3ec8592cefea7c77210dad14

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
Size

5.5MB
MD5

f5489b0f366607ced405548068fc90ab
SHA1

ad76cf6d4163b43fed09f00474db7bec5a9919f4
SHA256

ad4f1952b60f4356c3ed6ccb08cedc704981e2ab3ec8592cefea7c77210dad14
SHA512

c1ffa8473341cfc031412838f80dd8d8d1577240858c8a172d607084320312a180982c3cdd638d4e08f861e0b59d3ec7e40c1070457d0149f4a71f14e39b3525
SSDEEP

49152:YEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGf6:2AI5pAdVJn9tbnR1VgBVmS8t4C7

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
2300	alg.exe
4936	DiagnosticsHub.StandardCollector.Service.exe
5100	fxssvc.exe
4056	elevation_service.exe
2876	elevation_service.exe
2232	maintenanceservice.exe
4968	msdtc.exe
4104	OSE.EXE
1656	PerceptionSimulationService.exe
2564	perfhost.exe
2040	locator.exe
1648	SensorDataService.exe
864	snmptrap.exe
2600	spectrum.exe
4432	ssh-agent.exe
4408	TieringEngineService.exe
3092	AgentService.exe
1968	vds.exe
1628	vssvc.exe
116	wbengine.exe
3496	WmiApSrv.exe
452	SearchIndexer.exe
5144	chrmstp.exe
5284	chrmstp.exe
5584	chrmstp.exe
5644	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exealg.exemsdtc.exe2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe

description	ioc	process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8fc11d0fc8648821.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\javaw.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe

Drops file in Windows directory 2 IoCs

Processes:

2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exechrome.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000007cc50ebadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000015291459ebadda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dea9d759ebadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000608b1659ebadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009191b74febadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000023d1de59ebadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133610365098196149"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000323b4450ebadda01	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exechrome.exe

pid process

3512 chrome.exe
3512 chrome.exe
3512 chrome.exe
3512 chrome.exe
4640 chrome.exe
4640 chrome.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

668
668
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

3512 chrome.exe
3512 chrome.exe
3512 chrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

pid	process
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
4640	chrome.exe
4640	chrome.exe

pid	process
668
668

pid	process
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exechrome.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4352	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
Token: SeTakeOwnershipPrivilege	1460	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
Token: SeAuditPrivilege	5100	fxssvc.exe
Token: SeRestorePrivilege	4408	TieringEngineService.exe
Token: SeManageVolumePrivilege	4408	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3092	AgentService.exe
Token: SeBackupPrivilege	1628	vssvc.exe
Token: SeRestorePrivilege	1628	vssvc.exe
Token: SeAuditPrivilege	1628	vssvc.exe
Token: SeBackupPrivilege	116	wbengine.exe
Token: SeRestorePrivilege	116	wbengine.exe
Token: SeSecurityPrivilege	116	wbengine.exe
Token: 33	452	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

3512 chrome.exe
3512 chrome.exe
3512 chrome.exe
5584 chrmstp.exe

pid	process
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
5584	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exechrome.exe

description	pid	process	target process
PID 4352 wrote to memory of 1460	4352	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
PID 4352 wrote to memory of 1460	4352	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
PID 4352 wrote to memory of 3512	4352	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe	chrome.exe
PID 4352 wrote to memory of 3512	4352	2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe	chrome.exe
PID 3512 wrote to memory of 4528	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 4528	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 1856	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 1856	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 1856	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 1856	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 1856	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 1856	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 1856	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 1856	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 1856	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 1856	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 1856	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 1856	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 1856	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 1856	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 1856	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 1856	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 1856	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 1856	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 1856	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 1856	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 1856	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 1856	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 1856	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 1856	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 1856	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 1856	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 1856	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 1856	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 1856	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 1856	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 1856	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 2812	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 2812	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 2292	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 2292	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 2292	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 2292	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 2292	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 2292	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 2292	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 2292	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 2292	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 2292	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 2292	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 2292	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 2292	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 2292	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 2292	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 2292	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 2292	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 2292	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 2292	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 2292	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 2292	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 2292	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 2292	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 2292	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 2292	3512	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4352

