06f4f69313825895d95a88f5da4dd5ba13a272a8a3c4622b6e4da8d9a76a5df5

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 17:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
Size

5.5MB
MD5

232ed512dbaaeaf107fdc4a445cb3d1e
SHA1

1855a7087e28a3b587b5cd5a59b785aafbb719bc
SHA256

06f4f69313825895d95a88f5da4dd5ba13a272a8a3c4622b6e4da8d9a76a5df5
SHA512

b5544cbf7b43f67ae409f4e3f81f4a3673bd5c4ec8f05eda74fa2bc517ff9b0876bea89f0babce4fa11301f0adb73de59dcc7d0bfc5cd900cbd95fe15a05cb18
SSDEEP

49152:jEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfv:/AI5pAdVJn9tbnR1VgBVmpnlS

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
1584	alg.exe
1108	DiagnosticsHub.StandardCollector.Service.exe
3336	fxssvc.exe
3840	elevation_service.exe
4744	elevation_service.exe
3052	maintenanceservice.exe
3400	msdtc.exe
3988	OSE.EXE
2672	PerceptionSimulationService.exe
3144	perfhost.exe
3984	locator.exe
1436	SensorDataService.exe
676	snmptrap.exe
3436	spectrum.exe
512	ssh-agent.exe
4580	TieringEngineService.exe
1420	AgentService.exe
3472	vds.exe
3664	vssvc.exe
2632	wbengine.exe
4216	WmiApSrv.exe
2060	SearchIndexer.exe
3840	chrmstp.exe
5496	chrmstp.exe
5536	chrmstp.exe
5720	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exealg.exe2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\dc7919b91ed82f9f.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe

Drops file in Windows directory 2 IoCs

Processes:

2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d410b686ffadda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c8584087ffadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000083a56d87ffadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b05fa586ffadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006914ff87ffadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003b50fa87ffadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dfc1a786ffadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e0f35c87ffadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000035762088ffadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

3828 chrome.exe
3828 chrome.exe
3520 chrome.exe
3520 chrome.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

668
668
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

3828 chrome.exe
3828 chrome.exe
3828 chrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

pid	process
3828	chrome.exe
3828	chrome.exe
3520	chrome.exe
3520	chrome.exe

pid	process
668
668

pid	process
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exechrome.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3208	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
Token: SeTakeOwnershipPrivilege	2628	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
Token: SeAuditPrivilege	3336	fxssvc.exe
Token: SeRestorePrivilege	4580	TieringEngineService.exe
Token: SeManageVolumePrivilege	4580	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1420	AgentService.exe
Token: SeBackupPrivilege	3664	vssvc.exe
Token: SeRestorePrivilege	3664	vssvc.exe
Token: SeAuditPrivilege	3664	vssvc.exe
Token: SeBackupPrivilege	2632	wbengine.exe
Token: SeRestorePrivilege	2632	wbengine.exe
Token: SeSecurityPrivilege	2632	wbengine.exe
Token: 33	2060	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2060	SearchIndexer.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

3828 chrome.exe
3828 chrome.exe
3828 chrome.exe
5536 chrmstp.exe

pid	process
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
5536	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exechrome.exe

description	pid	process	target process
PID 3208 wrote to memory of 2628	3208	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
PID 3208 wrote to memory of 2628	3208	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
PID 3208 wrote to memory of 3828	3208	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe	chrome.exe
PID 3208 wrote to memory of 3828	3208	2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe	chrome.exe
PID 3828 wrote to memory of 5088	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 5088	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 2848	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 2848	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 2848	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 2848	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 2848	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 2848	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 2848	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 2848	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 2848	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 2848	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 2848	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 2848	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 2848	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 2848	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 2848	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 2848	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 2848	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 2848	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 2848	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 2848	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 2848	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 2848	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 2848	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 2848	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 2848	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 2848	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 2848	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 2848	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 2848	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 2848	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 2848	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 3496	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 3496	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 3544	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 3544	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 3544	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 3544	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 3544	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 3544	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 3544	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 3544	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 3544	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 3544	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 3544	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 3544	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 3544	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 3544	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 3544	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 3544	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 3544	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 3544	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 3544	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 3544	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 3544	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 3544	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 3544	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 3544	3828	chrome.exe	chrome.exe
PID 3828 wrote to memory of 3544	3828	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3208

