c55702398c97397c31067082e373b9c46437e96c1958ffe277f5be35fecc5f7e

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 16:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
Size

5.5MB
MD5

1123492b3ab3b2be524dbcea1c60895e
SHA1

61498d4e182c5b077a4b0be1fadf3be1a3eb4deb
SHA256

c55702398c97397c31067082e373b9c46437e96c1958ffe277f5be35fecc5f7e
SHA512

4eab2ab968b2fd3018ad043476803db1c6774eee5b3d0be1feb2bc9d9da3c846c231e56c89e8f2389d0c7108f2cced55678ddc3d677bcfe8ad5b864f5b3b719c
SSDEEP

49152:+EFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGf8:kAI5pAdVJn9tbnR1VgBVmfB2Yyjl

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
2780	alg.exe
1592	DiagnosticsHub.StandardCollector.Service.exe
3996	fxssvc.exe
4792	elevation_service.exe
4152	elevation_service.exe
4644	maintenanceservice.exe
2716	msdtc.exe
2704	OSE.EXE
4428	PerceptionSimulationService.exe
4376	perfhost.exe
4584	locator.exe
4160	SensorDataService.exe
4784	snmptrap.exe
4432	spectrum.exe
4456	ssh-agent.exe
4068	TieringEngineService.exe
5100	AgentService.exe
2176	vds.exe
840	vssvc.exe
4276	wbengine.exe
3652	WmiApSrv.exe
2980	SearchIndexer.exe
5576	chrmstp.exe
5752	chrmstp.exe
5948	chrmstp.exe
6020	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8d8824c8e703f493.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{4EF9C35E-DC0D-40E1-941D-AB9119298CDF}\chrome_installer.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe

Drops file in Windows directory 2 IoCs

Processes:

2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exefxssvc.exechrome.exeSearchFilterHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d21d8066f4adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001854b966f4adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000173ffc73f4adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000008b9bb66f4adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004b90b466f4adda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006fc3db66f4adda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000053d5ee66f4adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000093559a66f4adda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008f3f1b74f4adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

224 chrome.exe
224 chrome.exe
1648 chrome.exe
1648 chrome.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

668
668
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

224 chrome.exe
224 chrome.exe
224 chrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

pid	process
224	chrome.exe
224	chrome.exe
1648	chrome.exe
1648	chrome.exe

pid	process
668
668

pid	process
224	chrome.exe
224	chrome.exe
224	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exechrome.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1772	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
Token: SeTakeOwnershipPrivilege	3592	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
Token: SeAuditPrivilege	3996	fxssvc.exe
Token: SeRestorePrivilege	4068	TieringEngineService.exe
Token: SeManageVolumePrivilege	4068	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5100	AgentService.exe
Token: SeBackupPrivilege	840	vssvc.exe
Token: SeRestorePrivilege	840	vssvc.exe
Token: SeAuditPrivilege	840	vssvc.exe
Token: SeBackupPrivilege	4276	wbengine.exe
Token: SeRestorePrivilege	4276	wbengine.exe
Token: SeSecurityPrivilege	4276	wbengine.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: 33	2980	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

224 chrome.exe
224 chrome.exe
224 chrome.exe
5948 chrmstp.exe

pid	process
224	chrome.exe
224	chrome.exe
224	chrome.exe
5948	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exechrome.exe

description	pid	process	target process
PID 1772 wrote to memory of 3592	1772	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
PID 1772 wrote to memory of 3592	1772	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
PID 1772 wrote to memory of 224	1772	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe	chrome.exe
PID 1772 wrote to memory of 224	1772	2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe	chrome.exe
PID 224 wrote to memory of 2016	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 2016	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 740	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 740	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 740	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 740	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 740	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 740	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 740	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 740	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 740	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 740	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 740	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 740	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 740	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 740	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 740	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 740	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 740	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 740	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 740	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 740	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 740	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 740	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 740	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 740	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 740	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 740	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 740	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 740	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 740	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 740	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 740	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 1968	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 1968	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 2240	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 2240	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 2240	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 2240	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 2240	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 2240	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 2240	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 2240	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 2240	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 2240	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 2240	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 2240	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 2240	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 2240	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 2240	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 2240	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 2240	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 2240	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 2240	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 2240	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 2240	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 2240	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 2240	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 2240	224	chrome.exe	chrome.exe
PID 224 wrote to memory of 2240	224	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1772