C:\Users\Admin\AppData\Local\Temp\2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_f5489b0f366607ced405548068fc90ab_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd61f7ab58,0x7ffd61f7ab68,0x7ffd61f7ab78
3⤵
PID:4528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1744 --field-trial-handle=1940,i,661228084784529840,17055118338290769588,131072 /prefetch:2
3⤵
PID:1856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1940,i,661228084784529840,17055118338290769588,131072 /prefetch:8
3⤵
PID:2812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2220 --field-trial-handle=1940,i,661228084784529840,17055118338290769588,131072 /prefetch:8
3⤵
PID:2292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1940,i,661228084784529840,17055118338290769588,131072 /prefetch:1
3⤵
PID:1524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3080 --field-trial-handle=1940,i,661228084784529840,17055118338290769588,131072 /prefetch:1
3⤵
PID:4500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4260 --field-trial-handle=1940,i,661228084784529840,17055118338290769588,131072 /prefetch:1
3⤵
PID:5216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4428 --field-trial-handle=1940,i,661228084784529840,17055118338290769588,131072 /prefetch:8
3⤵
PID:5356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4568 --field-trial-handle=1940,i,661228084784529840,17055118338290769588,131072 /prefetch:8
3⤵
PID:5392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4736 --field-trial-handle=1940,i,661228084784529840,17055118338290769588,131072 /prefetch:8
3⤵
PID:5964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4756 --field-trial-handle=1940,i,661228084784529840,17055118338290769588,131072 /prefetch:8
3⤵
PID:6112

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:5144

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
4⤵
- Executes dropped EXE
PID:5284

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5584

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x2a0,0x2a4,0x278,0x2a8,0x14044ae48,0x14044ae58,0x14044ae68
5⤵
- Executes dropped EXE
PID:5644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4836 --field-trial-handle=1940,i,661228084784529840,17055118338290769588,131072 /prefetch:8
3⤵
PID:5560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4160 --field-trial-handle=1940,i,661228084784529840,17055118338290769588,131072 /prefetch:8
3⤵
PID:5464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4884 --field-trial-handle=1940,i,661228084784529840,17055118338290769588,131072 /prefetch:8
3⤵
PID:5344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4200 --field-trial-handle=1940,i,661228084784529840,17055118338290769588,131072 /prefetch:8
3⤵
PID:4844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2416 --field-trial-handle=1940,i,661228084784529840,17055118338290769588,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4640

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2300

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4936

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1204

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5100

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4056

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2876

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2232

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4968

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4104

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1656

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2564

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2040

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1648

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:864

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2600

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4416

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4408

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3092

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1968

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:116

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3496

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:452

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4700

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:4164

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
a65e9094505fa695066c9691cdf5a396

SHA1
fa76e2222b2659caeec00161b8a85a8d57e4da2e

SHA256
3368e958bc507783b2b59c3c52ad5e471f66567cd73f4cc026e12148bc322df4

SHA512
814eb386eb5138f19cd2beb9e98ecfa4a44232623e72eee7a5b6d07a73980312e4fa7dae0cb4223b8df4e57e7bf2d5795503dcbb6b1bd9538e76cf85b7ae06ee

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
85e2b77edcb6ffcd5b9cbcfcd101753a

SHA1
b6cbe045b8e3df88d69961ab5d572208df373db8

SHA256
fcc24f15a5e80edc57b9e84e27b3de80834f0c3b8f602be973e6c52649f092a7

SHA512
5f513cfdc13b0b1cb9a66140f586598ae7c3eb8bf0ca36d42219f0cc80bb907f081be92be0b67303858ffc0a605f703e626e389cf3fc40d90aab987abc78cb1a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.4MB

