eb420a2966bdf346be243fb87e0dc9353a141c67e826005d2d752fca90158bef

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 17:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
Size

5.5MB
MD5

405b858b85ebbdbeccdfcc5bde29b0a5
SHA1

90d403ff436b8e203a0d2c03cdf1d3dc037786ba
SHA256

eb420a2966bdf346be243fb87e0dc9353a141c67e826005d2d752fca90158bef
SHA512

1037f378761d6655180200e30fc8688458cb36704d5ec47568f7048db2f1a4759a957f497991ebffbd99d90113479e1f2a87470fa3b3d6d239b412e953b73ea3
SSDEEP

49152:FEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfo:ZAI5pAdVJn9tbnR1VgBVm/B2Yyjl

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
4620	alg.exe
4316	DiagnosticsHub.StandardCollector.Service.exe
3044	fxssvc.exe
3648	elevation_service.exe
4540	elevation_service.exe
3816	maintenanceservice.exe
3716	msdtc.exe
4852	OSE.EXE
4796	PerceptionSimulationService.exe
1044	perfhost.exe
3852	locator.exe
2076	SensorDataService.exe
448	snmptrap.exe
4544	spectrum.exe
1632	ssh-agent.exe
4760	TieringEngineService.exe
1064	AgentService.exe
4908	vds.exe
3884	vssvc.exe
3272	wbengine.exe
3912	WmiApSrv.exe
4348	SearchIndexer.exe
6120	chrmstp.exe
5228	chrmstp.exe
5628	chrmstp.exe
5740	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\3c37074bc3136770.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaws.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe

Drops file in Windows directory 2 IoCs

Processes:

2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exeSearchIndexer.exechrome.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cc7ffc9f02aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f57e1ba002aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133610465043252928"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000210be79f02aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000097cc29a002aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c50563a002aeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000662e4ba002aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006bcb48a002aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exechrome.exe

pid process

816 chrome.exe
816 chrome.exe
816 chrome.exe
816 chrome.exe
1596 chrome.exe
1596 chrome.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

664
664
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

816 chrome.exe
816 chrome.exe
816 chrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

pid	process
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
1596	chrome.exe
1596	chrome.exe

pid	process
664
664

pid	process
816	chrome.exe
816	chrome.exe
816	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exechrome.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2312	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
Token: SeTakeOwnershipPrivilege	3076	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
Token: SeAuditPrivilege	3044	fxssvc.exe
Token: SeRestorePrivilege	4760	TieringEngineService.exe
Token: SeManageVolumePrivilege	4760	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1064	AgentService.exe
Token: SeBackupPrivilege	3884	vssvc.exe
Token: SeRestorePrivilege	3884	vssvc.exe
Token: SeAuditPrivilege	3884	vssvc.exe
Token: SeBackupPrivilege	3272	wbengine.exe
Token: SeRestorePrivilege	3272	wbengine.exe
Token: SeSecurityPrivilege	3272	wbengine.exe
Token: 33	4348	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

816 chrome.exe
816 chrome.exe
816 chrome.exe
5628 chrmstp.exe

pid	process
816	chrome.exe
816	chrome.exe
816	chrome.exe
5628	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exechrome.exe

description	pid	process	target process
PID 2312 wrote to memory of 3076	2312	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
PID 2312 wrote to memory of 3076	2312	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
PID 2312 wrote to memory of 816	2312	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe	chrome.exe
PID 2312 wrote to memory of 816	2312	2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe	chrome.exe
PID 816 wrote to memory of 2540	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 2540	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3580	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3580	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3580	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3580	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3580	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3580	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3580	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3580	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3580	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3580	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3580	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3580	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3580	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3580	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3580	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3580	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3580	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3580	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3580	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3580	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3580	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3580	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3580	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3580	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3580	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3580	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3580	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3580	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3580	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3580	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3580	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 1952	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 1952	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 728	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 728	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 728	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 728	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 728	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 728	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 728	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 728	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 728	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 728	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 728	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 728	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 728	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 728	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 728	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 728	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 728	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 728	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 728	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 728	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 728	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 728	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 728	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 728	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 728	816	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2312