C:\Users\Admin\AppData\Local\Temp\2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_232ed512dbaaeaf107fdc4a445cb3d1e_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8e7e3ab58,0x7ff8e7e3ab68,0x7ff8e7e3ab78
3⤵
PID:5088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1720 --field-trial-handle=1900,i,13317550782775041064,17389336233134164711,131072 /prefetch:2
3⤵
PID:2848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1900,i,13317550782775041064,17389336233134164711,131072 /prefetch:8
3⤵
PID:3496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2200 --field-trial-handle=1900,i,13317550782775041064,17389336233134164711,131072 /prefetch:8
3⤵
PID:3544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2992 --field-trial-handle=1900,i,13317550782775041064,17389336233134164711,131072 /prefetch:1
3⤵
PID:4008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3000 --field-trial-handle=1900,i,13317550782775041064,17389336233134164711,131072 /prefetch:1
3⤵
PID:3728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4264 --field-trial-handle=1900,i,13317550782775041064,17389336233134164711,131072 /prefetch:1
3⤵
PID:5288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4440 --field-trial-handle=1900,i,13317550782775041064,17389336233134164711,131072 /prefetch:8
3⤵
PID:5420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4092 --field-trial-handle=1900,i,13317550782775041064,17389336233134164711,131072 /prefetch:8
3⤵
PID:5480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4068 --field-trial-handle=1900,i,13317550782775041064,17389336233134164711,131072 /prefetch:8
3⤵
PID:5976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 --field-trial-handle=1900,i,13317550782775041064,17389336233134164711,131072 /prefetch:8
3⤵
PID:6052

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:3840

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
4⤵
- Executes dropped EXE
PID:5496

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5536

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x278,0x298,0x14044ae48,0x14044ae58,0x14044ae68
5⤵
- Executes dropped EXE
PID:5720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4608 --field-trial-handle=1900,i,13317550782775041064,17389336233134164711,131072 /prefetch:8
3⤵
PID:5244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2452 --field-trial-handle=1900,i,13317550782775041064,17389336233134164711,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3520

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1584

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1108

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2112

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3336

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3840

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4744

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3052

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3400

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3988

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2672

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3144

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3984

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1436

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:676

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3436

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2872

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4580

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3472

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3664

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2632

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4216

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2060

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5620

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:5836

C:\Windows\system32\BackgroundTaskHost.exe
"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
1⤵
PID:5976

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
cfb8902a2e098d780a42800560862d7e

SHA1
ace9245ccff8f3f4d8b7fd2d752641091f5d5dc3

SHA256
80495eaca69b8dfcd2314374504ff134d790dafec3b7179f0acd6d9ef67a526d

SHA512
eaeeecb521071b8e7b271bd9a33684d6d867f8dfe77a95fa95a64c35769f3fa0947a66f148fce8fbea5e42278c12fa5112e0e7949f335970d5d880a3faf13571

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
55c1cf1e6b393fdb96ed17252e9824f6

SHA1
96267a4987b0b6428dc0be179b9e48f6cea05dd0

SHA256
31f8f8ed00290321f88e0adc7e3f485fe3406210d66dcfa35954fc59046dd849

SHA512
37fe90e8b98d9f57552113ee541647be27d0864b3ed7f744c8b777f7922124f3835c46d25c72553956afa3536066ffee26bf939ada7a56c70ff7489299457f2c

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
6a494173f771916844c00bee37621e9b

SHA1
12880566ed0341014d7c2aab3070ddc50163c373

SHA256
0c0b25a8234727dcacd60d58df0e160110684956fbf92c699ac0182f489c7bfd

SHA512
23438ef2375666179b4689e23db250206033056447019c842c1fb2b47475bf0e2084ba34a18b6de734656d17b497078d90a9a76427273707f8d16ff4485aba2e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
323fedd508c964b9a798c569071e9c9c

