59270302defa09612f38b6fb40736a592af39d0b6454ab0735e1f3a1476a0edf

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 18:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
Size

5.5MB
MD5

bdd360b7202dd6cfd047c3c525c11a18
SHA1

d1b35f941ae9926163666847e169be5295837a0e
SHA256

59270302defa09612f38b6fb40736a592af39d0b6454ab0735e1f3a1476a0edf
SHA512

7a1a93947c20da22e994f0faab075d072f247cd81e399de3bacd22ccd4e43cf0d06c2f82d2cde4173b9d6a96db97d3d598eef6c71aae18ad5fc6dc6379053221
SSDEEP

49152:4EFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1bn9tJEUxDG0BYYrLA50IHLGfq:WAI5pAdV9n9tbnR1VgBVm4t2sEE5

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
2776	alg.exe
4812	DiagnosticsHub.StandardCollector.Service.exe
2084	fxssvc.exe
2664	elevation_service.exe
4464	elevation_service.exe
836	maintenanceservice.exe
4792	msdtc.exe
4820	OSE.EXE
1508	PerceptionSimulationService.exe
1800	perfhost.exe
1872	locator.exe
4340	SensorDataService.exe
464	snmptrap.exe
4656	spectrum.exe
4928	ssh-agent.exe
2296	TieringEngineService.exe
1480	AgentService.exe
4556	vds.exe
2456	vssvc.exe
3972	wbengine.exe
3200	WmiApSrv.exe
4796	SearchIndexer.exe
6040	chrmstp.exe
744	chrmstp.exe
5320	chrmstp.exe
5480	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ae994804b4b1389a.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe

description	ioc	process
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99718\java.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe

Drops file in Windows directory 2 IoCs

Processes:

2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchIndexer.exeSearchFilterHost.exefxssvc.exechrome.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bd4ede9604aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ce992a9704aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133610473500747536"	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007fecdb9604aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e17c4a9604aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a4de6b9604aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000efe3959704aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e2b3a29604aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

3472 chrome.exe
3472 chrome.exe
4568 chrome.exe
4568 chrome.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

652
652
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

3472 chrome.exe
3472 chrome.exe
3472 chrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

pid	process
3472	chrome.exe
3472	chrome.exe
4568	chrome.exe
4568	chrome.exe

pid	process
652
652

pid	process
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exechrome.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3360	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
Token: SeTakeOwnershipPrivilege	1900	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
Token: SeAuditPrivilege	2084	fxssvc.exe
Token: SeRestorePrivilege	2296	TieringEngineService.exe
Token: SeManageVolumePrivilege	2296	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1480	AgentService.exe
Token: SeBackupPrivilege	2456	vssvc.exe
Token: SeRestorePrivilege	2456	vssvc.exe
Token: SeAuditPrivilege	2456	vssvc.exe
Token: SeBackupPrivilege	3972	wbengine.exe
Token: SeRestorePrivilege	3972	wbengine.exe
Token: SeSecurityPrivilege	3972	wbengine.exe
Token: 33	4796	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

3472 chrome.exe
3472 chrome.exe
3472 chrome.exe
5320 chrmstp.exe

pid	process
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
5320	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exechrome.exe

description	pid	process	target process
PID 3360 wrote to memory of 1900	3360	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
PID 3360 wrote to memory of 1900	3360	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
PID 3360 wrote to memory of 3472	3360	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe	chrome.exe
PID 3360 wrote to memory of 3472	3360	2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe	chrome.exe
PID 3472 wrote to memory of 3392	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 3392	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 212	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 212	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 212	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 212	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 212	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 212	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 212	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 212	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 212	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 212	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 212	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 212	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 212	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 212	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 212	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 212	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 212	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 212	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 212	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 212	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 212	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 212	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 212	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 212	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 212	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 212	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 212	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 212	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 212	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 212	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 212	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 3560	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 3560	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 220	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 220	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 220	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 220	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 220	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 220	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 220	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 220	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 220	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 220	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 220	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 220	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 220	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 220	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 220	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 220	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 220	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 220	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 220	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 220	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 220	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 220	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 220	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 220	3472	chrome.exe	chrome.exe
PID 3472 wrote to memory of 220	3472	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3360

