e2139bde71ed165fac768f717285c1584486d101c1691662ff015cc361920baf

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 16:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
Size

5.5MB
MD5

365d6cfeb83a52897cb8f7f32ac662b5
SHA1

5fc8e2b9ee7528c0d62c9899efbde077c04a0292
SHA256

e2139bde71ed165fac768f717285c1584486d101c1691662ff015cc361920baf
SHA512

e10e2e5325b40210475a1d2e2afe8db06b09b0d5dc816564df10e6ab1ba4c0a825ab90e71cce530b39dcb521cda45617e14c1a6436cf85db6f3f3d0795ddb494
SSDEEP

49152:kEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfx:CAI5pAdVJn9tbnR1VgBVmS8

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
4864	alg.exe
1672	DiagnosticsHub.StandardCollector.Service.exe
2900	fxssvc.exe
2356	elevation_service.exe
4628	elevation_service.exe
848	maintenanceservice.exe
5092	msdtc.exe
3348	OSE.EXE
3616	PerceptionSimulationService.exe
768	perfhost.exe
3832	locator.exe
3320	SensorDataService.exe
2512	snmptrap.exe
3100	spectrum.exe
1944	ssh-agent.exe
4384	TieringEngineService.exe
1628	AgentService.exe
2232	vds.exe
1248	vssvc.exe
1572	wbengine.exe
1220	WmiApSrv.exe
4916	SearchIndexer.exe
5784	chrmstp.exe
5920	chrmstp.exe
5716	chrmstp.exe
5136	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\dc75fc49293b476c.bin	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaw.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe

Drops file in Windows directory 2 IoCs

Processes:

2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exefxssvc.exeSearchFilterHost.exechrome.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000059210f6af7adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001c5deb69f7adda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004bd2006af7adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000990dfc69f7adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000041a3b36af7adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000027be0c6af7adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c4d3e169f7adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cea9186af7adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133610416947690476"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d133226af7adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003fe6f469f7adda01	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

3016 chrome.exe
3016 chrome.exe
6912 chrome.exe
6912 chrome.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

668
668
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

3016 chrome.exe
3016 chrome.exe
3016 chrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

pid	process
3016	chrome.exe
3016	chrome.exe
6912	chrome.exe
6912	chrome.exe

pid	process
668
668

pid	process
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exechrome.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4932	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
Token: SeTakeOwnershipPrivilege	2096	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
Token: SeAuditPrivilege	2900	fxssvc.exe
Token: SeRestorePrivilege	4384	TieringEngineService.exe
Token: SeManageVolumePrivilege	4384	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1628	AgentService.exe
Token: SeBackupPrivilege	1248	vssvc.exe
Token: SeRestorePrivilege	1248	vssvc.exe
Token: SeAuditPrivilege	1248	vssvc.exe
Token: SeBackupPrivilege	1572	wbengine.exe
Token: SeRestorePrivilege	1572	wbengine.exe
Token: SeSecurityPrivilege	1572	wbengine.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeCreatePagefilePrivilege	3016	chrome.exe
Token: 33	4916	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4916	SearchIndexer.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeCreatePagefilePrivilege	3016	chrome.exe
Token: SeTakeOwnershipPrivilege	4916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4916	SearchIndexer.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeCreatePagefilePrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeCreatePagefilePrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeCreatePagefilePrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeCreatePagefilePrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeCreatePagefilePrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeCreatePagefilePrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeCreatePagefilePrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeCreatePagefilePrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeCreatePagefilePrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeCreatePagefilePrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeCreatePagefilePrivilege	3016	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