SHA1
7d91aa10f8769cb7082fd5ebcaa1b683951a3f96

SHA256
a067dae868e4852e4abf272d895f577a64ae4f0ca1ad8b7d5be0e5f8ff11a2a4

SHA512
a63e7586a8689413f92f5ebea43f223c5c194922e73254d2df534cc97b2b3b8590d64f9f9300e644a097c806f20f1b9824f8c91722fce7db4b5732746bf0cb8b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
08a81424f2a3685b6a365b9de0362d7a

SHA1
bebace274cce18720a8ab38972cccbe26d81444f

SHA256
844933094e9e65e5bcccf15fa821d43a36d666de97885aac108a0b759385a395

SHA512
75033fa6aa51754248af6153efcb5c4ef9002fb9cfaa60bf473d8231e9c89d96ad7d6953e44fe47805dbd5bc55f52f36e10b8594f57e52514e05b6a4340f71a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
0cd429098412849541cb95afaf497de7

SHA1
34fcdc8c1708981ab8e69a9ccc50ab898d7f7df3

SHA256
d987cb1f82d1cfa20deebd5947b3ce1b9ae9ca25cb7df736727c507a3a17700a

SHA512
955809ff9150048d9b739222dfe4c1cc7b4f330cab2858b74ba1b8af8514f1d97268812c0ef81a3d926c9928fab845515a0fbd834a8dd1d0db39359001ce5f03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
f095bb39f4df741bec69afaa4588484f

SHA1
31e53179edaf7d4c19223c563dcfeafb1ae6328c

SHA256
d6899c2ecb8e5bd97b35cfcbd3683238175a0fd113c4dbdc1ee51804f82970fd

SHA512
8b6519eb2f9df2b0fa85c3f7d9612d5ee9c498cd8ac24eed6be0fd6dc648bd88d87f36e249cdc274e00c0259854a0dc6e3c4cafe964291f672daab14b7c55f3c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
354B

MD5
036ae1bd6791281e08b5ea638dec1cf7

SHA1
c0cd83a987afe668fd54eab08e2972e385d227cf

SHA256
c7c3dc47972c53ccf3d3d4986aba68c047c1bb6631751949b45c3b3e21855b09

SHA512
c955d87b85bfda0242545565bd73e3f3f8937d4e4b0f3bb6caa2fc70e170defebed0d1de98050bacd97fc3e92e6002e7f87d4a817a9d31c70673515cd98c3466

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
74e924aaea44f3ba6ce52c7bed24b52c

SHA1
c3fe340d1fe648119f6edbe38536dbed1dd3fbad

SHA256
da0a3554d4fb268b3b6d5afe370b6db6355598ba7ad17062a951df4cd343f01c

SHA512
324a0b68dd09bf55b70c25c2e5d65ed0919ebdb3c48c69dd625df8ba3df381d0314cda57a7e7279bd8bf9e0102866b9436c6bc0fa0636ac11514e2f1dd006f06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe577e38.TMP
Filesize
2KB

MD5
411ac782e18a3f8947b5bbdc13773829

SHA1
d9a709bb6b79ade9df4024e8fb6e36190070bc21

SHA256
0217b1195d87db614149675e331d00b581206641c58f6c7cd8cadb92e718f8cb

SHA512
03cff6f4f72f375b34a35df614de1c0837ec423b3b232e5b863a2d85ccb2f2bc025d1954ae0ba9d117930a84e7fd1b44bc82b488e5acd58370c36e9c24717d5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
f7feb5f814feecbd44147656eb87c061

SHA1
a08744f8f8fbf4443b3ff8731f574be09c8f6dc5

SHA256
3c07759c8689c0bbc91268b3464baefe9149150ffa80f0da30a76df88a9fa064

SHA512
7f0a7a2ffb19c7e87821974da21de537ebff8c870ab5c1b223e1f513a62ba0eec7bf70bf7223b9d2aabbdd5837f2c4c3ba56705ede1191502e6491282d87fd89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
260KB

