381c073aebea68fb91fa9b8d1c9c79a06d77860c6b5cfe7ae7791837e7401575

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
Size

5.5MB
MD5

7ad7425a3fa2bee69549c16fa53e33e5
SHA1

faed5f15ea34534162f5795186955d22b7d4bf3f
SHA256

381c073aebea68fb91fa9b8d1c9c79a06d77860c6b5cfe7ae7791837e7401575
SHA512

4192d66b3e71624d523d5d120ea40e12252dc1ff46a6e007ba13fd0c4cd5a676485b0a66aff70f3120671c9d15bd0e88b09d8fe513e1a5ca833ad0f8fce8ea85
SSDEEP

49152:4EFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1tn9tJEUxDG0BYYrLA50IHLGfQ:WAI5pAdV/n9tbnR1VgBVm+QWdO

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
3320	alg.exe
3200	DiagnosticsHub.StandardCollector.Service.exe
5084	fxssvc.exe
5088	elevation_service.exe
2852	elevation_service.exe
3768	maintenanceservice.exe
1176	msdtc.exe
1568	OSE.EXE
4440	PerceptionSimulationService.exe
2808	perfhost.exe
4692	locator.exe
1172	SensorDataService.exe
1644	snmptrap.exe
2992	spectrum.exe
4116	ssh-agent.exe
3680	TieringEngineService.exe
4804	AgentService.exe
4800	vds.exe
224	vssvc.exe
3180	wbengine.exe
1120	WmiApSrv.exe
2164	SearchIndexer.exe
5936	chrmstp.exe
6056	chrmstp.exe
5256	chrmstp.exe
5316	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d559af5a1ed82f9f.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\javaw.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\java.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\javaws.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe

Drops file in Windows directory 2 IoCs

Processes:

2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exechrome.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005c16282e0daeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000081f7662d0daeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d959692d0daeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a824982e0daeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009e61742e0daeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d903b8250daeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009c8ce0250daeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005c16282e0daeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001eb8c82d0daeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

2968 chrome.exe
2968 chrome.exe
700 chrome.exe
700 chrome.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

2968 chrome.exe
2968 chrome.exe
2968 chrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

pid	process
2968	chrome.exe
2968	chrome.exe
700	chrome.exe
700	chrome.exe

pid	process
656
656

pid	process
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exechrome.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3620	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
Token: SeTakeOwnershipPrivilege	3408	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
Token: SeAuditPrivilege	5084	fxssvc.exe
Token: SeRestorePrivilege	3680	TieringEngineService.exe
Token: SeManageVolumePrivilege	3680	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4804	AgentService.exe
Token: SeBackupPrivilege	224	vssvc.exe
Token: SeRestorePrivilege	224	vssvc.exe
Token: SeAuditPrivilege	224	vssvc.exe
Token: SeBackupPrivilege	3180	wbengine.exe
Token: SeRestorePrivilege	3180	wbengine.exe
Token: SeSecurityPrivilege	3180	wbengine.exe
Token: 33	2164	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

2968 chrome.exe
2968 chrome.exe
2968 chrome.exe
5256 chrmstp.exe

pid	process
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
5256	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exechrome.exe

description	pid	process	target process
PID 3620 wrote to memory of 3408	3620	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
PID 3620 wrote to memory of 3408	3620	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
PID 3620 wrote to memory of 2968	3620	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe	chrome.exe
PID 3620 wrote to memory of 2968	3620	2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe	chrome.exe
PID 2968 wrote to memory of 4668	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 4668	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3912	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3912	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3912	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3912	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3912	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3912	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3912	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3912	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3912	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3912	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3912	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3912	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3912	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3912	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3912	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3912	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3912	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3912	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3912	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3912	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3912	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3912	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3912	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3912	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3912	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3912	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3912	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3912	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3912	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3912	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3912	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3056	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3056	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 4908	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 4908	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 4908	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 4908	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 4908	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 4908	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 4908	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 4908	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 4908	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 4908	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 4908	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 4908	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 4908	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 4908	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 4908	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 4908	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 4908	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 4908	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 4908	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 4908	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 4908	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 4908	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 4908	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 4908	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 4908	2968	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3620

C:\Users\Admin\AppData\Local\Temp\2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_7ad7425a3fa2bee69549c16fa53e33e5_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcab50ab58,0x7ffcab50ab68,0x7ffcab50ab78
3⤵
PID:4668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1804 --field-trial-handle=1908,i,645963186184425449,10393705235869425733,131072 /prefetch:2
3⤵
PID:3912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1908,i,645963186184425449,10393705235869425733,131072 /prefetch:8
3⤵
PID:3056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2200 --field-trial-handle=1908,i,645963186184425449,10393705235869425733,131072 /prefetch:8
3⤵
PID:4908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1908,i,645963186184425449,10393705235869425733,131072 /prefetch:1
3⤵
PID:2252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3048 --field-trial-handle=1908,i,645963186184425449,10393705235869425733,131072 /prefetch:1
3⤵
PID:4960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4256 --field-trial-handle=1908,i,645963186184425449,10393705235869425733,131072 /prefetch:1
3⤵
PID:3060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4376 --field-trial-handle=1908,i,645963186184425449,10393705235869425733,131072 /prefetch:8
3⤵
PID:5088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4564 --field-trial-handle=1908,i,645963186184425449,10393705235869425733,131072 /prefetch:8
3⤵
PID:3508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4460 --field-trial-handle=1908,i,645963186184425449,10393705235869425733,131072 /prefetch:8
3⤵
PID:5716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4588 --field-trial-handle=1908,i,645963186184425449,10393705235869425733,131072 /prefetch:8
3⤵
PID:5788