C:\Users\Admin\AppData\Local\Temp\2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_1123492b3ab3b2be524dbcea1c60895e_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe1cb0ab58,0x7ffe1cb0ab68,0x7ffe1cb0ab78
3⤵
PID:2016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1908,i,17617772887861084769,15772044210043656081,131072 /prefetch:2
3⤵
PID:740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1908,i,17617772887861084769,15772044210043656081,131072 /prefetch:8
3⤵
PID:1968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2156 --field-trial-handle=1908,i,17617772887861084769,15772044210043656081,131072 /prefetch:8
3⤵
PID:2240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3036 --field-trial-handle=1908,i,17617772887861084769,15772044210043656081,131072 /prefetch:1
3⤵
PID:3156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3044 --field-trial-handle=1908,i,17617772887861084769,15772044210043656081,131072 /prefetch:1
3⤵
PID:1988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4232 --field-trial-handle=1908,i,17617772887861084769,15772044210043656081,131072 /prefetch:1
3⤵
PID:5868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4532 --field-trial-handle=1908,i,17617772887861084769,15772044210043656081,131072 /prefetch:8
3⤵
PID:5992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4624 --field-trial-handle=1908,i,17617772887861084769,15772044210043656081,131072 /prefetch:8
3⤵
PID:6048

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:5576

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x298,0x290,0x294,0x28c,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
4⤵
- Executes dropped EXE
PID:5752

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5948

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x270,0x298,0x14044ae48,0x14044ae58,0x14044ae68
5⤵
- Executes dropped EXE
PID:6020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4748 --field-trial-handle=1908,i,17617772887861084769,15772044210043656081,131072 /prefetch:8
3⤵
PID:5584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3608 --field-trial-handle=1908,i,17617772887861084769,15772044210043656081,131072 /prefetch:8
3⤵
PID:1548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5064 --field-trial-handle=1908,i,17617772887861084769,15772044210043656081,131072 /prefetch:8
3⤵
PID:2896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4272 --field-trial-handle=1908,i,17617772887861084769,15772044210043656081,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1648

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2780

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1592

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3588

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3996

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4792

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4152

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4644

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2716

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2704

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4428

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4376

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4584

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4160

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4784

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4432

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2292

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4068

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5100

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2176

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:840

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4276

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3652

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2980

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5364

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:5468

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
b465915ad10da2548a9cb9963e7f958c

SHA1
6a2e7e2e79c9c5e4fa69f1b1b377e6f020edda0a

SHA256
3ed9ba5690f78a0d66c849d72f81377bc989b965c7457428b1070f66b86dd608

SHA512
0172f33417aa07280b6fe9157c6b1dbea55169e7dd5743544cea059307db6adbd3d63ba2882666f3aee8e7b01dd20e5c258df108e8a161998ad8ebb275842aca

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
0bc5e5aaeb3426e620c4e015a450f6be

SHA1
82e61c1494e64a4e7acae10e7b29b4e2d30c3848

SHA256
87413dc00064726ca37d7e1f3cdb8942242c88dbb933eb393d37151e08e85bfa

SHA512
1089e34c7c7976cbeef0e637fe2d4f9c204ef30ef16efeb3bea46912024556df89d50905fa5ef0124e6c5fec414c14236b3aec0d8f561a62354612bcfdeb6f71

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
2737e6f90f24213366a2753d079eeb22

SHA1
cf45a434b8e8d2f1cb5fba0729964e5c6ee793d3

SHA256
c247329ac45c2d2c2b1615b09719d3e0098cdb3a1abdec135087742897731c18

SHA512
89ee09ad47de93b37cdb0cc0997cf46aa244499543e0f6e670f5867f312070bad2bb594ca0febcf1d219f6da5c1b9bac6ab6b5dd3b2af736c01724e0c6d8e640

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
e67e9d18c655a1cd257e875ff9172919

SHA1
7d31e9832d48dfeeadcbbfbd994167d61dca084f

SHA256
04c0049b4ad3978d7054036cb1d3bcb8b5eed3322a9c89ba81315282815d8049

SHA512
1d8fb862e0db55389ba5d85d2dd98e37e78c101b31bfe396c8829efd68bb381f5df8cd42fae0a2130e4f15e82878991758aacbbc5cc51cd8026c849d6f8bfe6f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
b230bdcb856a4d0d7f0b01c0bd7df67f