MD5
b160b4133c73b7d273ac674a1ac3655e

SHA1
cec6ba3602969694fe9c06fd9cbdd4de304ef773

SHA256
8d8c90c36b7451faedbcd3f606581582c839d827023e271b98bdbbd3d6849b71

SHA512
7a58149ce6a27b0a3edba21759d89e91b12e41b172f7fe1b17eca1c48d66bea848828f136483f86e97a685548b04741f7126da3638686719b9ee6c61b110922b

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
7KB

MD5
28250eccb08c01e9415cc7cc54e18a02

SHA1
56048196a67615a7d085cb47029cc0a3c8244461

SHA256
1e4224ed79a24f83a3b73080c58e3402f1c414acbbf8ffd0326b910129656b45

SHA512
0cd39c33876ccc189b198ebf23220ede449d2974d0c05123206f45b589b6433ad59bce2e3bc3ab872deb7fe1ff5cb4aa0333973fbeec797b7fea1541bb70fde1

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
9KB

MD5
53ff69fff1e54f39215896b1980491f7

SHA1
9695ec4b2da4023dab7e267117811fd53c0c0b76

SHA256
17b75f327d36a231a086cd5eeea51afd12e28973d4863c6f64942acc161ee5db

SHA512
4fe9aa5d76ffecbc97fd2efd88531d651b3786a2e4a0012c86d25ddfc11dbea85fe238a07b3e5600055e3e8d598afd340ce05c175046054c046cd01eccc57322

Download Submit
C:\Users\Admin\AppData\Roaming\dc7919b91ed82f9f.bin
Filesize
12KB

MD5
0fc3f42537aebd1bc09482eb874f7bae

SHA1
bd2ff2ac0e7a6c647c43a42af5b4c2d110c8012f

SHA256
bffc10ea386c4bce315ae1d198fe58697c3cee32011f093d0ddd35ed05db5479

SHA512
a59011e99446e27d09803d3f8a4e9168feb93f1d5beca6a956ca3dab0f9e90992763de78aa328cc52287294f17590b2a0e9feaa1ac98cab3b23d10e73b7d47c5

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
a31275479bd0007b67b084fa18f45164

SHA1
61e781d2b2fe90225c184d7e4c124bf520787c70

SHA256
7a0c1ea54026ec997551369efb58fe3f02f8c94b887fb73c51f30ab9c5f2220f

SHA512
470ba55e4a5212fe29affed2adcfa8b8588536b078fd29688e0c8d824d40e9763a69d31e698f066a1a521124063567379d8ef5390285609713572c325d2cb602

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
ce05d25425ca711011c673b41601e16f

SHA1
3e93ed2b81a31d2ef537aecc9742bb21d72ba57d

SHA256
11fa0657612bc58aee26278932bb47e028d5772bdfd38cafa2c0a7c1e1e924b5

SHA512
a9588847d6bd20c92581c06d9fbddf110287140ad4ad2256e97eee27137808bc1ef7d34661a4b4c201bf641fc9ca4c28221c15a026246812f5f16469d820a657

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
7ab03cbd75bb5e8f3d395e5d242f0a5e

SHA1
5e7118b533c95924b5457ab12e1c5234871a311e

SHA256
3c0334b131c7161e2ace591b016492dc2e6b89be4de5d3d71cb320d36525fde5

SHA512
847d9d700120c3a04bb71c71d037bf213a0b39731b79abca24cfa45a95550eb0efe4e163fd9ccb53399e4e2aed63f2feb5b5f320ba76317c6cd84a6a3d4565c8

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
5d5c223db1f0d485f572f6b4ce811042

SHA1
c45cf449eaef260bc8c0d74203c4be107dbcbc47

SHA256
eee9f0ddcfdc47ee53c5d58ef86d2579151d1485ddba9e3431ea4b1e5862bc44

SHA512
0a1f136699e4f959c028ad0e59bfb4faa67eb3783d8ad8aa6fb724de152bd4244a29be71089a5b7222c469456dfe9e49ad4e6b27dc87ca0b45174a1180410198

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
95c377ca189248bbc1a5149dcf69ebb8