C:\Users\Admin\AppData\Local\Temp\2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_bdd360b7202dd6cfd047c3c525c11a18_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff824c3ab58,0x7ff824c3ab68,0x7ff824c3ab78
3⤵
PID:3392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1700 --field-trial-handle=1884,i,1322580248543876332,9580411914874839587,131072 /prefetch:2
3⤵
PID:212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1884,i,1322580248543876332,9580411914874839587,131072 /prefetch:8
3⤵
PID:3560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2156 --field-trial-handle=1884,i,1322580248543876332,9580411914874839587,131072 /prefetch:8
3⤵
PID:220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1884,i,1322580248543876332,9580411914874839587,131072 /prefetch:1
3⤵
PID:3520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3048 --field-trial-handle=1884,i,1322580248543876332,9580411914874839587,131072 /prefetch:1
3⤵
PID:836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4256 --field-trial-handle=1884,i,1322580248543876332,9580411914874839587,131072 /prefetch:1
3⤵
PID:5148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4356 --field-trial-handle=1884,i,1322580248543876332,9580411914874839587,131072 /prefetch:8
3⤵
PID:5264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4420 --field-trial-handle=1884,i,1322580248543876332,9580411914874839587,131072 /prefetch:8
3⤵
PID:5280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4684 --field-trial-handle=1884,i,1322580248543876332,9580411914874839587,131072 /prefetch:8
3⤵
PID:5896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4708 --field-trial-handle=1884,i,1322580248543876332,9580411914874839587,131072 /prefetch:8
3⤵
PID:5940

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:6040

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
4⤵
- Executes dropped EXE
PID:744

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5320

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
5⤵
- Executes dropped EXE
PID:5480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 --field-trial-handle=1884,i,1322580248543876332,9580411914874839587,131072 /prefetch:8
3⤵
PID:5364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2664 --field-trial-handle=1884,i,1322580248543876332,9580411914874839587,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4568

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2776

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4812

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:412

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2084

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2664

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4464

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:836

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4792

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4820

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1508

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1800

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1872

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4340

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:464

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4656

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2920

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2296

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4556

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3972

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3200

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4796

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:2980

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:3144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
472ae39b4cd198d17ee9fffe16a476b4

SHA1
63d65c0774d5f4e971b8b3dc13c04d6552affc30

SHA256
53d3389ca05426a5d327d66b23a9409c0312649df7fc97ac2deab8b1875d3aa6

SHA512
835b8a78325af54381bbfb8060429d03dddf91919b405ab1406042c9d5dbdeb9c558122c7005d104d2020142ca31ec774e8f80a13d990d7c64fcc514948b7c74

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.3MB

MD5
f9b56c13473c13424940f649322f5768

SHA1
7c1044d5a370370c8fe9c64eef93f93f2e47697d

SHA256
d044c7cab5329812e1ffd7fc2d22f18900dcc6069ec44b4050eb6d7a9db098d6

SHA512
74a55a310b87e709b1a190e89e78b0d26296d52265580a15fb2804b482a04d04d1d28694b65a2949c76aa3838f7471b6a1224b58278c8317eefeeaa55efafeb8

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.3MB

MD5
99eba0584b757c4c791679e15d9e5d36

SHA1
d6c2a8d296a346ca42c17ac1c638e9100f37580a

SHA256
8ca583753de40c9e67e181368df44b564c2d22eb5752824ba37d5c98f21d2054

SHA512
0bb10237edc1b6b07c06276ea1020e802dfe959b6692151b43c553550d7abf9478bdc630a23c07c73d1cf50f62f388a1e9254d96440f1ccab8566ffca5133d9d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
0ab2945895195684fa02da8bff4381c5

SHA1
c7b04f406c1a0c789aac46dba5c04ae62910ea6a

SHA256
84c3cee941ee6bd6fcaef8894cdfe8941491b8369c11b6fdda97baa409b1e33b

SHA512
fc45ef215a8c029cecce0a8e97154460f0df45f8d3af0ffe035ad3f5ac312ac967e9b59b2268c4a1ccef3b7e3093fa47a179996425839e0bd317d67236bf9fd4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
7423b5ea2f78b62933c1e2c016416aea

