e628c9f28abdbc85fa59e71ff5712e9a2c82173478c5764aa9bff9cce79adc38

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 16:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
Size

5.5MB
MD5

4b2deaf32e17f5066cc7fb96bf40b742
SHA1

45189a3b24652deea1eba2ab0caa2c6d62bc8955
SHA256

e628c9f28abdbc85fa59e71ff5712e9a2c82173478c5764aa9bff9cce79adc38
SHA512

042869fd9e30865f620444c0add3b251828270c11a2ca198640ab99694b8fa3d7a186f78c0ff3f0efc8749d3e3b2dd283e11057e96ac73b5db534839f1e4885b
SSDEEP

98304:bAI5pAdVJn9tbnR1VgBVmnU7dG1yfpVBlH:bAsCh7XYyUoiPBx

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
2424	alg.exe
4648	DiagnosticsHub.StandardCollector.Service.exe
4644	fxssvc.exe
4632	elevation_service.exe
1620	elevation_service.exe
4944	maintenanceservice.exe
2484	msdtc.exe
3028	OSE.EXE
2892	PerceptionSimulationService.exe
4884	perfhost.exe
1972	locator.exe
1116	SensorDataService.exe
4036	snmptrap.exe
60	spectrum.exe
1424	ssh-agent.exe
2260	TieringEngineService.exe
4836	AgentService.exe
1244	vds.exe
3660	vssvc.exe
3220	wbengine.exe
324	WmiApSrv.exe
2724	SearchIndexer.exe
4548	chrmstp.exe
5652	chrmstp.exe
5440	chrmstp.exe
6224	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 25 IoCs

Processes:

alg.exe2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8c387dbcc3a5208d.bin	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\java.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe

Drops file in Windows directory 2 IoCs

Processes:

2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exechrome.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000043045bd7f9adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000463bb3d7f9adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000020e801d8f9adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133610427296178064"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a15974d8f9adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004314acd7f9adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007b8b83d7f9adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

4580 chrome.exe
4580 chrome.exe
468 chrome.exe
468 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

4580 chrome.exe
4580 chrome.exe
4580 chrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

pid	process
4580	chrome.exe
4580	chrome.exe
468	chrome.exe
468	chrome.exe

pid	process
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exechrome.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2180	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
Token: SeTakeOwnershipPrivilege	1628	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
Token: SeAuditPrivilege	4644	fxssvc.exe
Token: SeRestorePrivilege	2260	TieringEngineService.exe
Token: SeManageVolumePrivilege	2260	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4836	AgentService.exe
Token: SeBackupPrivilege	3660	vssvc.exe
Token: SeRestorePrivilege	3660	vssvc.exe
Token: SeAuditPrivilege	3660	vssvc.exe
Token: SeBackupPrivilege	3220	wbengine.exe
Token: SeRestorePrivilege	3220	wbengine.exe
Token: SeSecurityPrivilege	3220	wbengine.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: 33	2724	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2724	SearchIndexer.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

4580 chrome.exe
4580 chrome.exe
4580 chrome.exe
5440 chrmstp.exe

pid	process
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
5440	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exechrome.exe