SHA1
02117f146874da724d1ba6c8989d06d279092528

SHA256
b1ba15fb52dd11581c435e296b4a15e3f7fddb3bf4b6865a35977c7ce4cfd38d

SHA512
77461f1782925471e159a23931444e402ff7f88090a9ae813ae4af25d8a64db4bacce788b887bda17007dd788267ee6f4ca57bd4e7816194e75fe06ce882eaff

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
dd7fb2d968a83bea50db76c066f2a57f

SHA1
4f43999ec187f6ded04cf3fd613b6df06659fa43

SHA256
4f38905388125d34f435e9c4992abcf0df021f63db04c647fa00fc019fd9c81b

SHA512
4cc9f7e1c3f56342313bc736bae0587401d1df37217874b5034d395e8409e2dac70cb6d76722d5385bec87ea4d67fb218879b59c7f3bd2be0c829f7d068d1834

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
92ceef3dc45c38b605b67c52e10602d4

SHA1
ebf9f25d3b0c60707c3f809ce0cd41571bfb48d0

SHA256
9b55138f0f99a944da3e259976ddfd7af2d996cca9189c7de77a9e0a5798ca95

SHA512
fdf9adfc66f97cad4920c7792a5207621f6e894df956f099f26bf0080dae20e8edb37ffa1060f3a3d078280065a85ba471a38577c4909b468895d7aec4d25e0c

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
00f6981cb053f92f74f33a415a77b096

SHA1
a45651896a58c68366667583eb2f51ddf8199aaf

SHA256
7f2a640730b652672bc7e8057d050ffad3905eda78610194cd7fe1f122786c43

SHA512
69184c26daab48673ea51416337a4b6f948e4f5af0e8c8c3582056a1511934470a6fa6fe64a0a20ef21cab20f8ec5378a6de1d9440c979a5459d678b4c16e7f2

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
b0d2300babf2c89cb3ba7d83e3c48830

SHA1
6d1be0c141d6d1cfccda877cecf13bf5bae9c71d

SHA256
6fe219e3c45515ba45257ee32fe679d8e4094e2760ca38114b093b4b6e00fcd0

SHA512
e735f0c2bbcd7772f7a8af289a9ed648414ddcb0bf67a713dd9cef6f3457a91492eecb9bb5c626ee6bc3ef79fb3a9865645bb7721ab54f679b3630baed6b138c

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
bcd56885599eca978aaad76637a5f607

SHA1
728773cb67f087a313cca5400feee8801803b6c6

SHA256
c952b714ac308d65bbc2dba1bc3f16e2d721509e8793c3c15f9cc2fafb5fd80a

SHA512
f8421cc5cff63cc4a37ac3e9c6a90ef6c51a1f6bf13ac5354aa7b786e82be91c3825748f4c2266c329156f6b2fc8f80be87b2360861ca084e8b89b1e92753070

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
6329677437c2c2f8a28e824a802548c1

SHA1
f41b9830a889905ce19f945d512e1e84fe392bc6

SHA256
2c4063116efb5c490841e1a3862797bb1092d9f338a2bee7542002b880817ec4

SHA512
b229803c1fff0ed39cebc0533d2106fee2d6b2186d3b3806ba43012b6517ee1246197ee94f2864562892cc00250cfe79629c77db5a115029d8834c4de9dd2921

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
71e751a514104d52c03938d876a6b368

SHA1
19560681e7b2ff40745144211a35c2d2b41f1a87

SHA256
f5c168ce525b91365e20f4f0996b359b673ee714b597d045088185a242c3dcbb

SHA512
d0597b02f4649db841b66c3c2b7ddb2e3d077cc4adf42014c3170ac0c410d10cec47bbef143232073d0037117edaf7d80506d586e16200c73a4b1a769bcc6293

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
211e6313924f951e1f73af67828f7352

SHA1
02c340d00206869b0586c7fe085dc1905c66764f

SHA256
f1723e7ec8b72291d50853e227273364d5d356e2a53189176632a6d0e09e8fbf

SHA512
b700a4ddda3e5763a078e2b3f5533e8faa508d36aadd4d90b925d47df95d90230f3de007c4a0509910d6d0c0a5bd710e437726eb014bcc14a100de9072525f7b

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
1eb34a34ab84a170db6b15f5274d6a04