SHA1
d18254c694e5a5e44fad90f3b8b9cbdb7d7413ad

SHA256
799ca1a2d7d166eb3e4dfdae7e67dc403663eccea3b05bb00c1bf37bea905e5c

SHA512
24990b755e35000b17783b19ddbbe313d482c6a206d3d915b34d2dcb9b2f1b9cca1ed9f955d8a10968cf7818537ca5d1a2cdfd80ec92a50f82fa6d156d73a7d0

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\dfb97d0e-fde0-4b1d-9632-150b2428d77b.tmp
Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
2cd879c3b1b25f881f4b7ab71b67a095

SHA1
e8c477526bb5bdddd659fdd44606060d83e703ad

SHA256
d15ec0b42a1305238584533da0ddd5ec2959a76896cabc74599185af8af9e92a

SHA512
95c25065ecb23b375e233d554beb9c5fb61d877f6b5586155d5b5931d270cedfd4508a8fde3dfee5073af2215b256d7cffde9f77923d41909d4168d9bc61123a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0
Filesize
44KB

MD5
3db1a5e30c583f39992ce0976b067e43

SHA1
0edaeab452e4b959b0d770c222a130a82308c902

SHA256
13b01fc8967c0a797a2b0200eaebf73c12f1ae3feacb25493dbb33921f489a7b

SHA512
4b82f747348089d842e5adcfab52ee461ba41fe2d9a53ef100ff8cc0283829c0eb3bd6d145ce427a03663638261736be9c24de47f2e10e93d14d6eab07b869ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1
Filesize
264KB

MD5
bb316a499c8bafc9c0dd6a4675db8de4

SHA1
a3c746ed91335cb500fd2eb87eaf8dc86ad36bde

SHA256
8db1f07fe849ada06bac93f9033f22005171f7e3a6b7fdcadbe0fcae70186062

SHA512
ec68b89bb08b2a970165843292fa08730ab366f7df5086210339334a42353c2f0b238ddc9716b1b5d3fb5aed0dce4c86ea80daae81b7b661c48461fa16173052

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_3
Filesize
4.0MB

MD5
d42f1241a9e68b4cc772645ec454a479

SHA1
9cea187c6e6cf9116b25064a57e519df803cfdd8

SHA256
aa3765323eacae3fa2285757e183c31859810e8107aef028e740e88757472215

SHA512
91296894955b5d017b845dfc75bfa36f8071e622c9889a28ea89bb1cfdd0f4c35915c96ce35356f8efd52b92fa11bfd21183913f9c4edfccd5a19b3663c386da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005
Filesize
34KB

MD5
a5ba1111235e1b0947943be535d4e4e6

SHA1
f2df30bf8a25a21b7b2f61d7b5e902440ad1628b

SHA256
76108320ca4f96b7b02f5fed4b16687807f63d4d629d7988aa8f0ef75b13cb4e

SHA512
747a8e306d543b83b265585a2100ee50e846d633a31bee70fce894caea2d680e3c2577689a646070d2275ce8538bd692c0c00e7825c6834b27e3889a5f294365

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006
Filesize
59KB

MD5
7626aade5004330bfb65f1e1f790df0c

SHA1
97dca3e04f19cfe55b010c13f10a81ffe8b8374b

SHA256
cdeaef4fa58a99edcdd3c26ced28e6d512704d3a326a03a61d072d3a287fd60e

SHA512
f7b1b34430546788a7451e723a78186c4738b3906cb2bca2a6ae94b1a70f9f863b2bfa7947cc897dfb88b6a3fe98030aa58101f5f656812ff10837e7585e3f74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
be0ff0bcac22fe78e5c0ee7f1ff39ca2

SHA1
db103897635bde6d9d869252e4eec6902e45d346

SHA256
c809d501b3e2bccc09b2ca7e318ffc613d615e4126d29c92a4022eda70df47bb

SHA512
09856cf11309f8ffdb3f6043a21c547bce6b64952e1bc58f3290b285bc2388ed1ce253041fd511d77c24541626dc05023419ed555fa7a79fc8724f2e23485a6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
b14b0c8131f55feba5c6377a1dbdb9e9