description	pid	process	target process
PID 2180 wrote to memory of 1628	2180	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
PID 2180 wrote to memory of 1628	2180	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
PID 2180 wrote to memory of 4580	2180	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe	chrome.exe
PID 2180 wrote to memory of 4580	2180	2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe	chrome.exe
PID 4580 wrote to memory of 4808	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 4808	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 5168	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 5168	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 5168	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 5168	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 5168	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 5168	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 5168	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 5168	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 5168	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 5168	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 5168	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 5168	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 5168	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 5168	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 5168	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 5168	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 5168	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 5168	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 5168	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 5168	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 5168	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 5168	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 5168	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 5168	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 5168	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 5168	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 5168	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 5168	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 5168	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 5168	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 5168	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 5188	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 5188	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 5260	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 5260	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 5260	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 5260	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 5260	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 5260	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 5260	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 5260	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 5260	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 5260	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 5260	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 5260	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 5260	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 5260	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 5260	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 5260	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 5260	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 5260	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 5260	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 5260	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 5260	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 5260	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 5260	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 5260	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 5260	4580	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4b2deaf32e17f5066cc7fb96bf40b742_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcd330ab58,0x7ffcd330ab68,0x7ffcd330ab78
3⤵
PID:4808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1912,i,12308200420259709310,5778694744399420166,131072 /prefetch:2
3⤵
PID:5168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1912,i,12308200420259709310,5778694744399420166,131072 /prefetch:8
3⤵
PID:5188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2200 --field-trial-handle=1912,i,12308200420259709310,5778694744399420166,131072 /prefetch:8
3⤵
PID:5260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1912,i,12308200420259709310,5778694744399420166,131072 /prefetch:1
3⤵
PID:5380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3068 --field-trial-handle=1912,i,12308200420259709310,5778694744399420166,131072 /prefetch:1
3⤵
PID:5388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4224 --field-trial-handle=1912,i,12308200420259709310,5778694744399420166,131072 /prefetch:1
3⤵
PID:5708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4492 --field-trial-handle=1912,i,12308200420259709310,5778694744399420166,131072 /prefetch:8
3⤵
PID:6092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4612 --field-trial-handle=1912,i,12308200420259709310,5778694744399420166,131072 /prefetch:8
3⤵
PID:6124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4804 --field-trial-handle=1912,i,12308200420259709310,5778694744399420166,131072 /prefetch:8
3⤵
PID:4044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4792 --field-trial-handle=1912,i,12308200420259709310,5778694744399420166,131072 /prefetch:8
3⤵
PID:5476

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:4548

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
4⤵
- Executes dropped EXE
PID:5652

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5440

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
5⤵
- Executes dropped EXE
PID:6224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4840 --field-trial-handle=1912,i,12308200420259709310,5778694744399420166,131072 /prefetch:8
3⤵
PID:540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2428 --field-trial-handle=1912,i,12308200420259709310,5778694744399420166,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:468

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2424

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4648

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1332

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4644

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4632

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1620

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4944

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2484

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3028

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2892

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4884

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1972

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1116

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4036

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:60

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1424

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1344

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4836

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1244

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3660

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3220

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:324

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2724

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:6120

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:4468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3988,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=1424 /prefetch:8
1⤵
PID:5496

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
Filesize
2.3MB

MD5
22e881297e97935cfd4654a7013fbdcf

SHA1
13485cbb7a8a15921da57392bf1d0895dd41dedc

SHA256
ec5f0113315ecdb3a0e365f780a921a208affe1fb3f92f877a2b65ebba7b6de8

SHA512
77cbb825f03b487ad75bba1fa240190504c0ce9d04d673866f56dadebc5b1a84dadc42bbeaa4bcfd92d1bf176df79cb9e743d67772883327554e711dfd0c179b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
b89d4333416acc7a131e9be6fca7bbc3

SHA1
5d68775a5d2132d10400facb9bd32058aa6eb0ed

SHA256
98869fb35cd53068d593a00cc42b1ec832318cddfefa40cf25ad4c44e4034c7d

SHA512
c31a03bc40a99316d1ef9b23aff3b49a6a5818e18e2b9937c7941291f19ee8f856d3b62ffc24938b78ae35e5d614e7fcca745a5640bc9fcdff29db924778505c

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
702b9e8f4de2ef4ae58c95554e851115

SHA1
3841cd5d4987440b6fc07930b2ff3358baac182d

SHA256
c9abf240fe496122d0e971e9cacb3616ecd64166cb3a94ba44e6aa2de2035275

SHA512
12ea3e74edd112f42aa281f30468a9a0caeed3fdeb61d514363cd3f161f7d6ea803128f7055470950d157bb89c69754973233d466bd73dbd1715329d273b50a4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
451015b8e1e35b31f9b9ea229e9ea3ae

SHA1
bf15cd200ecb88c99a35cba7867f83bbab7cd448

SHA256
978a808b4e5f6c2bba5472eb197bedd9d391771d1d0566b970110297eb4f2b10

SHA512
3d3909c69d357556054fd747a1ffeb51bf28ce4915319baecd95c1bc208d75516085f4f55d24e76a416792a830f5297e329f14fd9e55179f8f0741570c687764