3016 chrome.exe
3016 chrome.exe
3016 chrome.exe
5716 chrmstp.exe

pid	process
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
5716	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exechrome.exe

description	pid	process	target process
PID 4932 wrote to memory of 2096	4932	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
PID 4932 wrote to memory of 2096	4932	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
PID 4932 wrote to memory of 3016	4932	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe	chrome.exe
PID 4932 wrote to memory of 3016	4932	2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe	chrome.exe
PID 3016 wrote to memory of 3148	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 3148	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2208	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2208	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2208	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2208	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2208	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2208	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2208	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2208	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2208	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2208	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2208	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2208	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2208	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2208	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2208	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2208	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2208	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2208	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2208	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2208	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2208	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2208	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2208	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2208	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2208	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2208	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2208	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2208	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2208	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2208	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2208	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 932	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 932	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2180	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2180	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2180	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2180	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2180	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2180	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2180	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2180	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2180	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2180	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2180	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2180	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2180	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2180	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2180	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2180	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2180	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2180	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2180	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2180	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2180	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2180	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2180	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2180	3016	chrome.exe	chrome.exe
PID 3016 wrote to memory of 2180	3016	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4932

C:\Users\Admin\AppData\Local\Temp\2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_365d6cfeb83a52897cb8f7f32ac662b5_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9272bab58,0x7ff9272bab68,0x7ff9272bab78
3⤵
PID:3148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1696 --field-trial-handle=1904,i,11983117717212243764,3613404140091026133,131072 /prefetch:2
3⤵
PID:2208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1904,i,11983117717212243764,3613404140091026133,131072 /prefetch:8
3⤵
PID:932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2164 --field-trial-handle=1904,i,11983117717212243764,3613404140091026133,131072 /prefetch:8
3⤵
PID:2180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3036 --field-trial-handle=1904,i,11983117717212243764,3613404140091026133,131072 /prefetch:1
3⤵
PID:2116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3040 --field-trial-handle=1904,i,11983117717212243764,3613404140091026133,131072 /prefetch:1
3⤵
PID:1296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4296 --field-trial-handle=1904,i,11983117717212243764,3613404140091026133,131072 /prefetch:1
3⤵
PID:5724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4444 --field-trial-handle=1904,i,11983117717212243764,3613404140091026133,131072 /prefetch:8
3⤵
PID:5772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4592 --field-trial-handle=1904,i,11983117717212243764,3613404140091026133,131072 /prefetch:8
3⤵
PID:5832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4740 --field-trial-handle=1904,i,11983117717212243764,3613404140091026133,131072 /prefetch:8
3⤵
PID:2692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4520 --field-trial-handle=1904,i,11983117717212243764,3613404140091026133,131072 /prefetch:8
3⤵
PID:5672

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:5784

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x288,0x280,0x2b0,0x27c,0x2b4,0x14044ae48,0x14044ae58,0x14044ae68
4⤵
- Executes dropped EXE
PID:5920

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5716

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x26c,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
5⤵
- Executes dropped EXE
PID:5136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4776 --field-trial-handle=1904,i,11983117717212243764,3613404140091026133,131072 /prefetch:8
3⤵
PID:6072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1640 --field-trial-handle=1904,i,11983117717212243764,3613404140091026133,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:6912

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4864

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1672

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2212

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2900

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2356

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4628

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:848

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5092

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3348

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3616

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:768

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3832

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3320

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2512

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3100

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4516

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4384

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2232

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1248

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1220

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4916

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:1508

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:3256

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
10675ea81c7bcccec8a5b1351d9628e8

SHA1
346f0146d4c2aa0e0d341b1f495eb6bc660b6363

SHA256
12ebc6485b24877c41d76a3339cbc8b982c51340c00d4e43833500a2d8eaa15d

SHA512
5ed6b6fc1a909e2ff1a576976afcc7baa7e387813a7bd5a0640a4173736373c9fe25e294e0f0bb3e997a4f3aa6733fcc3552d9df727253434b414dd1ded4c1de

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
34ce045a6b48424eb54cd7a505783c2e

SHA1
9293ea6b1df882d6eb9c1a77fd7fe7af6c850558

SHA256
0876df1f892bba35d4f9d69b1264e284da37906763de95f613203a9127dbd754

SHA512
89f223007918847fb3100a3ae2c6eb26ce538a613d1179d06bfeb1c1cb029c80e13d2493e5420afd267c19167e65b134b7eb513399dc38b98b7fe14389773fff

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
36682d5b8693b61fb91289fc40e924e8