SHA1
8d75f5c7857d079ad44bc7c469bb3f7c32087c86

SHA256
3936a3557ad713dec25318d59d91a0f950947be963d4c82e9ae23f4e5e1d62a9

SHA512
c60d1e42af8784cb770a3b0f979df37ace52e0a2cdc4ad5eb4674597580b6dc39d3cf59c36f1a614d549e77baf49388a6fe6abf083f0ac29d80bf20a2421627e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
4eca479fa60670ac1a62fc1d1521bf11

SHA1
61d66efdf73121796466b865bc3f492f890faec7

SHA256
44e7500cdadb27b21938dbce0793d7eb58b12b77830c828f5008cbad827ca181

SHA512
0cde179b66f097db3b690b1fe9a563939ed8c5c3806d2ecff8cb0bde6c35fe3c2928b72cbe1cd68224f84ce11da5396abe5b57fb827d8547e4995aa3d41bd2b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe578405.TMP
Filesize
2KB

MD5
1f497c78bb1cefe5fae1f2d3e5c467dc

SHA1
12ec3f79d43fc239252d3812f8f0c2edc492bc51

SHA256
e7fedf1f3f9f65c94434b56a0a6b0be4a9773cb80c1fe09b6391adaec9849dbc

SHA512
f7ce6b59abe22c099ba4ded438dae24ad228fad07f742fe053c580f2c052a91d5af99bc7616681f0f377f8b5bbbe7ae2defab99203bd1af816724a1e63b62e92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
ab7c6aff4fd795623907deb2d60ccfc9

SHA1
2ac69134b4c99459c3bf493794966c41a68032e3

SHA256
61cd091e2214027322d3977a555f65d28e0fc81db69f19124716036ab80b8df5

SHA512
e01d79c1dada9578fd1088e24b9a7a6b45b2828a857296a43069afb5e247df74e53ce20bfe6e7f2a71082b7f0c4e7cb373d245c392bd0c6ecd4e8104863e8728

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version
Filesize
14B

MD5
009b9a2ee7afbf6dd0b9617fc8f8ecba

SHA1
c97ed0652e731fc412e3b7bdfca2994b7cc206a7

SHA256
de607a2c68f52e15a104ead9ecbaa3e6862fdb11eac080e408ba4d69f1f7a915

SHA512
6161dd952ae140a8fb8aa5e33f06bc65fdc15ce3fbfe4c576dc2668c86bce4a1d5c1112caee014e5efa3698547faad3bc80ec253eedb43148e36e1a02ce89910

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
260KB

MD5
8e282c9c34be2c11eef6419846b83393

SHA1
b171dc47d5f785249bdcb195bdb1ee1688b55a99

SHA256
95b1142660fd2ea219c73bf5e7e02d011c0995a88afb037b5c020c17309713bf

SHA512
db2382b93149470ecbc8e0638d0519a0921b6ddcdcb0a38e3e99014206ec979f41c44f9cdf1392a6d386ecc2a555ec988dadb034ab56272562f33b313724aa0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations
Filesize
86B

MD5
961e3604f228b0d10541ebf921500c86

SHA1
6e00570d9f78d9cfebe67d4da5efe546543949a7

SHA256
f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed

SHA512
535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
7KB

MD5
6c042488a5d2901efd824cd0a0e557fb

SHA1
587470ca7809e5560117b1baea9b40e5c8745931

SHA256
70fb48f57b0a72603bfcef7c37592d731470c1b7e66b2963b31844a4e46836db

SHA512
8494764e845bc92b1b7d0c21530ff7a9a97faec7783f20519f2838fd68bb7ed49f7864d77071247a689e9b1daf3d5d9f234b248c425fe32b0b24929274593e16