C:\Users\Admin\AppData\Local\Temp\2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_405b858b85ebbdbeccdfcc5bde29b0a5_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe86fbab58,0x7ffe86fbab68,0x7ffe86fbab78
3⤵
PID:2540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 --field-trial-handle=1904,i,13976560142943026876,10396230409026590493,131072 /prefetch:2
3⤵
PID:3580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1904,i,13976560142943026876,10396230409026590493,131072 /prefetch:8
3⤵
PID:1952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2192 --field-trial-handle=1904,i,13976560142943026876,10396230409026590493,131072 /prefetch:8
3⤵
PID:728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3048 --field-trial-handle=1904,i,13976560142943026876,10396230409026590493,131072 /prefetch:1
3⤵
PID:1860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3064 --field-trial-handle=1904,i,13976560142943026876,10396230409026590493,131072 /prefetch:1
3⤵
PID:3596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4260 --field-trial-handle=1904,i,13976560142943026876,10396230409026590493,131072 /prefetch:1
3⤵
PID:5476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4184 --field-trial-handle=1904,i,13976560142943026876,10396230409026590493,131072 /prefetch:8
3⤵
PID:5532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4072 --field-trial-handle=1904,i,13976560142943026876,10396230409026590493,131072 /prefetch:8
3⤵
PID:5540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4920 --field-trial-handle=1904,i,13976560142943026876,10396230409026590493,131072 /prefetch:8
3⤵
PID:5916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4532 --field-trial-handle=1904,i,13976560142943026876,10396230409026590493,131072 /prefetch:8
3⤵
PID:6068

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:6120

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x2a0,0x2a4,0x278,0x2a8,0x14044ae48,0x14044ae58,0x14044ae68
4⤵
- Executes dropped EXE
PID:5228

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5628

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
5⤵
- Executes dropped EXE
PID:5740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4464 --field-trial-handle=1904,i,13976560142943026876,10396230409026590493,131072 /prefetch:8
3⤵
PID:5664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4668 --field-trial-handle=1904,i,13976560142943026876,10396230409026590493,131072 /prefetch:8
3⤵
PID:7072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4228 --field-trial-handle=1904,i,13976560142943026876,10396230409026590493,131072 /prefetch:8
3⤵
PID:7080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4552 --field-trial-handle=1904,i,13976560142943026876,10396230409026590493,131072 /prefetch:8
3⤵
PID:4200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1664 --field-trial-handle=1904,i,13976560142943026876,10396230409026590493,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1596

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4620

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4316

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3512

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3044

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3648

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4540

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3816

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3716

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4852

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4796

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1044

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3852

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2076

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:448

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4544

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1632

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4888

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1064

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4908

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3884

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3272

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3912

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4348

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5868

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:6008

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
b83a0bad4003ec67e8e8dea20ecfdf76

SHA1
456ea8a16dad19b02b894fb732c2c0592d961e0e

SHA256
389627158f817682b7442658363b8e7f80f7b4fd60a0c047584dfcdc3c0344ad

SHA512
f186bb713de58fb6bbef295b9351671743dc5b44231001a8578cb8448ef61f5b531065140d7a8ebd39720748dba7521a491852c17e0c00aa4af99e6b211867f7

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
b97cbd6decb4f6519aee1578080c8931

SHA1
3a4dadc79b5a5d80265f4ef1fadb8135cff46ea1

SHA256
7fbdae493907d56c5f84bc4650114decb5e62e984ea3e193dc60843590a8fa10

SHA512
cd38fa68b52363a9dd4e189f8e8729e8938d27d3144e09b3714df9940c4abf5b75142c96585d20b15d7ce219d073849fdc53500882971082bc08a7e335f6fca3