SHA1
7d3fffdfa216bda5fb501ca306f7f04f460e90be

SHA256
28f89517a4b1d6fbb46957f60bb8e86a18116bfc8e442e8eb5c1015a15f5b13e

SHA512
4ec2769ff51529a872779440566204d6621385a77a7b7f8d15fcb1457801c29173d26bc2aed11d1376799f2468dfb1e776f203d0b52c75a949d2666078cae60e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
d0df793c4e281659228b2837846ace2d

SHA1
ece0a5b1581f86b175ccbc7822483448ec728077

SHA256
4e5ceefae11a45c397cde5c6b725c18d8c63d80d2ce851fa94df1644169eafc9

SHA512
400a81d676e5c1e8e64655536b23dbae0a0dd47dc1e87e202e065903396e6a106770cec238093d748b9c71b5859edf097ffff2e088b5b79d6a449754140a52ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
c912fc52ed7dd199bc52fa47e25f7f0e

SHA1
136a94c6e775bb4ec52b90784ff8fc0cc40e2bde

SHA256
482f51c1c778b8099af9be635a21bf140c752212f201a894b41151f25778116b

SHA512
162ace730f49d757a3e5746e883af75339022145a3411821c7dd597ab1816c973e217cc408020c9da0805e2998cacfa790ef169f9be551c22a8d580b92710077

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
8e74ba2cc5f0c4a3b7c6991fcc5266ec

SHA1
3d0db58bda4f0fe82294f559e9a8d492e78995d9

SHA256
1645f040cfddca83dc08ee5c6b7cc7212542b50b748eb92fcff3e77deb66946d

SHA512
3b38144affd314ce8a5bbf8fb7375fb67f437099767df69f146acbc5321f6790f924503489d93e4d3a1fe00ad112db9da360f8ef6d0e43968c958b163ec3bd77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
354B

MD5
41838811baab0b8afc5f853f9521b17e

SHA1
15b28e508e4c0d3fd2a696ce6962b2f914808a01

SHA256
49c733eb9c6920b520e864bfedb699231a7e71b2dd4ebf5309a7fbf0a7a0a238

SHA512
c06c6c4202a853e5b9ceff99b527b69d3ab87d74dc37a66ea1f5d3bf1c71551bf0ea61f76c09b342bce3b9b4a6c8692a5fc3ed376418ddef79ad14e51f8ad8ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
945c0de8393f28c328f99140c742312d

SHA1
8da26b2ef61d1a75cdc9d41d60a6a989a7cf97af

SHA256
9e39906ebb62e67e778947ac9a35a808449dd417213f9b82acd14176b49d0d51

SHA512
f4b84998c4611069b85384f4964e8e452bf7ceb7872e8f390e8f1d7b6126200cccf3d3f0e3834c2d7085e82a15876727f4fb5d3b25c3719dc4bd2f68da2cb28f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
06758690563cd8e106f6bd2f84c3e19d

SHA1
ac431b2ec9b0185f7cb01a65b8132030262801c5

SHA256
764a03e9a1a9398b3281dcf99a08b0d4631078d43ea691720cc393d4f242ef89

SHA512
9084dc4412e95cad5c134579c05395526822f53db30a571cc79e42e28f2e4b65991f41f7c44e865d48dbddb2c8867dd3fa156cf61417f583c8244fd37dad5085

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe578482.TMP
Filesize
2KB

MD5
1d0245a0816fd932b1963600bab98460

SHA1
82d188a3a5fd107ed83000e16e41e0d67eed941b

SHA256
b9d8f68c1f5aeadb1748f8efa21c33a4235cca822bfdf19951d296b2f29944f6

SHA512
febc999100ab08b73d52fa2a08f7c09cf2281c420762d121150da6cecc922372a9591619163881a5d2956cc20a7bd6d1b5017b6f0575b55ca6baeeaa604632f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
9cd629780304fb48116203aab7292023

SHA1
5228cd4bf4fe9bb1cf0aee60f9878d741d5bb77b

SHA256
f8de673191c08cd1b700613bb276dc7f1aa55f861747921f154170ec48d63b17

SHA512
9bf41100fa48ffbfa52fa4daacc8dd0cf994f49a4d9b5073aad5a46d2e1795b63565d5fb32f41485360e8fc2a8c8f012abff60a33d9cbed80d12d33f8bfdf9c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
260KB