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
a761ec69cd69da1ef0e888293cff7d0d

SHA1
bf363a598ccdf89dac21936b71e112523e2e61b0

SHA256
2b31f22467712aade3d355ab931346a5232f730547b8bc679dc486803b19febc

SHA512
5b2dacdf0d6f0acb24289716d387f8c7b5b5e7ba167230ccc38ead8aed006a3d9d1d67c7fc7da4bf42467e819289fca73cd8a49b3e4ee24ac1e51d58f6003d9b

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\73ac9ebe-68dc-4be3-abe8-03405f4e63ce.tmp
Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
e646991f9b7863013f4543e5deea2d49

SHA1
7d3ab1c249b15c5bc5761baef819fa96b043539a

SHA256
0cc277125b5bd55a7c42e32f351b5bce3ca6003f28bc0646db5bc6b9b5135c07

SHA512
8b7b264f086ee2d1c1ec1199307d6511ce964890e84312a1c12c21a0a1fac24d6bf005a2ded820ecae3b51b58229a8ce724e98e40b03e1f93d3914948025a76f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
d8d4502266a38c66a0c89a8d0fa3c168

SHA1
d7ac6ec136da11d273cb0c6d0b5853b718191b68

SHA256
11e480ac074947e0a7a0789813af36b5444c96a71da7245678d3bb21d5752a35

SHA512
1af6f7d3037c8cda1f29c75f4fac6afaa410e3de937eb973ca386f8be8398b473fb56823f1f177f65fdabd0755886d62bfc8a08d5044fce13dad9643a84ba545

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
e90adabf7620f123b1a9cdf53c1405f5

SHA1
33dee068cb25d0886b025dbfc4de60c9a80003c4

SHA256
358d80271975c587439d06ceee0ec5626476183e91f549aee773c9742faf4540

SHA512
343bab9a342d245d8aa68afd6098558a17544e1762e83ca37df65f2901a75c2f9cee39bd11ff1796ed4570b786fbb5604772209a6549bb427a4e844a3820b0e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
a825b1279e4c67cdba0b7b6154b9f20c

SHA1
84365254bb1488d93efcc2551d02ff31d09b02ee

SHA256
f78478281169c87467de8986293e3e701f8108002be3df8530eca231a958af92

SHA512
ff520188f47ddefc64cc2ef4a26908745ac1d92dd06167aa17fb3dfacfc6a8faa202323f2a55d05c064b687264b5c63fc6f1085ca1c7b619cff00f6a419942f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe581b34.TMP
Filesize
2KB

MD5
c4d12c24a85b7e1aaf85cad983fe7610

SHA1
00bcb6e962cbc5a3d88689ec2f8c15feda6ff7fb

SHA256
6568b506f3cb4367abf414e66e1e93a4d4e40339dd3a2a1d5ded1f1907484337

SHA512
0d45cd5f36424147b7a67d4f154539d9ddde285cb363a139c5922814e6073cf731d61902a7eb84e9ac6547bcd52e65b023a2f97636072db478ccd04495a59aa6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
3a1f253d7ad8cb288d7f86cfb25f81e8

SHA1
4f047712bba266eeedd18636aed5bcec82c0a3ec

SHA256
1ae0ffb3851ebbe6ed3e162aa3fb1af3743a57e83d0090058f4fbcceeb296fa5

SHA512
126308398c5bb6cdb0e1b625da64ed6f214f9c7787162ad6dfbf4f4e49bd05256f6e64b9482c72793655f1383061e546723f345f9b3024d5b8fd23445a3af9db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
260KB

MD5
0c84c3cec4773854ef596ec0fddb3b8a

SHA1
2617e696c0656fc6135b10c91c38c757c8266de1

SHA256
1836a20d615b82938500cd96348e4d8763d811597fe61a2fb26615ef7624aa77

SHA512
78dc5322bd9cddecdbec126f297d3019eba863d39d254989e389570f18a9892c1c00339b95576d56428e213a027e4933fdcc11dd730a164c433413d91fbe6040