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
0e9c9e35c79bff1f59e663fedcf083f0

SHA1
65cacddf09a7ac22ba6607c5c86bcb81e9265dd0

SHA256
0fb415e31afea1266b70f6f826fa5078cfa2adf54aee0703e9b1513090fe9e28

SHA512
b6c96f71310ac2479b58f3b933e4ab0d83e70f053e3c788d30bdd23a4b11dd951a259a25aec194cbac05d57ebfc37e2875139052a89f3cc39e72d769deb2bc41

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
9bd87309d3df772fea4da93bce240820

SHA1
92a9acf30c10f0f8073c148fdeb07569fa387ee3

SHA256
cf0ab162a0668793c55f21914f663846bdfc679810dbbb38a9ecb33655731b68

SHA512
dda6335b1dcc8d9db942f679bcdc4a5109fad4aef11e4cd2ef6e3a2540fdd6aa755cb019b8aca20ece64ec3d9073e32899fd35c537e23be6043ba6dbe71bfa65

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
b9831d997e9fded7982997818f355e15

SHA1
7f6ba8f35c6e61246a8a796e80e7ac90dfcda0c0

SHA256
e753d6c4610f949ebd4eba4f6ecdc869d67e2b825414f6314adff7969f82f5d7

SHA512
1f4e90762e6ec804bd4a12c1867b50eef9e1701f0a025e9e4deb634ff858c58121d0d32eeba5d822bdb9325f35baf61cbd79bfd359d8baca007c2046c35250b1

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\fe0d1df9-b349-4742-8814-610ccfc75fe8.tmp
Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\93af99f9-f839-48c5-ac91-43745f1a7ca2.tmp
Filesize
91KB

MD5
9a67b07979a5898022e95066e279a954

SHA1
45b1342d1e987eea3f0adc13fb1608bf4afa5e66

SHA256
aeec484a04aecb64bb04c2a5f91a7961208f4c22e08b5331dc22943604b3b90e

SHA512
3c79a2d900c8af94a26dc62ed8c84a0f175a675b641325d2de62c03ad4a8a76e3ea69d37f3e2a89229518b253da8509235d419e87dc31da11f9b49cba9915bcf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
757f9692a70d6d6f226ba652bbcffe53

SHA1
771e76fc92d2bf676b3c8e3459ab1a2a1257ff5b

SHA256
d0c09cff1833071e93cda9a4b8141a154dba5964db2c6d773ea98625860d13ad

SHA512
79580dd7eb264967e0f97d0676ba2fcf0c99943681cad40e657e8e246df1b956f6daeb4585c5913ca3a93fdfd768933730a9a97a9018efa33c829ab1dea7a150

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
ae923229cd060e77128454dd645c609d

SHA1
13c9eae81317cdba259fba24920553d053f695ff

SHA256
f1f48a11664e84d38eb30626e78dc122dd718faf7e07bd856adb2fd0afb145e2

SHA512
22307e7402007c70b0092368b3702eff644a32f8da4c89097640ce08c0fe38b1a6e05f6ce6314b6c4709e95bb213063c77f2d6b2fddb24f95882695c5ddea8db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
c5e786ff4a236255ce0c910a20df25c5

SHA1
1f2b988f69f16ef94fd8cdc69b6183b2236857db

SHA256
647a15d333785ba6d3994b5bd2d95a80a4494297a34a333d992d135a0cf2d63f

SHA512
047faaf83e273ee50ba8eb880b478db2cd89432851b889f073f9078d8d9c2a0e4c62d09903ed82140f754c7e486b37d9e89aaad27dea5d8f3538d44145c8910d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
45c549a7cb6937490aa8f5d7599e9eea

SHA1
16c5d49188b3e642368688545fa86f2771b00a88

SHA256
0a8a6f1b9069c4a7b42f1abcf1d66949ce9e6cbc32a516321208f028ec483c7a

SHA512
bdd646d202fd039907cc231fd7f88007741c4fa780d8cc20152275bde9a8f734f68f37741625b238178bdebc6e1cc02d1416002b6e83e31a1ee8f6714a46e9af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5773c8.TMP
Filesize
2KB