MD5
8c8514baa0cb6f30361023fbeba79ae2

SHA1
5766ea8df14748bc337e26c5d6a156e9c874c44d

SHA256
bf57b190bb0b025d24ae2ad8a9c2794f8d9a1431a4199443ed53a5bf1b8a3c5a

SHA512
a2fb169c9626ce95ea00c50752b8fd5a1ee20ffbaa8c43e8a54098ceb009eb71ce91a2f65cbe32ddf70a5bf647e1dc83d9d9b33081fbd31d15ab7401448050db

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
7KB

MD5
8dd240ee331838aa58f3a6ebe1aacb06

SHA1
252a6cceb6b8e7c3f9e3821c8e9b19596f24091a

SHA256
8c4fc3f5091df7e5cb726ed7bbd2dcef171e3c173ae989f312cc0b1d27845e21

SHA512
065669386717d5483f2c955ecb4ca3f19140617d4edbc3b8be42cc25b21583c044c82ba6fe50fad2342910d5da88459cadecffc5550bd6fe1983b1d761c128cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
8KB

MD5
96bdbcadeb27c5322bcf415c572097b4

SHA1
90ca7083fb0e1d64f9e3db1cf03f487cec0f39aa

SHA256
da3bd69042770e69304617410e27e842d9f888667ae58abd31b8ed825b36215b

SHA512
7dc5bf090137a3944660af36cf0a4dee39c676c0e9fa07a2249e0acbeb98f0167aafbf7140c21670f2ba323f4e568616de4abacf290bfc694b1be591230621db

Download Submit
C:\Users\Admin\AppData\Roaming\8d8824c8e703f493.bin
Filesize
12KB

MD5
c9b71238d698250f3b71305cf4c2bf2e

SHA1
8258a30145a7b361953938931f53a9af667584da

SHA256
d2f68408ea77f96ef0b57d511704cea1479a7d25e78ca1953eba28ceebe3359c

SHA512
f3394ebfd5f6b2d406563f34f849985751299a81ce5ae21c3fc270d2850c16b41a44ca4fe7f4453bb14a41cbf9d98c28f1d0d19ea8752a53609a02f489fd7872

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
042e5d04fc287edbd1d183c7fe0ae3f6

SHA1
87aeac08757a12f1be12b87bfe884e8756bf60a8

SHA256
e4ad90cf826c87adf3dd9d0094bd05f7dacc234211e31930bee6f4909f5e7712

SHA512
d8741b68f7c2a47ba8a302ee593f33e6780aad41f7569753801583a90e432171eaa5004fad0b5f589dce2cfebd9fdfc8ecd923c7bb07195992901b73c090ae65

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
1a52ca4ff26f77e7e65e78e534fb943a

SHA1
68467f4f8ebaf6de46b5f04f4e7135304acfdc17

SHA256
83e5f2c6b731d4e0ff7c6cb2763df2d403ba1eb3f167adebc5fde83b6467e2d0

SHA512
b071592d5de69c91922e7236e62cd97ea289cb9d69e5b424bf3ffd7566ee0808a5f943205f9470144798d85bdfd68b3dd7f331a3e2d022efe259e7d2f1c46e7c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
7847313471e897231d3205e1b7b1cb1d

SHA1
fd754b2d1d55c160a4e5c25375c130202fe87b55

SHA256
9ff8764b8f2fd1dbccbc3a8f2864a7579af68fb93046565ead7ba5ac505042db

SHA512
75965bb6ba912f0835a7ac1dd52beed06eeddaa520dbfa56466195f68015a8427b89c1c218b76e50d3adb0209eee26a176b7bd935c157c57007a3a806ebe741e

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
fc2f9c0ec973e71bb4ed0ddafcfee8be

SHA1
7656e59f9d82deb378b5e0597533c8ef2ea67c34

SHA256
e7884ced1c21d385a84b0718d5baf77d70df61d1640caf791307e60a2085582c

SHA512
240f5e26d3ec03ba53336d9e479fd409f3f2363679d0966f0f6c5ba0556ab70a69f87ac59a4ed2340fbf00ae7d773043327b998a225327f3cc8967af2b4e5b2d