SHA1
b69af795fe8abe580009a34ad35f3ca2306f2b49

SHA256
d260f9c202c992730dbc922ef3060a2ad146f5d388a60b8ce22cd2b51297640a

SHA512
9893293dcea2952cf7af482a4b250aca0526d52ef733b60519d0816c2baa1c1c060cc80fd175aa3ffa38d488ddc7a69577a38a44b23f69eb1609e688ef7ad0f7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
bf9f4961bedb8c87d2a31cb77f540ae8

SHA1
bf74db265f486190e2cb95d027853ec094dc61d0

SHA256
bd0c0ab62e803ee08cc8325cd8bfee3b285d5b9ad81649e1624b6002ec6f6d37

SHA512
2cf913c0577d44e6e589236a2df9f08ef108e255c968221d6137eb0007fe7b85dd85d6e599aabc89f15ba00c614774dd2f846c485996d86b9d16bb8604a85c4c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
cc3e7c9514bc4760ec8e280ca377acf7

SHA1
2296906b64ea857e5308df4ed45db80c46941f14

SHA256
d04d7f5d5eaa6b925a8ce8181eaf0073343c25f3dd64cfc76f4eef6d0ddb8804

SHA512
64a729de3404b8ddd3bd79d24ba556a56f01a34b238e1b3f75ac09ebb85f9537aa36baf028755c52ea9033a9c0f031811681353e368e209bd3d2f30e24d7ff5a

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\aed89c1a-cbb8-48ad-9e0c-7bfc2d89d3e6.tmp
Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
23e6ef5a90e33c22bae14f76f2684f3a

SHA1
77c72b67f257c2dde499789fd62a0dc0503f3f21

SHA256
62d7beeb501a1dcd8ce49a2f96b3346f4a7823c6f5c47dac0e6dc6e486801790

SHA512
23be0240146ba8d857fc8d37d77eb722066065877d1f698f0d3e185fcdae3daf9e1b2580a1db839c1356a45b599996d5acc83fda2af36840d3a8748684df5122

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
e72f032971b8c765521e3e320fa596f4

SHA1
f8d007b2065d96935aa95c55709bad05a2928ae3

SHA256
b209af1d25a6b2b2fbcd873681549378819103468c3e1ac5fe4b3a577b6d0273

SHA512
65099b5372cc938e00623925e0bcdda46683823364f2984767328a47f74849d6041b2f4f621e5d2479b328a271d72e7a2a1c5b7488bb6ebc54a993e390226078

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
b285992b17e323af513ca2a56473f081

SHA1
1798bd612077d435015c8f577a8437094acd9563

SHA256
ac747d1643d16b9390f2fd70f050fdf9e30733ae85460b32e735845f4d95a035

SHA512
2d8c9c1b4b16784b4fc4bc5e817f11459fbe7fb05bcb9de8467939dfe5b1ffc05d542df7924ceba1e3b2ab6459041ae93e2008b24c0d81041695aa20076056c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
ffdcd93187aebc3f615aa98cf35c55c7

SHA1
0c99d8c54b4e5c43ad3ae2997d2dfac4f0981365

SHA256
77abe0dc5384196a532f9ee9079cd2f7a60f7f26d2a0d85f3424c56d5f2f0950

SHA512
df559234b44a57c80123fb2b1eda4f2817f0406c462be16eff11babc2d10528c40a31ca55ec2dae391db5a059613f14761f287c66e7b0571e1f4ac207865f9be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5782dc.TMP
Filesize
2KB

MD5
8441fa327ce1f6c12f371a1535e655be

SHA1
7ccca62179f1eb9a2d47c3886ad8ad4bf5b15071

SHA256
975c8308bab1dce91143c9ad18effdd216bc367fccb3195ec2d4fd50177d2158

SHA512
986088d4595dc5a9e166ecc0b439a878a24d512f236b2756e377050c0cc7423143d3aaa3033ba5163b28fe8551313ff985d6df2ab109117186e878ca4a98d0a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
505e05e67455fb6f798e0f819619ec95

SHA1
59c886d7d0be9781c0fa59144a70eb48c19fc3fd

SHA256
5c8ace9e2aebac95f10ccf7727b0e7512e7a50986bf0291a0af8a3eae05df82d

SHA512
28fe7d439f3072094243b9ff09285c42e74245da950946addc13a0fb35f533c8fdeef191d649215ea183eef042d5a94f8dbe9d5622788afade6edc894eca2d03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
260KB