MD5
6c38709f2b92b4197d45f6df3df81cb9

SHA1
92d1adb3512f085dba8c03ea68d926704ebbbda3

SHA256
d5bb9e1c53b6d6dd67dcfdf3963d7d8b0dd3094ce6a86851e8b8ab7d3d6f235a

SHA512
3cc01f22a75c283dd55a4fc9b02211776bc1246ae7787ffeee21a25d0ea8ddaafbb70cbe8d0976356fcff59c9be8e9c178c15264d2a44df3653bb1e03fe41bf9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
67163456e73e7ac5d6287c91935f6c52

SHA1
79d26cd61f0481a28a67e127c62e09edbeeb9eb3

SHA256
b0e69ce613543ad01e916d3e0e83ca931a7fbafc53e64bc09790b16c2803eea3

SHA512
9fbf5cd41d95bfd911eb960832b21ff8ddb5f1f1f4b140ee50ded4740bb6fbf809baa22f17d8836e41285c767cf9177988f47c3d52362772548e3294b8a359be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
257KB

MD5
a06ab77a9a5d4728ca73846438872923

SHA1
a072da69718524163db4df01fa805efd26c5f878

SHA256
3c6e9de3a5b3f4a2aa3569b67584ed5f765cdd17b7898bcca8f3a4173729e307

SHA512
0712e51551eab9622716901118f5c33bf6a317a54a4bbc39f3579741e7cef9d72535d70e8523829497ddce9dc51f6dc9ecd4826a83db9f3d68bcf3acf108c26f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
262KB

MD5
eb0426eaa21ddcd216863ae75acc7848

SHA1
1401fd2672e3f5b0362f3e52bd8b3cbe78a5e259

SHA256
68353b94933e45ec38d43a79c176c98f90e345f5e9e735cfc060b2af5ca9857c

SHA512
12fa4d7e8cd9971c1d650de3fe7c05677527f0cbb4276552d8e7c6271e3c30a44b9583e4f7a262c6c510173df7a90380dd1d64552d420ed225651573cb9642fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
282KB

MD5
c7b3eb3cca62f9394e2d726cb9ef7cc8

SHA1
c867cb03c009ef4d5e617c539251fb1f7220b63e

SHA256
6517490ee1b46b6b32bed0d4a71410ee8136e8c19e5dcea59c71d0fda56cb044

SHA512
a9a48bc1e430e8d95b5fae755b11b0122e7c8cda4a51f4c18026af3e4fa367f15994eb3c4c101409571163470c13d9ad5492b29b483ad0d4748e20174331c994

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
262KB

MD5
ce08cca4edc2d4996b1f991f155c858b

SHA1
6ad47581133eca4735d7dbde1069925b8e4cf596

SHA256
52aca8d254a1dbc06792c08948bbfe8ee8f2a835af4504836b1ca65817d7c5dc

SHA512
df0cbb9b6eb24a6c48b6eb2782afda76fdcfd108848624b8d099e7c2c309580886336a12a3d0e1414cb0a51888352b137f6092542a77db62a32baa2386614f28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57e8e9.TMP
Filesize
88KB

MD5
a53a31bc5efddaba059893c7ef5ab9ec

SHA1
9fce2d068f0ae07e9c622b893732cd4c667c0125

SHA256
c6d2e577b370088c55d3727e8bc2b6d3697ca933656745d9014f45371683e482

SHA512
f06776e7b345cc489990e989d13360c6e902b8bfbba963818ac751f7255b2c266cfeb79980ac5f335b2771c7fc284eb5e67834100127ece3241a98d9bd5873f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
7KB