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
1fd7bb291dfd2298c7dd7f232cd54da4

SHA1
3659f089c838d1ce312e5738d0f8ce287ddd9286

SHA256
2715cbc5dd5e150ff3f5d406f930f9b154baf1bd1b18e6f2f1478bdef98a57f1

SHA512
4593b1e935add9f3b6f13b70b23ce6a16201c64f4d4f8290a9b5eebde4a46e5fe3164529a4c70184c3f04e09d8eb91f174de5085fb466897de1525ae4444a7b3

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
b03f36e28666538b7886d410284c1d1c

SHA1
2f28421520dc8766c3d4d13e2bfd9440c4e82073

SHA256
0cbf3c728265933bf5ec7516947a94d4690d49d1ad3db88c1e2378e0426b849d

SHA512
7587aff2bdce697aeda987b50cdc7a99cc7d0feeba1314418e99ad6f1775e0a453ae5a67df41f2ed63dc7aed19d2e00f0863c5fa697a55800797667670970823

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
44f1560fad9eb44458c5c195c0cdeb4e

SHA1
266331ccc6a785a5fee9caa91c30aa36c8266f52

SHA256
55b0a9dcc7d50fa3031b1ca594f717b2b34e5a3090389952a8521c26613425e7

SHA512
c321081ce035624e03f64781498c166f8d5e96836cffbda18b43325f926e704daf0810a76a7208d9f8a1c99d9cc944cecbcb46c3514affbe41d01409e259f90c

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
485c5b8940c1d688015d80e2a7062a56

SHA1
8599c541e18b1ec998b22fbfec2668547f997c57

SHA256
8760536911b58f3487d7553708d7a812a9fd4cca50a07e935803a3fa5c86bdf9

SHA512
cc125596e684042faeb729a42643f980887845a3922e0f5a06350eb042064ad8c2d2fd1c83a927c5a3fd69e2ddf8cc0ab977366a063a532102937395bcd1e9eb

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
b9aef7781613c6f2fa7c517d67e18c06

SHA1
2746dd11d8c9387378f16f31722d84eb6d798651

SHA256
1f9512a6551f79828358d8659a84ca840182a38b6abeeb47ee0afb60bc33a8fd

SHA512
e1b9abe6b7315da0670b109403a93f309ef891566b6aad622f0c7eae04eef9ea3da24127c5407c7b03612a880b6bd9b111845f501f04075666568758c43442fd

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
5513c1240b5924ec4dde20337e561cb2

SHA1
e507f30d71092fae1c06dc5b75a40cb56098c906

SHA256
7c07bf8fe1c8cc0f5ec1d10b992679d55dd79886cbc0ee437b1a13d8bd35e2f0

SHA512
45c9d8f29b8ec78e11fb24d8a74eb15ab5079e3218d5885e56655c974c94601f5c316e29a9154df859cccd33f26ab80fb87ba7026ffe92c51b2f93b6a2a9d29a

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
82cafaece9691598211bcd05753d94b4

SHA1
d175312ae8866160e998c55c4838013e17017b25

SHA256
c9c30970d215b57973301859d0c4b2ffdd3c9e43638fff2ba735f37e464359ae

SHA512
f817b498e9928af2249b19325543f459a9d5fad7eb414a2fbac9177441128cad181e675b925ff3fef8f904581f6b390972c8b1b77e817a193d4f7f49809c0487

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
bd47b5261bb5e04fa4e3706fb56d02df

SHA1
049cc30202ee0f92f95f96a17556ffb27967972d

SHA256
25adf05b5c1454c01ad20a3327c2d50f7de835cdf13bf1a65e7e10f9a70d42f2

SHA512
0972a56e631b09a053271fa0e88a8ad700eb4dce768ce4f63ed63340a16d15d410ae301267456055ee227a8630b3d0b6acad869bf2eca0f95b1119483f19b257

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
8f9c68088df394708ef88bcf7068a740

SHA1
cb1244b41d845f9b323982573b0e14fe1193115e

SHA256
b729ab0e673c6cff968537cc3f245098917916d200482c56c82d04e9f90c4521

SHA512
2e7ebce38e9e804a6bcc22e3cca5753016968fb77c59ed26774128b386182f646f7740fd0d96ab0eeede6c3e887c7752004b272bc475046004d95de77ab52cc8