MD5
1433de769f9cbb03085b3a41c674bfe4

SHA1
cfd67a3440ba85b540a5ffeb54079cfb5ea3a4f4

SHA256
d27d4b86737e48669f1771b76ec73717a84c4fe09be2e0a8eb56d2973cacc81c

SHA512
d2d6f5b5abafcb3c02c4886db976e5165d8fc17ebb6e9f2126219a507c50a2f6051ed167421508f70e4ede7397d29609f1b82647bb64122d22324fa860e49cce

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
57671ed09f6b472214d3883ad827b4e8

SHA1
9330ba63920a51188fd2a23cd8c2eb9edbee9318

SHA256
28f9349ee95e412043fc0b9e11df9fd5a6192babdb67daf404c3fd15a6bccb9d

SHA512
c298bc08ced0d8741c90e0d93309e368812d3579b044259faa4cf1ac5b34467476522eafc978aa3b5ac413b730a48ffae6ef590ec540a76da885358686657b87

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
1c8ff6de55d71c6a5311c9d7da52dc78

SHA1
3b33b39fbf5fd7cad6f69f31a7018f10ac8b366a

SHA256
6b2c65d0a83becd9194870869f695cd8c684e80329eb5bea1665e1e4204b9189

SHA512
9b8e9aa86d281a83562479d2fccc2f771a8821d4a8cb33479f8ec9837075b47dc8fb0ef5d262300ed676af208940c39f39b28d8d84e9a07f5da153572791d3c6

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\fe8a12bf-e016-4ba1-a197-9f6a24d1551e.tmp
Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
89f55681cd116518c116754e0407b2c8

SHA1
f5d4aeb85e94ba181091d6a1ebca93915919c9c6

SHA256
f36101d056932eba1217b54d3ee1c54e0c6c4120087bf1e1e0781625d2be6fc9

SHA512
8db0dc249a77703508e63c8314af4bddcf54ac4f887b26409f743b344b94f9afe762d266cbac8b8097ffb28870d40841c7f64ed60acd087dbc1768db15b1c0cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
32058a728e11d1e5d4ba88beec5335d6

SHA1
6302de2d5f915a8041f5a5521fc4b14fce1affd5

SHA256
50326baba155240b00624951408ab6dde505b047390c4c3515878db03416272d

SHA512
7ce53e65cb82a5080ec0c8f291e692edac68e5eb5e59baf72181232e6301ff92586ed9ace68cbc2f72b721a05b0d65df14dca42c6c065b5e63c95d3f6f45654d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
350B

MD5
10a01dbb511fc15dbc7a483de13a3f35

SHA1
b855582a06d25e4b9ee8e40d0f12ba4284b9aa20

SHA256
97ae3693e56e0d3d8b537bc077f7c2bab1b507509464012feb0f4ae3300047d9

SHA512
fe5647da12de670f0ad26c51b07b31202e3bb4676361a8ed11ab358ec45db9f13cd5fe9b9d7fb5e99cb14177812dab6a6a61d7c8819a8da20e96598eb870c8e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
dcef256c91c83d185f058f4ee1c84856

SHA1
e252aa8037ad12080d2490937e151b9718f12edd

SHA256
db33e7dac5fa5d35b5a4af6fc9056a399c0a0f5ff51657c649513b6c39ee743f

SHA512
8bd3357669a9fe3ed2dac5845713ec31171e56beb22b365d939f112c59284b08984747f0bac30f393f403c8d2e4f4b7abb3a07046bb132c4dcd02358f5b8db8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5779b4.TMP
Filesize
2KB

MD5
8e5632bb5baca5f24f88c9e2a8eb2b6d

SHA1
71f7dee86640b602595b40c6a65d7ed4498cf00d

SHA256
88575950e262396bd009db3c75b18b3a1cd44b7b869b90f9b2c961ce9b74c1ad

SHA512
def476d83ba944f2fe83839108072677672a230218192751dd5e37305d42816e2db59b6f368fe8d3ca8848542ac3e3732dea3a58187c1e14f372ff2f721dffcc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
68f6f708a7b99c807240206efe64f9ff