MD5
cdc39d4e9950ad110b2b18a859d917f1

SHA1
bda00fef80e412d29c977413d2b9601d19e97fa2

SHA256
4bdd82da0ff41b52ca773901aeabd28d6d6d569bb4f1f47d0ef5cbdff90d7c6d

SHA512
3029e9f326ee8629ef89b66178fe6eba99309650e25f768f552a19826dd3f550f2a7bed23f9d9306737e0809e3e84a3e97b6be0a8160ace02cfe333d4cf36e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
8KB

MD5
bf3b8349bb12aced2d9030a6b33d4f73

SHA1
87a23758423b78f481d77c900663d43987d8813e

SHA256
abaf3751fbd83dbc80151d8bcef5f316a4a8d00573cfe048285ee711f2ab8a2d

SHA512
534130c52110b69e71a2917110c878ba2421e0cdbe6ca08cc79974930961539f93190c78d6e0a085275c98ed20780c5423aeceae42f005efa54516294196640b

Download Submit
C:\Users\Admin\AppData\Roaming\3c37074bc3136770.bin
Filesize
12KB

MD5
0726ccdfddb6c334c98dfbf296be3877

SHA1
3d2e4e3d3a3df07984b201320ae07b65055d41c8

SHA256
03ddabbcd65bbb103111bdac2b742bf50817d0916a2a14848c2e00beef81a788

SHA512
3396541ab2ce63e65da8a3805e62f20b19648353d175d373298b3780b332d7eab7ad9a6dac6a70912da9a1d5144de1ae7793fbfcc835103b011cc33c32b586a6

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
410dc49ae90d3123c41b715a0a77fa16

SHA1
367c5a4edd3ad479a5835a158b77f89cb7119829

SHA256
dc741f9298fd48364a6ffdbc8dc2d169b3ac5d147c258ed86833c19ee0b17642

SHA512
23efb204efcfe84ff6ad63311b01156317e9beee90f13d0f50fbc492c08c919208c3164041713b85b7dc4087311ca503fb5a00b268019aebc5e15443ce6f27fc

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
ccadb79de6a57bfb9b36383240377625

SHA1
fe65777c28ff4536773a8064bb7ba240ae38d007

SHA256
54114a82aaf8034bb252babe1d925b9088b12c1faf186b507323e02080885040

SHA512
3ca9d6f01e78d110b12929b7d24d51e78e089cbc993237ff17590e73664894d653ec3a1414acc7cea5f5e00c8ce42450a1bff78ca2df1042f8d4d94be81646c8

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
506f014d67aa06ba7a3776028e190890

SHA1
9aaa5a22a9a5191419e187bb496289a894b9fd2b

SHA256
3fc3afdc91fb0313f9a7adc6036d1151f028ae85dafb597174ef9fc5982370fc

SHA512
f771b77efd789e15fc91f35453893091a84e8a0e2bccbb85e67689ca3443cfa7d8cfd0636b7f3d54cd3e1960f5078d07dd1fece0a7ee2f1fd5f51b59add9ed48

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
d4c80b03f75746c8bcd16e474d7e0d48

SHA1
56fb7f0d222fb1a724639a926635c68ff19e9a62

SHA256
f152f5ab4ab9163a582fa073badbb6a0347f202de58f6b0ccfeaa4e12d545027

SHA512
efd4f523e470ad3677d97b3c54b56721b465c82ae3c74ea16e362eebbcc34723778b4a64b3ceabfd02faae58b8507caf064aac09846c0809a98bddbe093d65c4

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
e7296acb25a66c306fc807ce73220968

SHA1
03ccfc0ccb7d94c41c64018c11642697d0d50ba6

SHA256
5ce93d74262058527b08e129d7f2ddcb1fa22252dd177c853080359663a7c5c4

SHA512
f89467de4643d0965439458c27dd43ceb53bb010fa86a4025f047610decbd4979d66df17c20f59f0d32534c1eb8a21090c7c8b7905299642bc0250b91838ac31

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
3d05d57e193c656b0694746e8370a3ba