MD5
330ecff8fc0fa4b41b0544d92d0bc9df

SHA1
507d482e15bc55ccd3ad51d5a8f2bd58d062b740

SHA256
d2e81d3b0eda1df38a398883a6e73c24c6a1557f99e6b0863e53b777322bf32e

SHA512
a30353374b46e6ad954a5f73bb68501dd75b6e2a59d746c67561cc705d128a945e12fbbba9af1c1cce9a62d0653fe825600331464337f1fc29acbd7ddb7763e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
7KB

MD5
ae78d220ba7a7f57abb285857bb5b3f7

SHA1
dbee1436bbd742b24220d73084f710a881974afc

SHA256
7d3a19bd6934892dca7fa2f340a50eb7f6c4e816f7f49a6e0ffef6da5fabcee0

SHA512
5b0ac1a700ecac1a8d1f7d90ff9906dcbd163471ddb75f1e13981587b211af4833935c7b82e29236dfc5afa900a603ef9041c5f5bf906cd060681aacd25e41eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
8KB

MD5
1792fd9e4132bb5b703cbe38115a0d1c

SHA1
9ae8fc2d50c7a5eadd1c11e77a312c4972be640f

SHA256
a96158a8df58dc77a2c4edd23104f980b13326179b076e22093720c1d5fa8ca5

SHA512
d70990415c43146982e7701a4228f17a6b657c83e2d2122311a8d4ae32eff7e513eafa16055c9e8fc181dc4084d62e9a86f3bbcd0ba7831ca13019f212e248a4

Download Submit
C:\Users\Admin\AppData\Roaming\dc75fc49293b476c.bin
Filesize
12KB

MD5
1fbe325be34b5bfd6be06a1e3b18c6bf

SHA1
b875bde13328ef1558a6b1e9530ca5cf07f49080

SHA256
0c42a66a591f0dd55ce55f4b10b4762df7a09503b371ece8fc7fcbd5f312501b

SHA512
75e15aa0d2d351d5f8f8b7dc2a4efb28c9f11cedf992dd3bcf96fa16590a583b5aedca26258ab3bb62097b5447e6194253aa6c7afcc337e4fb2d95378a25bd7b

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
1a7ccc956c0eb137ba229aedc9acb2c4

SHA1
a111d40d30a57d457424b05238d750b6e1d4db7e

SHA256
97adda4fd2cd90368d35a9b19451c9fde74680ce3022d4b439f7b7ff82ec2294

SHA512
f739c38703650007ca86ab52bfa581fe38962bcb540958f4c2038b851ff06793737ce967c45e624ca5654567120086f5adfd9665447490805c79499816cb92de

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
b44a93c6f720c5201b81ce962524f9dd

SHA1
5e28ad31a9946076b65867dfbccc63acf5211abe

SHA256
afaf792da9abb3a288a12c298d36f3d3cfc126235f1f00e45ae56f7542a71e50

SHA512
81ad68ffe658377a12ff12de6b7f83bb5e211aea72abf04b32f513a53da412ba3340482d2297f7b174d471d5e9bc70b9eee10bf7fb97bc3c11094a27a8d9eb09

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
f51bc6a466f7b87c1b95904239271e21

SHA1
d2bc0451abe1505bda9843deb3b343417ac255b3

SHA256
782400ce48a46edbf46764038742d8a88bd308e914341261fd1218cdaa7922d3

SHA512
955d5836b3e75edff6d13092e24c42cb3177c1712fcd57755a092fa939d210e93c4937ddc511b19d51a293a1d11307635b102daa371e0b2dd6d6f2b66b74b0b2

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
ff79aa1d1ea3050277b58040e574dfa8

SHA1
6133e391d194f9148aa82d2e7808b2f952f2088b

SHA256
49d96d31c77c91fe4f5d447cf23b9642846c726ab02fded7565770520df3b074

SHA512
c1f1bfdb0d797a62a09cda703536aa55ede270d0d5ef1995da062c4b1ccbe97f9d6a5c4f8b64699bd3dd64972a06f88aebad63b466c70ed727065e9e75f6155f