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:5936

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
4⤵
- Executes dropped EXE
PID:6056

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5256

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
5⤵
- Executes dropped EXE
PID:5316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4984 --field-trial-handle=1908,i,645963186184425449,10393705235869425733,131072 /prefetch:8
3⤵
PID:6068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4140 --field-trial-handle=1908,i,645963186184425449,10393705235869425733,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:700

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3320

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3200

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4656

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5084

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5088

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2852

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3768

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1176

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1568

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4440

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2808

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4692

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1172

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1644

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2992

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2292

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3680

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4804

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4800

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:224

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3180

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1120

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5484

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:5584

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3508

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
dc953069e0e7f42ed80b77f83d82d50d

SHA1
8c4f6ede20f3af0024675f73d8daf028e8d032ea

SHA256
c0d99334077c6bb4d81348f39650586568f3119053dae38fa3df16832910f93a

SHA512
e590b10ed3d951840f368049afb126199d6929cadbd517b1c602ca44b35b61b5176a9620dd6ffc5443964a28f7357b00f3e6ca0fda106487e98fd8df9c8231e4

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
141e698e792f43bca96956ed314cf012

SHA1
f396f199a56ea7a6a647dabdddaaa32e4728727c

SHA256
00c1edf5de42230238d4bb538177575caf83090b8fd8faa6b5244b5e564178ce

SHA512
68627c863f00b3ab722d6d687262c07215c68b601ce7006e2eb7d625840929a5ad4263cd56777681dc16cbacffb3b648700e0adfe379bf4f21f1c9ad8a979603

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.4MB

MD5
5094c783b6de81280fee0782223d75d3

SHA1
59860aa6adc73acb0a254c9d41b95627f9944080

SHA256
e79bfa50a3f7ee27c82c04161f5e8a9508227c602fcc2ec5c99cfec4c561d6eb

SHA512
9ff8f9c55fce98316aa9c5c948d82a8723480717761e86a295b4aa63c1b9b9b7c1b635db8482ac2c327afa0100d69441cb9805e1b766c36d5c3808a3a8ae5ebc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
59f1c43847ff3a8be8923ec8665f2afe

SHA1
5c8399177c3122aa8b779c3faffa30b7b3f8b288

SHA256
db3e885c9f869e5cbfbd3ea83cf7f4fc5323471564eaa006373148f8b95f3d3d

SHA512
668edaec16b955b9583b667531445a0e6c5f26d697912b019ada13829d17b1b7c40e83e3e4790ffb62fecf9694fe32fa7c4e9bb6d81f7f15b71f19aa1ed3b675

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
7c178498ab8805bdc0c086af6ff194ea

SHA1
bcfb0422d94a374b24ed6d3544245813e64b0c16

SHA256
5e78f68c5eaec6ed7106561e9af4273503aec7d0c36581b82e3e809a32736938

SHA512
ac2badbaa135d9e4c181f0994ed0037a9da3a3a55c718c35d7fe5894ea588abac81d775924f9658ec88f5468004eb44c22b4f89f3ca6d5983c24f8fcb45c132d

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\8432dfbf-9cbd-48b1-a73b-51d49fe11c3c.tmp
Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
0cd429098412849541cb95afaf497de7

SHA1
34fcdc8c1708981ab8e69a9ccc50ab898d7f7df3

SHA256
d987cb1f82d1cfa20deebd5947b3ce1b9ae9ca25cb7df736727c507a3a17700a

SHA512
955809ff9150048d9b739222dfe4c1cc7b4f330cab2858b74ba1b8af8514f1d97268812c0ef81a3d926c9928fab845515a0fbd834a8dd1d0db39359001ce5f03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
d2c544d9fb2ea639bde8b1220077bc09

SHA1
8cb22f430df61b351eb75f37c434b78aaecbbeff

SHA256
48cbfd5a9c4c882ddb400dcf5142081ea06210ed6c66ca9e05c93fc4bd36c9c3

SHA512
f81f7e0baef2068e265915eb6c6daaa6c7e770088b91ab7f585d3f604fda3b7e90f99ff8e12d54be6a308aa110098946f62d9feb89c52ab4a6950efdbc70cda9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
e3454504892ef830aeb3242022b5e948