SHA1
5899acb37fae1ff0c05ca6960f3be9c3b58297fb

SHA256
ce954c9f5c274845eb4576286337105f48f7e590cea43de88003e2e1534487e6

SHA512
122b187702f6a75836964075be59c8936da5a4c905d15de4087a4e5d97ac86b69b47c840314207e527525d05082162c1ffe40753be34b3ac68a829e0ab5bb14c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
262KB

MD5
26aa37762b1ad114a14f026c492eddd7

SHA1
cb038981ab3e6533a1e549fd0d4c51ec59bbb5aa

SHA256
b00ed6ebac9fdf63f13ebe273fc8e5ecdcca25282312cb3601440f3d8eaf4033

SHA512
6e15d244c2549dffb2aa93a18c355fb954064a3982761f001d32e2f5ef6ec4714e319d182905993984d41b73349ad1a26145623892cdcdcc2482103b61528963

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
257KB

MD5
7a9cc371875871cf4a9aae685f67fb23

SHA1
9f872c9497393d6215e2f2cfb181645d1092d190

SHA256
06b91cedd3e98c828a83d6fed2fee2964ee375c040f79fbafa22b017b5b8b8b2

SHA512
8dec8c9fc75d1b23a28278665f0133f879677dfd3946d9d2111da9fcb5d732ab4ce85a4d2967e128bd0986e7510db015766107e4c6716b8c7854194af2fbe132

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
262KB

MD5
70a5c6aa2a0e263eea80b3cde36a6ac3

SHA1
ee1f381003a59812069ae38caf514f23e02653a8

SHA256
8e29d92568142f16838d45663cbfacc15f0e70b752fd987e770eeac22e2210e6

SHA512
9b0f4c7591ece25cef372cc5ddaa68c1c249f8ad23c3da0900434463b69de7f57eb6f1aa32c805346d1e11ce09866bf2b00ca1dbd7d4ef050d4ef9f4bd525bd4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
282KB

MD5
8485bc474d21e7a4348a9828352f7c06

SHA1
abc0d87ffdc8edf9e18df2f7aac20222d28c44bf

SHA256
f7107171de07c1030154715072e6e5a1774d74c96f07f075feec87e140f857e1

SHA512
321a870a43f69dd97c7976d1f84b32eb2ff4296eda660a74277b6d1e161c49dcbf124bb753ce83442fc16a77408810c5d10c3f286833b184731255c8ef3ad577

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
91KB

MD5
571cb27102a7905ba619f4b3055c047c

SHA1
3ecff65e476d3fd29317b13b6abbdb6c911ad034

SHA256
1b581f9f5a1449fd6af98696560a30066543a66a0edd8d380188e224390e903d

SHA512
30a44979dabdc3e72bb8c7b7cbdd5483174f2f32377e21d4c79c337e31ac81194fc8f68125d2561ccbe0f10d0c3ee387eca6bba542983d1b72a305f2d44f6c7e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57ef13.TMP
Filesize
88KB

MD5
0868c382d71834e41304f911fb82db15

SHA1
38437df454b3a7d39be19f4d35c473956f4d87af

SHA256
96ec57ce7055277c96e5ff36595db4dc2978e9944a1b88785ca19480682e58ca

SHA512
c2cf774c9a536134ad6710fa009dbc5ab7a9ff1f92606dbdc0102bf2cfdf5707be38a26201abd2047daec4a644db23e948d8f715d9690afb26a55dbb3cf4274d

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
7KB

MD5
0facf132ae4f1a895449b6857ded3f48

SHA1
f536198fefe68abe1be1aa91e33b6008ebb25e7d

SHA256
fed246a6a1387c7c98db5a63918fa508270e78d632fbb544de1d834defa6b3c3

SHA512
41dfcebfcaa0bb8174b6b00b3250af29efed2e24e48186010ace3b1e76a8f7be7126fcc01226b36523978a6ce4ae608462f094e7c14193c8b65b4599f0d5cd69