SHA1
adfc16e0ff42aa7db6005c526a1d94830d796320

SHA256
8bc241c5f6fd8a6dc252f1891dd004bf9a30a552171795846ae59b5dd30b8756

SHA512
6f54bb9d065462f671c5fb0587d04bd84e5a24e63f78ecbb3c66b51c777cabddb7f80da9a62085ecf1c14c3a4cc311dbf0c5b5ffc7f9f9f17968c44b5b45387c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
ce9f912c5eae55e74d40244a0e2a3347

SHA1
d62f696e443f74d1933391fbdd253c5366b6d6e8

SHA256
6f6b51c19964fdf2bad4b47344a9a13ec42ee43c00f75f0beca74306629b7542

SHA512
b25e8fbd6e24994449ced7905fd43de14d98b30ce23f6ae417ed2d5da3c2946535031f89afb8460a954837a8a2cd7ca5758715adef1dd668068dd425ee414d1a

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
ab8255250689171761c5bb70ac51ac62

SHA1
927c16414e0b3c4b6514f4e02a4b428935f1569e

SHA256
96feef7248834c17373626c07f13453520b8197bb78319fa6f39ab45c69936eb

SHA512
51504ac538b712b42f68e080815683d46cbb6924a2a2498502ebba7ab0973769c25da3c784d7959620ef8ca1ed2f1d8328fdcf3a7bf4666440d2cfb1b653cbde

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
9d7eacafa5e70a71bca9fdd0bcc1c6d3

SHA1
4cff79ec4b371a5fb2bd59a023f43939ad0574f9

SHA256
815a40177b12e9d3747b7a5801070a693b8469023f53fbb2fa092c46d3e4de14

SHA512
f622aa65bb5a6b3beca21f148f193d8019972c908ae01cb8d7438a4e97e7d60186f5b15feb1754c9fe9c11106846a28bbb47b726234f894bd06c0b5be2cb5578

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
fb121bffde666edda9058417957e7d86

SHA1
7f6223c9a245ec08d4f0fb6859530002ce2f3acc

SHA256
29335d3c9f3a30a9de471291dcb4311ee73b092e2a538fa2e6f463e67edc04f5

SHA512
45d0fa22d9bb7f8b9aa380dff9e1d52973cd1ed0f267df2fe6ca916c9e1cbb2c2d4232c010c650f0cfd396fd78c56dd37d7de22dfd5a3dd8740b1d24f7716337

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
5c5b9fce4c86489b63ae9e03baece3f3

SHA1
b3fd155d9d72f47e2ea935ff3b41716f23fa52d1

SHA256
daa15fdb9e0e7cc23067e0af2ddaa512ba593c0b076890341bcc01b35b556d4f

SHA512
c501760ea66653aad24c9478a5294e0f5ccb095c387447dc15c4a462e19d859d150541e7386f74ba31f6e206693eca4e56b121b00bc381e5fb086c7ddc203fb6

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
1a6df3ece8545336a7de204bee14afd5

SHA1
2387761f8ee89f8e4b46ee6cca504ea94816e1f9

SHA256
59a1c3a0399573de8100e85bb2104ce5873cb99466bfc7e50483ed33df0c7227

SHA512
44e0976ae8b3e5328e4ebb22028b05a90a0778dd6b7bcc7e97cffe6ef9ee86e406dcdefc1aadd3f9d6aeddb3d522c7a33b5bc15ccdad81ab95c344c3094c2453

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
2aa0fc07273361e09b44ca04d3a1ee9a

SHA1
a1349c090f8786e39ff9842c3fc2a7089ba62399

SHA256
eb37294d4a3688ddb02b9e6c27a6b7faa943a0a6823dc8d22ab87437303df551

SHA512
19759c44181bab511b03570f1b8fd513575c35be7b07dbae5bcce097e03bdaa2936882cff1a9e79842a5c39fd720acce4ce9ade4301caae5c596366c9f798133