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
8KB

MD5
125d06d34783894e64d9ae2f878312d2

SHA1
9305316054f1cd0e138672917b55bbcbf6a06153

SHA256
1aca78d1b14bffefb86b4f632cead8aa1c3bee066fbbb8b154b8168abee111a4

SHA512
e9386fc0cba528e4a30da773567b1372d4f2d2991fdf8505b9c4fcaf5fe9d444a58bbe4e418ead938f0225fa241e9fab41a208785597b392480e8d2004762f55

Download Submit
C:\Users\Admin\AppData\Roaming\ae994804b4b1389a.bin
Filesize
12KB

MD5
28447f53a0eb0576e0f9b1485b7efa6b

SHA1
00e63300546c263b52b92102ef8a20501359a008

SHA256
30681a0b8b8c8bc5f55e1321f8873d7902d7ef52970d1219d6dd47ad38682c3e

SHA512
89ab7121dc2cd4028337c732d434c4e791b8e177b14aa1d5ca9bac5b9eb8b7fb3ae3747900c84de93b313517dfa8fc48d5e40499ad02e13acaa202e0dd2f584e

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.1MB

MD5
0a66785ddc4a0a89d9b2b33ae99c9dbb

SHA1
456603b5800675b7b16627e34d321953f2b07a58

SHA256
e30b23a9cbf19d36fd46e7187060f362fd9e6dfaadebff6f3e04ced30f9c4315

SHA512
d0152839b2738bb96df9418f35cfad01d8da0004889a4b58b23727697ab3e72ceca4c75ce72d5b8722b023e8f752057533f6067a0d6c8dd4ed894d389caae1e2

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
bfbe5871ec77f2bcc3793aeee1e4b445

SHA1
25b8829a98b230e9c563a52bae339062302d3a85

SHA256
313e0da66f0d10bbad19c35e20759dab300330630a04cc5d6118ef40f54775db

SHA512
f1216ad21c626f22d9eded332ad51da7682b4c166d08f88dea7eae18db1062a43ebdd028f8b150f7bbcb494245f2e01b9944ef4a553ffd9c1ab40aeb649f939c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.2MB

MD5
c0e4b2c736e14e70bda9bcc6a2ff0563

SHA1
6b2fd812836808e363a64a2a1671d010e5368533

SHA256
9fc2b6a559c6e340b7ec0b11164b9bb17194e0690e0ed4c919d0c6d33adda083

SHA512
3a279b391fb2b0f9c88c7fdcaed502c3e46f36091d6ea49d7c622400d7d97d8546d92705c3f552fe8d9c2b08099c7c0d5d41813e40ed5fda6265187bfc4ea375

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
f8527e372f681068ff31198da021ea79

SHA1
b289e76560f2024bb1bdfa866376b161351e7b6e

SHA256
4996e27581917d480b21c2ab2472ff0373ffce995639192c739c81d456fb9526

SHA512
97d015aaaf363694129d4f8525775a28c3ee1959c03368bf1c09e428555af8b71d9d8e4b3992e35d3e0d3298153096394393e21915b293a2516fba958de1fce5

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.1MB

MD5
04eac6de7d3f4d073650f455f08d5807

SHA1
04ad53a46fa75f96dedc1781faa41cbe4ed7c811

SHA256
91ba1f58e5e4df1b816790ea04651f04ea49c2001fef47bd5cbc5889bcaffdab

SHA512
6c3eec4afb73b82a1c72ef7fa263f9574a943825902f3749dabef7b884093af44ac3508b94dc1774bd23386436b08ea03fc45a287e0e37876f26e85e40badd3e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.5MB

MD5
b333d8ec6663427eb8e8c6a25af2c5c0

SHA1
e110678bdcd88adae657928b4d3a5447956704de

SHA256
a0af261c36afed4d465da1b027481fd9fc6e57d46d13a7c80f69d2fc05e75413

SHA512
10214c154cb244b6a58f35992fd7c44f3f373b0ea0cc7036f4881fb4420e88d66386f7b5a88324f7e9e60700fd2822749e46f1362fcba8886036d7ab50a1c3e0

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.2MB

MD5
d3a1ab51063553ffce9a12661f933ab7

SHA1
fa7918ad6f2e5730b147896831c8e98862d6f097

SHA256
8549998a55af18023f13a3f7665766eb3a6fb95a2bcfde112bf32e182fa9e56b

SHA512
2291f421f28276bc979108857815cf772bf4aa47f42c2c1e763ff92922b2c3e3436f9dea006affe8610de7fee0ecf322a836a52750081c943e6db546fb3440ba