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
8KB

MD5
cc5b5a5aa665a0388d527626182bb2f1

SHA1
a74c39465293ccbb0d2b81985450c95ccbcec816

SHA256
cf41f504c5c0f687aa2917820d0a9acbba5e25c796c52a5bfc589bae1b6220e3

SHA512
20f5f970bd32d6fbdc2729a3c67c65fa61fa6eeeee5cc16275d545769e6ef29a41ced5c82a18695e371b2fcc9075d9355e2c1702d934e5588d7bd5929150671d

Download Submit
C:\Users\Admin\AppData\Roaming\8fc11d0fc8648821.bin
Filesize
12KB

MD5
16226ee386e048acdb19330836bf64b1

SHA1
96b8a7c8ce8cfa3258e68d36fac51e8cb4a7851b

SHA256
c98aab5927cbfaf0f19e58e11d5f0f20db5f455d9ff7a216ab5d0b1e72437151

SHA512
015147188973920fe40034c42f52f0709fede97f8f2ff6d1362c8a44e6a7c24605f9ad5076028df81eeb5979264a1c5b59311a43f6c06da0bb3986696a55ed70

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
b728f752adb530281cb4a9a871acad7b

SHA1
56bbcfd1e9d59000bb9c49971b258d850aaab542

SHA256
18c1016945022c012d39c1998f2e8b7b4e63a50ea802ce9f202254de9f69b756

SHA512
0df6e0f41b4f4c85aafa2172dca79f5b1f44383d2ce55aa099107e0107b38743e357f68e0cc03b3b958e8cf493069a92c17e2b4f7c2777c6ed39d4566ec1dae1

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
9cdab97c7503b4778e276b8d106b88de

SHA1
041712255366f587f262e8302a97951451310dc8

SHA256
a35a637ee3545104eded76e50f021bf2b1e662f89c4f983613594061cdb3f0d0

SHA512
d6240a79375a20a240cefdc0d80609ac34cfbcb97a0045e5df369e46a8e086081f5c72d5c4580a3932823ce9b481759f9688e37695cb8b68bbe4846f338496ad

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.3MB

MD5
82e6660eee213de40776a087f5343e6b

SHA1
806435a5df1adaf5d353b41195e900ab6b580823

SHA256
c31f2d44fecbcc063057bc61924e5fa8d6625d2dcf1d6161be41cfc459431ca0

SHA512
e36a31468f5ea83bcca4edc182defb2adfbf4474015743bd66311aecc91c83b9c1177571186a97e27a6286103bd116f22268d6877820ac2a5953750ab3bda1ee

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
0450b1712eadcf2aeeeb39cd2d219bf6

SHA1
a934b25082fa28aa9f1ea17678408c74491aa7b7

SHA256
2345f0cc092a703b4b9ec1ae85b823e6b90c65adaff7148ce1c0a8e1a037a3f3

SHA512
ef1e35e6eedf8437e783806f4269cfeb590df3531c9bea37b286f1dcf75d6cdd03aa4d63cee18a17a8e01e4831af5bc5336db3efaeba0ba906a37683c20ed980

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
a9524786506a62eb80f870e59514db2e

SHA1
ec6abe41000b6f55c64c3fe1f6ceaed784ac786a

SHA256
85d4c894bf6eb565827816dcbd724703aebc4ed81586b6d796007d46d5fd0515

SHA512
eae2189ab3f3bf0cffb262cc2776796c1b7b8f27f5da2b1cf25aade68647a1f5557f44efb3f140adf9f4bfe2fcc7fb890a61056111febab3265565f2cd4c04ca

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.5MB

MD5
398c65712e6e339fb78883f238ef0e49

SHA1
7b6d944aa1c2812802860565b5db489146a4d219

SHA256
240a6711880e4c2e1e986a00ff94574f8428baa6e7d60fb7d309679ce3b38fe5

SHA512
c13600e6f31393e750b9845455fdfbec32de99b5ed312e9399488a7b2d7540617ee17505127da49d54ab375b58c0009759adc53e6759aec0f5b4b676934d8d15