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
7KB

MD5
145f38f49da6d51af7fe431ac5eb6fdd

SHA1
78d2dc44cc12289816a6e82500d02de01aa696da

SHA256
a3b4f0856d0dad2dd27352d39976b22c7cd0b9b391ccd804568e136cce6ea496

SHA512
c1c230fe357f917d0af3121d476a331ca8c4cc29f31ffe124863fc74cb7e62fa55dd7483f80b6a897b5edc0317728f9eac86fa708e0b0bb8ab0e0384b5928b6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
8KB

MD5
988f74c8ad47fb201bed8466b8ee44f1

SHA1
a8508e9391e48a43ae7680c531d2a260cd2e7783

SHA256
1986f994baec6391b55cfab147f78d6375c9a662406a093281eec93c7cf1991a

SHA512
76f07cc07c50a2822cd16d432bb962c1c435fd615b10f4ba5a10e83882ded7f5b886e62233c40c5c071cd4cd33770da696ceb2aa5a5e7a17f4c3cc530dee6952

Download Submit
C:\Users\Admin\AppData\Roaming\8c387dbcc3a5208d.bin
Filesize
12KB

MD5
b3f4e88ba1d394a6ad05745fdaebe550

SHA1
7787f8c7121c26373495871f504eb08570a95c12

SHA256
62ef81efaece461a5aa1615b8a1cece4b2810dc7d37666b98ee0a4d346d2c062

SHA512
91537e6fa26fb5080ac768df89e9abef081fe2589d67493e07a27b74bf82c29168c978cdc7884bdd1be5e1ccd9cd1a2f0ff9be708c5e3ce055c9bcd2f9cf480e

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
80a0f98dd85bac9e985ec530f1ab001a

SHA1
755338332a81dc879f17ba59d089580b1b262522

SHA256
0456ceabea18e5547175d7fee9cafdf5b0268ca3a52e2ce8a8df5095cd1c8b09

SHA512
21adcfb2b6663aa91c569dcdc7ddb25c213dd792aaa793ca324eb0a8d89cee0a45d27746b1e759b38a43d036abd52488888dfafdc6bea1acebc309a5084b4039

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
d29293ef0de3f028fc9974b9b9c17ba1

SHA1
e6509d736b301d770f90f91592b1a1a87ffc3a90

SHA256
6869791a669987d8299e39cb7f86b1cccd5df2e378036ccec91f962273f1b554

SHA512
fae8e3a81d0185dcf67b78fcdce52afd5523ba7be1bc4d0125fe32a3fb4ba1b2d7bd4500e72ad7f3aadf65e4f3860462e7530ec9d33855dcf723a31bc04ae684

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
2da9ea2c1ba5561cb40ebc1392187462

SHA1
68aa6dc16814d7c5836622768c68fba69ff9df38

SHA256
1192e9cb160cec8db43f217df0cef45112e05aa76c07f1d3e207088a2aa8c67c

SHA512
92f766de84a2323511607d284503bac43e501b5ea721a1fab0177c8e8e2080dc435a92781907829b51964d0afbef9fabd1a68a1dc3aff946884275245a7b3858

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
cb4f2ca862d615cea726d9c450870e6f

SHA1
26fcdba7e1db71724393b2b00ae46f94fdca479a

SHA256
0bc4112748027a59083abc991dfa4752dbb9de02f7291b8cf4431a8f228f70ab

SHA512
f8719a635a8ed67b6466fa88caae77d40f827f3c077f6cf670d44413ef75ae5d243ea7498418aabdca2f18c2ee62eabdb64b0de12f6873756d08d254ba512dec

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
7e0bdac6be004662396d7e38cc5a86fc

SHA1
33abb51b48501f8a8ae0697f5f70709ff1e54aa1

SHA256
8585e08092af17fd25d60320d816721b1f7fbf32c869c2084296fc6bfe4b8eae

SHA512
41afb27e3e19e8cd833cf4a03b499c03e58c1f59f2b84c562a4287ddbcdb0357bfdd0137a916f71009b0d4b4e267acf85f655f0ac4c403468958e111ae0e291b

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
9ba44cf43de658b0bd740712cd44b3ff