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
fac785f002db63ac604774ccca19a6f2

SHA1
ab8ac1f7a48fe1af3e3c1930cd62f81e4a962993

SHA256
a44d0394e20d8cdcdd2ca463e0b32751f982de24a6c7f3e957da316fad16bbd6

SHA512
ac7055e8ff05de320174513517495a0a97e563fee6e67f02c57c31e3e358d9a3b40be94ab18c6411e847654c2fe02024633a5150a7b40e11fd201a9ec8d5aa9f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
1914dfb33f54264b2ac2e6aea05d31b1

SHA1
267acad656f22205111413e27527e2af4bce364c

SHA256
6d7061d1540d7058a33f75e5de578c5d2bb60be418322e510b033b705f6f6bda

SHA512
1fb1326923ad0f306df8a797a6b902521334cafd786466bb593edf47a516e632f102cfb0a210497779c7c68ae2c5a06d83741b67fa902ed79e26f5569fbc9ab8

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
bf50ba06805996f9aa25706a6e293f9d

SHA1
e2de35753a3001540ed8a19299ffff5637f30a9a

SHA256
0b33754dc2599587f951a1b2ea03b2fe8a597ffaf320488bb82b61cadc04bccf

SHA512
10f8426ff206efc08af3bf868c323dc5c397d4bafc7c4d1e2c9964a90eeb1dce024828d5024c10b93f048891ab9729d4498de93de14041c28a6310373f9c2202

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
f9bcb5dd6f27efc8f24c0d065c5df0fe

SHA1
0763049f5bcefeec26c50a55a0e310159e3deb64

SHA256
0d8c14ce742c23f4a50c1bcccd8afabd0c0a3931ad0e524761104fadc5bc4871

SHA512
e9a381694914a26c20ca517460a9fc062eb608e4159fcc494704943a889eef1fcaf2f1dea3c9a427462073a4373a8fe03aa7b62bff88724b57ea3004467f61d8

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
6cf2b6554cd2ec54368fd27fa67885de

SHA1
df5201edbdc9d9200f14d7a6e61463761fcc8d9c

SHA256
c87db059b0dbcb6b870e9396ec45eff20f9fcd84ce9ca9a18e7328460557cb02

SHA512
e2f31142ecce8a47060bb1a589cf4d4c6ead2623ecf48edc3e59cdaed87526f468b9e69b4bb4273e7f7a8ad4633a1955ef34e4f2535738738484e85b8f7aae1d

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
e1b0c09999b73897d4c5764c9d0b3486

SHA1
29a06cd95909906c617710cc7fdbf6a515c11895

SHA256
3c3dba67ece7265157fc785ca3b765f52bb8f1a8ae1fabc6a9507c9a0c81a343

SHA512
1a82e27379c411c288bfe56155aeb6814cde73a83da0bf4758ec5b9a4761c602b763489b9a0c6f496b7160af7c8e71467f985e115e6b96ac44bd24ea44c7194a

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
5ee4cbf296316e20c5bb48681dbbb540

SHA1
955f86c5d84d4053b39d816a303609df81eb6f21

SHA256
75d8824a05e9ff7a8ed09627ed7f3f022d6e183c9a44ff506a9736f7dd59a0ae

SHA512
aa8078b5fb230e35596ad0075d58a606e04e2f180764edeade0ef549f555f7005728eda5afff8917a7142e48a86fc5f103bac8e294a2fcfa323640b4146359e0

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
667f1a4d894634bda6bf7d57e5b96521

SHA1
2a9f089176f7008877bc04f8ccae52aaeee73f25

SHA256
f2e9646808796d9fc6c994fb9dc5866aae37c1153dcaf2a1aef4f2da5b252035

SHA512
929c62869f58ad46fe0cee578a7b0d1a7da04b3626ff36be5edcbc8e465671648ca51a7e6545ec3e8c38a670cb7357f7d04c97da3418e03a34abacfd5f43a3fa

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
1b07d72010a50887a4e9fb8f27fcb023