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.3MB

MD5
f7ea8215aa2b5bbe7bfd69a6adc44f69

SHA1
11bcc54bfbe0eea83f44c77a224ef4c2f1b27259

SHA256
9d54c9e90fc228bb93848626362352141323a40346c6d0191d7474b496731fb5

SHA512
af7b854ee8d889d1723c2876dfed0de35e8f0c0e4b08f9dc4c461111bf09ade821b9a09bdfa20afa1653ab6b5c53cae35823f095b489d31476057e3b60d6ddf3

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
257e9211f3ae7d4af1f5c6f48e2e71bb

SHA1
f2aa44f06c9f39c4d45ab147ff7c0569825d6135

SHA256
907ef119cdbb588bbb617528793ab938292f625e784f6bebb4e40cf23a37f7cb

SHA512
b920f7f36a0528d678ae794ea6f8cd2c6447655ef6cdc2bfae2b4fcea95bfad5d3e8f458f988df586e9496e415c4346212bfcf831c580a28717586464af205a5

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
02759df8f398b740bdeda8496a94f899

SHA1
b38a30385c71015760b77a6f1d393920bcbe5e23

SHA256
0f1e32096138ff2c1fdd7e6cb7bc1a10de06d5a9217f9904519d94212e17c5f9

SHA512
ee1e9167083a2b61d09ee6957fc111788bab708da1ddf19f89bb185734acdbf96921cc6be54f635425a86735c69d9992f54f67eac136a898f29ee8e2180fd704

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
b19926f4fa9dfc903cfd6abb33ee7f9b

SHA1
4d3c2c0b76db5b83b591f70332e36d921afbd3cd

SHA256
cebc4dd1dc5f9df8139239843b37f1fabece7ec7356e6f281d8eb811d69fcf77

SHA512
9bca30a34f26d8b86b947e90b3f7c35dc71a8007df5acc9882f65ed37916115224f8a3c8749a8fcdd8c1f89fabe2a4db57a1d2e0ec3c4e15c70b20692fda48ab

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.5MB

MD5
ce52f2aeaea489c7dab04fba8d498d32

SHA1
a4543ddc66e251fabc065b349d2a395dfe66b07e

SHA256
8e73f2ed72336f87cae1d72176b7eecb7dfa0e2f7e770dc5511f36b1e893d518

SHA512
7424f8d39b9ef8c9e52d0696b16ed72df8b6faea93a5ae2f6b2bd29846a10ade90d580ac448f9c18eca6c477b6251154f555e333550a59085d1c3f426af3514d

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
d49a0dfc1425aed98fe7d6ddeb3fe818

SHA1
fabad7759d119faeaf4325661020a7c10f507c16

SHA256
62395b6542db1b08ee2f3641d04a5f0ea9740e1566b54b6fbb5870bc81db3792

SHA512
f35944b7f70f3caec799adeda963ce2ea4ac87b44e3617d52ae2aaa6f585bd60ab09f2d0bff7c3058a12170fce5fe6e253ab4c5a01b714fd503506ac0eee6878

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.3MB

MD5
456dd27f8591775dd6cbe387602ad03e

SHA1
b4c927a12c09299355ffbedc3efca4df151c32e3

SHA256
5cb5b1c71884c2047fae5dab01ae794f5bfb06bec9b3223632ebfeb890d5d960

SHA512
cdf4f355d300255069e3afab3df42806f7009cf5d684847024c1a2eaed3a3e0ce8765b78ec63d81a510c76f67989878b31e44321dd4761d842c3ce4fd7c9c0ae