SHA1
b861aba02b96f1f97d94384d03082581278e9da1

SHA256
e62b8c58aa6a534a0349f9975fc7dc78057cc09e4ed1264a90ba3f82d05ad48d

SHA512
9346b1039d4c7037b4b41731d451f24fa397284edfeb0e32407d21ada6c546be0fb674c9ade0693a0a2ab52f5d65fa2944dda7efe25406680ce8682882b470a5

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
3335d04d9b35827973ee55f6d9e8b31c

SHA1
8041e41b553927c14002b111d6135ce0cf50a831

SHA256
2d9cdb74ba63e98eab86372bac6b24ab2b9e28f2f3da69f78023e43d0966e79f

SHA512
286fb9c0626d4c6c83cc1f591f2fa1ea61fae858a30775a079ed5a31a340b2484c3f7ad130f0a6ac418882e63b87efac121a06edfcbd16a0f5c83d4ef400564f

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
30fe81d4415ccbe69f6ea698c519ff61

SHA1
6c66ee3614070dbdaecd38be844629e1027ed5a3

SHA256
f070b0cec6a9f646829783e09a2c5c45dc90a3138d58f6ccf9e2a6ea7231422a

SHA512
8c2fa36a90459a7c8789766580672f62442a0f4719b9ce89cf6fb937c99e1368aa650dc8be8e6265f336963658e7643d33bc12f7b7d31b844d2e4cb02657e95b

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
bb351bc405c02bcbbbaa6c6b93ee750c

SHA1
fcd307ec198094694bf92cd46ddf863330d2d406

SHA256
f09e731bf95e2bc8cac2c85e4e1b4fb40d17d3ebfce612f810e01838f05033bf

SHA512
7dd93d761a83eb285b98a869377b5e220437261be0d57cdf6cef798ae2d84a629b6d6f6de824b96ee96afb5aac4bbc49bb454e30447bd004994fd21ec1190407

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
c99dfb5e561d4f57b658e719c8634549

SHA1
56253da561d5b0fe4d06eab4d97c90b38f164eb6

SHA256
ca5fac2fb38681a909de015b564020de950c8fd1b49a67420c03df2827bd118a

SHA512
649f05845e4062dfa4abed1c7153cf37d676d198532e6312de9e376f889d1102e18bdc2b564ec0f19d87bafea4ff37e6eba894f71e509c608050060679ca9734

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
08ea4fd9981ad2d19e8057e70954266a

SHA1
edcdfb10a941bbd6cc80d1b2b3d1770fda52fb86

SHA256
0464cb426f9095e1338cdcd516ff80ee793ee8a3ec9aeeea47da47895c010e53

SHA512
019fbaa26344a5a78c9650313685f7d27ef8913156bab6884eb6ae569631ddbabec4851d048bac1d2b24e9daf01ee11be7cd42b32a586129e755fc01ded29e94

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
e32a6f4573a67fa08337816fbb746a50

SHA1
87637e88a858b70224f231da8c1c6ce88b70a598

SHA256
197d08f8b8a912c5aeb2746c8de0f9e9127f2e6bf73269f4c00e0ae3d63ae282

SHA512
602236cff3c7be0f8e17c2af7097183e7192653a5bee879367787da6b656378d63ef05979d14604dec267205b5cb97cdbda9ca01588c5f9c65fb762b6eb915ca

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
825c1708566666fee05868298d0eba62

SHA1
898975738082384cc117e6c00c7af6d27ce180f4

SHA256
deff61e4e65be696f78565ebe9871635c93aa80a816585a8b4ae01c2cf0c19c8

SHA512
b64881c6a3c2fbf6dbc3ec34cf06bf1456d557d7e6236869e33302bee5dd6619fc5b815e431c6e2c8283fa9e4f6975feb5ed4c84bef14b7f87c85cbeec032dfe

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
c7c3bd4af48d968719b679728fda2864

SHA1
62d7e38ba6c7182f8bdbff9465decad5e73000b3

SHA256
ff18b9ee2aad9ab739144e7fc31bed5117b004690dc41f0e45567ce791d5e957

SHA512
64363b112fbd0f0208e54e2eae4944533f73c9d15a5b2841d720fd1c24d03a2b4300e5ebbd316e07228d95a16a77c2e534522d93ac926917f3aa80aea5453068