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
a270fd3ceb3f17cc8ff2befa128cd7b5

SHA1
1ab2bcfde5df1de98a1c73c2f771d5fcdc0c51fb

SHA256
c9fd491fe8a944d6106add3a670bab3b5b4521dabb71bd4d7f9dca81bc6e76c5

SHA512
c34a6a3461579b5222e59624be5c8fd6ed03d2df5696e7751ac060aa8a56f6804055c75989d560f8138964f8335044dacf273d7d39fa0978c5a24de04ee235fb

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
0be6ce6211d0aee897c3710ad058c565

SHA1
842188e5cb775bdf20878661e24df7d64475ae5f

SHA256
b3dd6aca3b2f5d4a19542998e60bdd3e71abdc1d2ca896a51c7222b1722bf6e6

SHA512
027ab59cc5c5cf594a04b4711742b84d8fc02364f6f8091d39dd80b715db6d72846d389d7393b04c4a6016d082a87ea52f30e83c76605822dfd1a5f8851f8214

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
5ecf095584b74cafe72d18a226c71ba4

SHA1
4858205f4a2bf85b2ca838c3f6490fd2d4e961b6

SHA256
cac8460d0c2e97311b1d9fccc21d7dea8a9e9190fe8a21ebd3722339588a166a

SHA512
722e7a960dae58b5c1d8f3ded6b07be8640e5b4cccfabc594086154b43fbd89d4a4ec5c792a9626853852d11d08cb7d6fad39d8a49420b7e230e5190b5a00e56

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
eb0340b6ff65132beb825570331968c2

SHA1
a482d46ae95a77e6677466e362a67f8e7287cb3b

SHA256
3955d3171694e632ab3198303a74c58ede4e817238af79ef9ebdcd5f598cd9af

SHA512
447675bd93545bff1428c55e11baa1a4d36bc267faece8f545d7abd2f78cdde86c8141100e73d8402bfffa3fa8de46d160def22ec89208c4addf7e7e1d9b9665

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
3da25f4f59cc400f1609bc1efb1faab7

SHA1
36323a462f53cd0a92fc77d7d455d69be911058a

SHA256
bffd8d4509eaea074c32d9b5e2e124799bd31db980bd060061f61c1d7480a56f

SHA512
0169783fc32e730c317e3d505c3ea4ce708c3fc03f1ca3129ccc369b6eb08f63ce8817721042147f3ae05770ea85b688405e9de18764832798cc5e1942f76449

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
dd7a044bb22136e85285d21163fdef66

SHA1
1fcea0d904998de1bdea9cfa654a50c20b3dcc5b

SHA256
b918a44d48859b4ed705a9a7a23d4a816a368aa2161ad495a7a6d1c6992b61a0

SHA512
67afbad0468b8d5b405186c63a0960f5fcda15b2ab73767c292863e221265758001b2e110a3296f5d2ba1463863d556a535850a65a107344ade40a79c33bf358

Download Submit
\??\pipe\crashpad_224_NMKLYYFFZXZYCAHU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/840-369-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1592-57-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1592-56-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1592-48-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1772-0-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/1772-34-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1772-9-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/1772-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1772-27-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/2176-368-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2704-676-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2704-147-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2716-125-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2716-673-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2780-525-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2780-40-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2780-28-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2780-41-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2980-695-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2980-377-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3592-21-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3592-12-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3592-521-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3592-20-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3652-694-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3652-373-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3996-60-0x0000000000EC0000-0x0000000000F20000-memory.dmp

Filesize
384KB

Download
memory/3996-66-0x0000000000EC0000-0x0000000000F20000-memory.dmp

Filesize
384KB

Download
memory/3996-78-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3996-82-0x0000000000EC0000-0x0000000000F20000-memory.dmp

Filesize
384KB

Download
memory/3996-84-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4068-367-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4152-92-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4152-86-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4152-95-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4152-563-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4160-605-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4160-363-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4276-370-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4376-361-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4428-693-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4428-159-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4432-365-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4456-366-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4584-362-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4644-110-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4644-97-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4644-105-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4784-364-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4792-164-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4792-79-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4792-70-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4792-76-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/5100-242-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5576-610-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5576-537-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5752-696-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5752-539-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5948-600-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5948-561-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6020-574-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6020-793-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download