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.3MB

MD5
707aa57e212cfad85f58d0b6b56080a9

SHA1
79f7ff6718cdabe5695c2709550fc038b681c14d

SHA256
36b9ca02b55f442df0fb044fcfcb952fb5605db7733b18a785641b014ec0d373

SHA512
2d1bfda61a096e9213957983e9dbd9049c622010fd67a818721c2c872ff9957857ce839ec01ed43c52a1814fd339af87f789055976d4d1be46dc2c56bd197af9

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.2MB

MD5
63c5ffe5db69a66c2e9189b1654ac210

SHA1
ca852331fdee51db83acdfa9d1053b07b30c815f

SHA256
d967122a5213bd3547eb4ae8126c9cabcb41a00d086b0b50546b307f98e160a3

SHA512
eab2a148cdb26b0134d2f16ec72199d5956d5c309afd343585df44f142e407b6ee32c436857592899a404edca6fb64bab774a304cd4f4cde3a1f6b6623ddb513

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
8e50f8aca5cd6af57ddd46911a4c0e80

SHA1
77ed05c418c5318129adf9a4bddd2ddf08ae25a8

SHA256
40357d52ccdf46781776e64e4d7622b45b9b959fac24c5d6eb885fd1a19970f3

SHA512
65a65c07ecf73bac2295566333b040b85f2868794f216d494eba81ff60a8d4d0cde8c8b7d2dcedcec5a45fc76f9f0c4187eb7c6c623bab71893f56c57b46bdae

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.4MB

MD5
3802c88582f7bfbd85eda8c20506e206

SHA1
c02cdba3b19597b839d91875f12fe23fc728486f

SHA256
41f47acd40a7809ac0eda545709d61af6526efaaca43145efe906117a0646b4c

SHA512
526ab0afcd76516d81e1d38fc33b59edacdec71929a647e55d7958cf664204b8924319e1383ded7279a2cb94899bb77828158d75bdb83126960049d12df499d1

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
9677086c347067996f9fad94c2bae90f

SHA1
64577432530149f84620617e8932e17721749bfc

SHA256
699eafd1b0728b33803b5c1cd1af33d611a2209b6d47c4166c9f5050813c2c2e

SHA512
923b413c2ac53ef7b1861fc2b4baa5667e370d56f45386e964cea5560de5ee9d69f96b4a95e4ada0735ea10151dd9beae083fb95331c98d8a3eb4ce2602b5477

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
63c24fafa38c1b0109d7b33c1be0d22e

SHA1
9b3ae6d17378fa094069f9aef62df034089e3083

SHA256
5928caa89b1d2b710b06e2032deeeb129c5844abc95bb506a96a2181663fdb20

SHA512
1387ef7a3e1e729ec2d22463f44463c5645c772a8336127bbbc7532923abb04b62bbfadf10c12c2f6b50d1ffb567ae4059efe192f3fc0ffdd90ff0cafaacb6b0

Download Submit
\??\pipe\crashpad_3512_CYFPFCIQXSUHKXAA
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/116-324-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/452-666-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/452-326-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/864-318-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1460-11-0x00000000020F0000-0x0000000002150000-memory.dmp

Filesize
384KB

Download
memory/1460-583-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1460-20-0x00000000020F0000-0x0000000002150000-memory.dmp

Filesize
384KB

Download
memory/1460-19-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1628-323-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1648-614-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1648-317-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1656-282-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1968-322-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2040-316-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2232-101-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2232-88-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2300-32-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2300-26-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2300-661-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2300-39-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2564-283-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2600-319-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2876-82-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2876-280-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2876-76-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2876-664-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3092-219-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3496-665-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3496-325-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4056-277-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4056-441-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4056-72-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/4056-66-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/4104-281-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4352-0-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/4352-6-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/4352-22-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/4352-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4352-37-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4408-321-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4432-320-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4936-44-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4936-50-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4936-63-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4968-276-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/5100-54-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/5100-60-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/5100-64-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5100-85-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/5100-97-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5144-544-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5144-608-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5284-715-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5284-553-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5584-574-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5584-596-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5644-720-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5644-586-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download