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
46c659ae16d874390f3b1f08d4418073

SHA1
2a915209d10e7644a1e41df7d33242f786150a67

SHA256
01c5267ebf60cc8e4b7b35a30f8f6f0fb93fea4224bcd571d08ee30d3463468e

SHA512
d866c66a3a571bd9d58d3079dfbab070e0ab187a9bfbc7b13528b9f75c1db8805e8d777721f2d3f34a1dad68cc2a1ed46189d86d7616121936d8f671e71d9b06

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
caa9131c3d0748e21d9578af174e44c1

SHA1
95ada8991528e2737343f36018c49aeed0125f96

SHA256
d0f345411c65d145661037ab04b8ed429503fbd452803658c44af592349ae16d

SHA512
50e85336d54a5fa37156d9c6e158ddb8fcf9bcab6ea4593a7cecb0cd705888ff968ac09e45f4aeeb147cdda1724f2b9e784e5251678ac8761efc70b0dccd7c65

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
fa151ce759cddf1d1e1c868c5f5fe8d3

SHA1
019501561bf98648a0855c9441a70c31a50a983c

SHA256
bb0ec247f3d55b96bb133dac9fb3c1eab06b825435643a0495ced5989e99614f

SHA512
9f92190efbcc7ddebe6305b5d904558f7f990c1db2437b898f64d8c9352bfa383ed602fa4d4b63bcbb07ed4f764c1643d116998759afa8172f2c5ce27e66b935

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
533a50db6fa8bf4a5db91bab0e568551

SHA1
e9a577903a6c85d3668a570fd187c97d5c93e9a9

SHA256
29255001dd91b57a6441d64cf630c6e9e67c126d50e3db5fee16a10c3b4a97bb

SHA512
f0d73f73c52e0033bdf54a8f77125113ceaef90d77e2e6a2bdf9d1162d658ed9f48040a966938451b9c9dd84b43336f92610ed906afdd31607aa96a70afab429

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
de12892063f81f60b11c0497ec332fa7

SHA1
ccfa0530f55d277c3fe6d75260088ae08d5b7616

SHA256
afd8ccad757251c38eecbb67fc9f41af5aecfec62b521b229c5b17e17ba05eae

SHA512
441e809f431b7d1715efa1a6eeda910ba6945b9529a6330cf964a1d8f7233e97893e6eac6758abbeca4c61d315829371fa2e2fa02a5b838d1fb79e7a43b6d7ca

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
3febf7cf927ad52a69695cef917a315d

SHA1
e04d0b865a171352904a48c4be795d4b70b858ca

SHA256
8c0c467d9b1203791e487d7584438a1e953447485a1d995dcbd38e6444e8565a

SHA512
f635e62df11046b4541da7ca4c60cc310b2c679482f5eb68a51d5f5f8db0c154bb62c3de74017757835cc3dbb7cd8a0eda4abd19ac907f91ed05b5565cda9c8d

Download Submit
\??\pipe\crashpad_4580_ZIEGMKDTVOLUUZZZ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/60-260-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/324-642-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/324-302-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1116-258-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1116-524-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1244-263-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1424-261-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1620-244-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/1620-84-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1620-78-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1628-12-0x0000000002090000-0x00000000020F0000-memory.dmp

Filesize
384KB

Download
memory/1628-20-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1628-21-0x0000000002090000-0x00000000020F0000-memory.dmp

Filesize
384KB

Download
memory/1628-554-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1972-257-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2180-0-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2180-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2180-38-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2180-35-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2180-9-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2260-262-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2424-628-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2424-23-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/2424-33-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/2424-32-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2484-241-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2724-301-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2724-641-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2892-255-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3028-254-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3220-638-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3220-298-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3660-637-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3660-264-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4036-259-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4548-618-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4548-543-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4632-74-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4632-68-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4632-353-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4632-242-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4644-64-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/4644-98-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4644-87-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/4644-58-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/4648-44-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4648-52-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4648-53-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4648-634-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4836-221-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4884-256-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4944-90-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4944-103-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5440-607-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5440-585-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5652-643-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5652-555-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6224-597-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6224-740-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download