SHA1
53383bff55b4285b049a6ac2bedac7e1c33b0596

SHA256
23576f49df388c60c31dcef1f15697f8442def0f9ac6d662a582032ba35d1f58

SHA512
30b734798fd7e3e483f8ec0269fb70b608299b480e07a08689accb66f45bd67bcff35cf6eb78eeeff721795993fc8ab9a2f34c25533476ba15bc2581066874ee

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
b192b80401f67de18b71774e1afdb698

SHA1
1471569f6137899c29a01f5724099cfe9ea436e8

SHA256
8dc17c4a678b50ca09912c1aa847bac1de126e2e0264daf45a6eb311d09a3257

SHA512
d52baa5c458e57ec27b2bf432824102b524ce2819fc174c5c2487110a091d4f7b8343b71b3ffd0b0f8747ff6f9cd1243757bd8bb18bd685dc5ea210fc38a3baf

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
dc950672a25c868b5e98ef8ed28f6157

SHA1
7363f8a73c0b54acea8078c416be2a7efb535640

SHA256
6f0c054f09aaa449062d5147129bc49e3e1a347cfad460ad1ade4de70d18a1bc

SHA512
3b6695873664bf42f22d635bef3285f50dca42484b31a11aa68a68468e19525f829e35cff20df66c842e30d22c664153f9c1f4555b8a1ed284900bfc338edc1b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
5e97f5bb1aa9ccf0d86cba8a6e97adba

SHA1
edd09b77ab159658c5ecd6430323991b0ff64b49

SHA256
94ae0595cadac5188b9b7b5ab34d01f6ac4be534443208c6a11e8fdddabfd86c

SHA512
6fc54ad174d44788e3b00c516df84a85626f85e85091a531a95386cfdd7820e1dec5153c9f6718208ff9f8a3d882e696012ce9a52faf4f470614166f3ccaf13b

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
f4e60e1742afbe822adec97988e3410c

SHA1
133574dfbeeda665e723c12b36853c4b12d01db6

SHA256
a145795f467b8bd8eba17f1e7558cd95cb506881e91b3da4ae5f8a77e125f2f7

SHA512
25495d921411d6e6f087ea5c4863813dcc149ec2f9f11624fff3d18e1d2934ea58d408a9a3eb80e615e268a0fe9aad7e7fa8cb1d11da3ccb9dee02d07fe4ae55

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
4d858969f9b63ec4e90b337affb40980

SHA1
c5f517b47ddc66cf8fe32495fe14e425f905c252

SHA256
d228412aca7296096c2db6c01dfe1e83ca0db6a7fc2512468473c94bbc3e50f9

SHA512
df058b39862395921f86ab56ac87eec0ed1adb201b988f3bae0fb037e14a1c33d842b7fac2354f0daabe15cf41c5b6757ed9971dc8237e7a5e9377314c6b972f

Download Submit
\??\pipe\crashpad_3828_JRDJPKUWJMGYTHLP
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/512-323-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/676-321-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1108-44-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/1108-52-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1108-53-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/1420-219-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1436-589-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1436-316-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1584-628-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1584-36-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1584-27-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1584-35-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2060-329-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2060-633-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2628-620-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2628-11-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2628-23-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2628-17-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2632-327-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2672-313-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3052-101-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3052-89-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/3144-314-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3208-6-0x0000000001F90000-0x0000000001FF0000-memory.dmp

Filesize
384KB

Download
memory/3208-0-0x0000000001F90000-0x0000000001FF0000-memory.dmp

Filesize
384KB

Download
memory/3208-20-0x0000000001F90000-0x0000000001FF0000-memory.dmp

Filesize
384KB

Download
memory/3208-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3208-40-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3336-75-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/3336-62-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/3336-77-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3336-56-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/3400-311-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3436-322-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3472-325-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3664-326-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3840-535-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3840-66-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/3840-72-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/3840-596-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3840-462-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3840-310-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3984-315-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3988-312-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4216-328-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4216-632-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4580-324-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4744-631-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4744-309-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4744-79-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4744-85-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5496-549-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5496-717-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5536-586-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5536-562-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5720-576-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5720-723-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download