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
9ad511209cd3960bca880e19ac0e856f

SHA1
a7b577675bef742f56222380bcaa7fa3191cf64f

SHA256
4345a30520b2466363081ef324ca36d69cc606d83b9fae9a14a37b0e5c271a1b

SHA512
a76aff0b957c6e63abc8dcfadd77f2bd1f5d5ab49a9c4c75915a096eb9f9c42805a1780d68e0e5bb9783a3bea53a65732ed465f11bad4fd336a3d25d11e9b2b6

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
d7584c4a2a2ddbfd2b90da53cadbbe96

SHA1
dd67bdfb867dad1224c147749d624747ffe2a984

SHA256
626c7ff0cdf5d1876dcef979af4445f7ea4d1078ec0019e21d27687179df1e5c

SHA512
aff4e0378419fe0c5f7aa8fb4f0b5d6ca924a9ca5171eaaced2802de56eefe33ffcabc09a2a71c4c7d62d70b4efe575c7efe7c93a9f39aff9be530e44584cfad

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
386089ac3d4f4feaf395aa3297d53eb8

SHA1
373ca647248eb837cae87cfc47585f8c806725cf

SHA256
478b74547fee6d30e702c9d9c275b44a8c66ae3235f8db2deaa164c811e6ddcd

SHA512
ced6a6c47b4b5eceb6251e30a4daa1f12de7dc63c526c001b66e31679b976d5b54fdfb208e72c903bd9bf569eae398b6d69ded07e2a0ec9d3ec8e193e753c62d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
eb578d857f4b3a304b4282ab4b7d3fd8

SHA1
e9d5438c553c54afa4a0d86b2fbd4045eb607b8c

SHA256
01c9928dd29000f6fb2693b772bb07267e28bc6fcd3033da0da6ba127f4b76f4

SHA512
ffb53cf06c9b2516938908be999f1034b5f47f07782ab93046cc5520aa6ea9482da366877add9b5ebc194307027ca21630f52389acf98885f31ad59b414daf5d

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
c3a1d41e7d650b47cdb11756b3d6b1bb

SHA1
543db1ea3e5b42f8e5cbcd39f3b03719acc51cfa

SHA256
58060017a0682e1982d576d260c96e47145396ad7a945c2f8bc75a11329c81ea

SHA512
5264ee38898c29d19f3400a346792f0f883c858c93fe2f42e571ae801d04f57298348864c31fdfe04234bd282be23ef995531f653eb597ede45d76aeef6e42fe

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
8323eb783d4b3475bc1107f7b22fe30a

SHA1
8b61ba2d4ceddcce64913e45b0b3aaedba641153

SHA256
b04e4a8229ad76f418899a184586a34f1da04653efdd8f0386b76fe7282bd7c4

SHA512
a6e5fa59549dd9f848741b7c5e0e99e3efd1ac639e61a1a430fe7a62e6f13bf625fc22d619b29e9319f0bddd46eda6bd61057d4afcde7c846a72bf6e4ef79972

Download Submit
\??\pipe\crashpad_816_YAMHURAPESYSDWFL
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/448-276-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1044-273-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1064-209-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1632-278-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2076-600-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2076-275-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2312-9-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2312-7-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2312-6-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2312-22-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2312-0-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2312-25-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3044-72-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/3044-53-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/3044-59-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/3044-74-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3076-20-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3076-624-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3076-18-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/3076-12-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/3272-284-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3648-446-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3648-69-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3648-269-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3716-270-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3816-98-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3816-86-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/3852-274-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3884-283-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3912-285-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3912-635-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4316-43-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4316-267-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4316-49-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4348-636-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4348-286-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4540-82-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4540-76-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4540-268-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4540-634-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4544-277-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4620-266-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4620-33-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4620-39-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4760-281-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4796-272-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4852-271-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4908-282-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5228-546-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5228-637-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5628-558-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5628-580-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5740-568-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5740-708-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6120-592-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6120-523-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download