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
3fb540f3af5fce76899e972a0ec0be2b

SHA1
fca537ccbd5a79fe047532c4213cda22607b3e95

SHA256
1bea3588456abd5719421220eed017a7c2bb1efc946ee170dbd2f406b3a30d36

SHA512
d7b731b0b90108ba0430a06bed62dff90c2f12a4aa971fcacb5ffc62f97845885461841031a695e27be54eb5383b766351db6b0d0ec4418433b28b494da7b0f3

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
42e7e9b0eba11253ab87c37ed33f12af

SHA1
c15c752fc7aaf2f8423a98489b885870565203e2

SHA256
8b59951a79199669685e3ceb01f516d70f2ac2aee257fcf8879086e1392de1ee

SHA512
a6fbab5f80ba51eca9247c9fd5d9e8a680a5d9170fa62796b45e659b5ce9481a5c12b4f843eb7857f001c9dc9955c27a03db5b47b9c61770987fa77dd1703f67

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
e4b9260cc647def661cc09400a88cdca

SHA1
486206911a62b24fe7c555efa715cfd6c10fb9b4

SHA256
05866ca7387c1589b7cfe683ee4930884f0f320e4f52fa1bf14a9b76f3d959ef

SHA512
c2a127756ca0b8220ecbd64fb8995398d97027e8ea3b3773f1fc24ff9fc3c7a3140d6d818924f154c45ae134ddcf0e643f0db34f9bafee51235d93699ca415af

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.4MB

MD5
5e37321260580a9557070c77a20eed06

SHA1
a519078adc3736e473c4af2e7e252af95df5524a

SHA256
740dbeab35ccc49ecd7a45caa5bf7ca98b271bc8ded34317d941196b125eccf1

SHA512
84867bac3455da2aced8db310079b3229fd9f09ee36c18ecd6c1326b5e711193a30e44ae905b75e8e122b4bd299170c5fa9aea8d9f2ee2473da4efcc8ef1173d

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
7aeef4107fee691e54d67220cd6ff847

SHA1
0620b8ccd44e9d693878dfab38cfa5fd81f53875

SHA256
f92997adf2277f21b185a4404c03427104c99b2c70fd7ce66d349c0cf9b33777

SHA512
d124399bb19edf16b4cbfdd3661204cfb4ee9fc1b7b4b59f7ee81505f14eb11b1207d3fc753cac7f7c8032005903b175395e215bb4cf4c28b75d4448acfe56c0

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.2MB

MD5
6ebd640010bb685e6ec2184b5eb5a662

SHA1
7e5510af36d99297ec53dbb6d2e57a78db4ce96c

SHA256
3ac301aa3251bc82ac8bee2d6c19a290e66a6a37ad16afb9abcda0f5d1adfd1b

SHA512
56a7ef2153cb1b56a7dfe3cf5a7fd6c84e97f7d2275a3c96da905cc9bc1a994138861bb37d4ad4d859e80ac84c4b33d934ad1ce8f033439a56acf4d6a5c378dc

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.2MB

MD5
c40ca5debeb6ada72b736c704a2af5a0

SHA1
a7eba0b1a9f487849097cf38477301dbbf6e49cc

SHA256
5f7b5c93722d7afbb92eafe2398d55ec88c9323235bc338882fb57ba2b9b24f7

SHA512
eb2e1714a224f41993b7bab072d3011d783a6b0cc2995cd989473d7a1e081621ed31b5b1096550ae1abeffa327e9c010bf5f5684b0afc9403f62b418d75c25d4

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.1MB

MD5
364cdb130d9cd56cfb7e0cbb8ed5accf

SHA1
492c8988c9090086b9f2f05d18c13dc2c488d2c0

SHA256
fe3397b45ef0a5dcbff5c24f0e108f934b70e6441d88eac3a1023bfbefde2fe2

SHA512
3be570f81d1f0a26469479c17382056aaaad6b6c7e01430b4601c6bd185f574ac1eb35b120a6652be34bf9d9075b1f2709f2e6cb97434eeacde9c576b124a946