SHA1
16aee25845deebfef8e2777530b37fc943cfd52f

SHA256
7f02ec315c150f1ca42efd2862558b8ebdf7c01891c16fd57164264c4724170a

SHA512
1044fb158713223a9673210592ddf9cc8f20490eac01f5b3a2b11ca509bd76f1feaa44b00ea6868c005d5767aa99c1dc0f9db08d816f2a308a711c29a52c3531

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
248350ee933ebb4325d7a6f2e34a2aec

SHA1
30c1558f0742a32664f86d1e589e679b767b13f2

SHA256
f970d94316a47fa3f707e9133e2ddc775951d5d4eafe0dbe5bb411d79d6fb29b

SHA512
0522d01c0362c4b70c45409b7adce99944c6415ab75735d5a213fb2f016c8c664d4638c0a549a02bf544dd9e7563159ee6304b36012a6d727e80551cc9f30298

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
70cf35eac16d35d112a84474ee8521fb

SHA1
2eeca842a429275fbec322bcd6714715aa727859

SHA256
0de2355457fc36e63fa90f38561e122e4eb15702b06c07997c1b416a5b1548c7

SHA512
95fc75e9fd12846f56c01b399da7207240b83a8de03e0cce84938b7abb259e0190a0b7b54ede086ac034b2109ebe72eb0d76cb81bed93b6899e2507296a195e1

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
a4234e3313e0f0712d1969a9ae2a9cef

SHA1
cb61f7f7bf02877c7dae4e2c6806160d70c4b467

SHA256
5b4060d80884ed667588153daa2ab3def838d55ca5c04b42dc299bd9f606c091

SHA512
300e92f03c44ac5cca8a0179b43830db8cb54a9dab3267d2b73255dddc03708e3448850688d4a109e5dc7234b358dad44a68e1da50bb4b447e161cbc3ea54b5b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
13da55039f179bcf8e9fa9cecb86b2e9

SHA1
b3d3adac50e113e689003990e1997d4928777bd8

SHA256
283d7009f991e571f32cd08a69d7009f34bf7666cab989f4f42299a4be2fdf1a

SHA512
9b0152e15ba999dfb8c1a84e7939b9762f093e01ccd4f1676df28bd753412cb9638466882f7f978724b81650e1c1b14daa523e213a2cc537500e8f6990ec25b0

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
8595f5f9af4a43fc7dcc9fb88c322436

SHA1
aa2873c984c55307e3c8549746030801d138d243

SHA256
3d6261114e975c135a6717a69ab4c5d82cafad2b8934178854a92799bcd3626f

SHA512
3fce81f427333921dc2f155887a2b65bf2c36cc1f4eec43976cd20393e91d7a708005b4bf529e2ce8589605ffd4fb6a427c476699cbd53527542596df216accc

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
440112092893b01f78caecd30d754c2c

SHA1
f91512acaa9b371b541b1d6cd789dff5f6501dd3

SHA256
fdf37f8111f0fabb5be766202a1a0b5a294818c4c448af0fec9003242123e3e6

SHA512
194c7b90414a57eb8f5ba0fc504e585ab26b2830ed0aae29cf126d5a6c4888d508c22984aeedec651c8644fb1f874fa558b2090488516b33165fe7985d2815ea

Download Submit
\??\pipe\crashpad_3016_EIWCNXEFNYXEMNHV
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/768-256-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/848-102-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/848-90-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/1220-297-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1220-637-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1248-264-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1248-635-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1572-265-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1572-636-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1628-220-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1672-52-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1672-44-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1672-53-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1944-261-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2096-19-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2096-20-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2096-548-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2096-11-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2232-263-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2356-73-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2356-252-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2356-408-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2356-67-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2512-259-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2900-56-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/2900-62-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/2900-65-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2900-88-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2900-86-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/3100-260-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3320-590-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3320-258-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3348-254-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3616-255-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3832-257-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4384-262-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4628-77-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4628-253-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4628-83-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4864-620-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4864-42-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4864-39-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4864-33-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4916-298-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4916-638-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4932-10-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4932-27-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4932-0-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4932-6-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4932-22-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/5092-251-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5136-568-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5136-675-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5716-566-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5716-587-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5784-538-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5784-601-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5920-549-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5920-674-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download