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
b52a11206da5338147ca9cbf04daaf7a

SHA1
533071a6768c02c33f45c59160252d99f7c8ee62

SHA256
b1d0c7c613ed6aa42b2c6e3c493c3e98f741c8537e52a8577d3b7f34ac99b685

SHA512
551681b2d3d56b5e65b72f196d6e631e07cc93da94d169a0f6c616f5cfbe03b26cf700310cce17e9ad9d9f1083668b0b3d41bb3711e9b87736f46d9a2e11eced

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.3MB

MD5
e3ab89bf8c8c3a808ee51fd6afeb9124

SHA1
943558f0086c656267eb4ca4fc2ad7f2b226df45

SHA256
53bc6292bde605ec4794a07b2901ba8ef7315ecc7f41629a21bc0a00875864cb

SHA512
68fb2b09bf21cd6b5d2f65936ff5ad35eb7fd848101a73c9e77acf4e0f2ad6bef6686a826795c0bd701b2753d92ae473d737e36781bab1d3b8a31c0a9eedbd94

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
be470f33365c57517105212dc5b3d727

SHA1
b9099bb4ffa0289bcc92710937a07f471bff51ac

SHA256
5fd4a4f9386208fdbf39970180792f57dfaad3b9c0a5f7a70b8f745c4ab77540

SHA512
fc56fe4fc85ca3f2bed424ecd9f72df93927a0ed4735e6c3f193f6bf0bc49b71960e98ce19dea93891403f1bc7090f6d80eb43562a30ee8ae19a713c4c8e7580

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
b2c359ffd4bf582baf62f6e8adf87a6e

SHA1
8e9a26cf9202a00b2f38b9cf92a2cc0fa2e76b79

SHA256
ee8fad0e09119ff89b6f13fc18df351e81b41199adfc10acbfeccbbb88e02a9d

SHA512
1b1cddd7353d0e9300f1c661feda7f8d1a71e6d90279cb72c3adb51a7bce9c64e2fc87777926db50a8d41cc945445821d1b3cc1628f7446a7c03e64bcf8aff92

Download Submit
\??\pipe\crashpad_3472_PNKJJDQRVBTGHKRC
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/464-369-0x0000000140000000-0x0000000140122000-memory.dmp

Filesize
1.1MB

Download
memory/744-550-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/744-734-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/836-89-0x0000000001AD0000-0x0000000001B30000-memory.dmp

Filesize
384KB

Download
memory/836-100-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1480-219-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1508-362-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1800-364-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/1872-366-0x0000000140000000-0x0000000140121000-memory.dmp

Filesize
1.1MB

Download
memory/1900-12-0x0000000002020000-0x0000000002080000-memory.dmp

Filesize
384KB

Download
memory/1900-21-0x0000000002020000-0x0000000002080000-memory.dmp

Filesize
384KB

Download
memory/1900-605-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1900-20-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2084-62-0x0000000000960000-0x00000000009C0000-memory.dmp

Filesize
384KB

Download
memory/2084-56-0x0000000000960000-0x00000000009C0000-memory.dmp

Filesize
384KB

Download
memory/2084-75-0x0000000000960000-0x00000000009C0000-memory.dmp

Filesize
384KB

Download
memory/2084-77-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2296-374-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/2456-380-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2664-356-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2664-497-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2664-66-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/2664-72-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/2776-634-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2776-41-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2776-40-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2776-28-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3200-387-0x0000000140000000-0x0000000140152000-memory.dmp

Filesize
1.3MB

Download
memory/3360-23-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/3360-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3360-9-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/3360-0-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/3360-39-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3972-381-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4340-565-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4340-368-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4464-351-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4464-85-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4464-79-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4464-635-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4556-379-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4656-371-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4792-357-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/4796-636-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4796-388-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4812-52-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4812-46-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4812-350-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4820-360-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/4928-372-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/5320-566-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5320-587-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5480-577-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5480-778-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6040-539-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6040-598-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download