SHA1
7934144738252d88ad20ae59158f044d42cfa7a2

SHA256
97f38a214160c4d9348c838e063380685ff780f11f5f738b29455875aeaea8a2

SHA512
dca6c69a6a766fda7175c3258794d0504b08950155c2681f90d0e25b9d9f3a8cbfa24fdc6dd84536adf894f0093d31e0322697df22804af35482787f171fdd31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
6e5bbc60628d6fbaa3127eac1e9dfbb4

SHA1
9107d31a3a2e918ddace5d688ee93c71cd95baa0

SHA256
27b2bca5bc5d1fdf07f01c6a980c8b5e6bcb1c8806db9c97fe2064188a7d9cb8

SHA512
55e298034725f00addd91b7cff5625830caa646a07164bc65c6273abed1079c673a2466c05c734a8b39633b8584c4b6f6bc4d3410008f9783d33110110bc7efa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe577dea.TMP
Filesize
2KB

MD5
411ac782e18a3f8947b5bbdc13773829

SHA1
d9a709bb6b79ade9df4024e8fb6e36190070bc21

SHA256
0217b1195d87db614149675e331d00b581206641c58f6c7cd8cadb92e718f8cb

SHA512
03cff6f4f72f375b34a35df614de1c0837ec423b3b232e5b863a2d85ccb2f2bc025d1954ae0ba9d117930a84e7fd1b44bc82b488e5acd58370c36e9c24717d5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
24167d1e1d2ed1ddbb2cf05de3efb950

SHA1
1c498f3a133d4193b13c151e2b7de01e826649b1

SHA256
3f88b6da0466db00105f76ed0906cc9690fd274a406f2c9914378ceee6d5bf9e

SHA512
04b607db61358b0aed7215857fb9fafb7599af7c1efe85678ca66755c6dbe5aab79bb5ee4842c0636dcf2597578ef9109ceefd8f6af77e9a11f8ceb9821164fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
260KB

MD5
bb2ae59f21373dc3f601590ddd5eb056

SHA1
5eeed7ae89fc9aa2dd6b513ae1ccf937373e7606

SHA256
4845680646e1f811e7a4667e5eec948d7d2fab7d30873686cf64591de4a5d02a

SHA512
e04752a2b8a04052695df346ae2871d154effe87de39580cb2531098baad732df3a89f7937e811b42872847d080feaa4a12966462eeaf624cb8f2d8c263e2cac

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
7KB

MD5
fcd883dbf38afc8c94e08fdeb900af4b

SHA1
3d7ddb2155b7813d1f428193394aff2af2a6c6ab

SHA256
ab9d9aee97d061ba01ec3abf0c3e9f3081b5f56c8ff2b45a2ad1afcf0534eb5f

SHA512
99f4aca21af16c3cb157882dcea60a67c0ce9b00b801c226a989c04675345d21e2386926fca5ecee7971784aecc8b403c1eff093411013d110453928c01cb709

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
8KB

MD5
fcfd6697efaf9697594a2164ec61dcc8

SHA1
de7e38ef18d24e8a954f8be61b2e046db95c5226

SHA256
a28f096f7e7b3b4616acf076b4241a88e8ca8adf261ee87f3978fdfab11dbe4c

SHA512
b98e676bef259ca2b9308bbb93dcca0dbd6d0477c65f876319da2c0d0ecfb3e9965273bbbdf967974dbbc9ae45fbe9f1dfa6148658019d59f29970365322222b

Download Submit
C:\Users\Admin\AppData\Roaming\d559af5a1ed82f9f.bin
Filesize
12KB

MD5
a2dda64b242e5cd1d454567d4ac94187

SHA1
40850592c5f922560a29ab7eb54165c340fd88aa

SHA256
12086302fe698486630d0724f7554a97d52f300a57da53e9fa0ed5ef1c1bdb22

SHA512
8cd031b5067fea7057537735324828835a58d390841cb0a74f89c0ebc3535666b61f81226eee959714c80afc01ab4b7e05e0b78a99b00cade0f75cfdedf2f679

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
bea9df9bebfe8f01489deb6c86ece8b9

SHA1
28d53090663a77bb66f0517a3b577fc5efcd2f51

SHA256
ab2d1987428a5499e39365869245b4eae110d243bfb24c5e9fcc43f8bf4e2a55

SHA512
f87d6e1ff33fb76f1362c3c14aa6f0ab27267bc50fe79f5a53b359262885e7b06e8fd002694aed9894c15700dba8708d1d4bb01b1f79eb8025cc47cfdb33a2d2

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
3e341f725d3d0dfd8230e67c27c2f445

SHA1
e3472cd2db91108390939b9f0704bd79db7028db

SHA256
236f42cb8902730d999944c89952f1706060f90095285d27534260fc8beea10d

SHA512
8c4ffcbaa4ce5234b70a7045c7e15c7f1dab8040fb7e0f5ee3b0ae99879c1cd4ce2e295367c019e1cacf0151a8268adb9156f10816751742516a2e7c9d3595a8

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.2MB

MD5
86d01dd4209a78debddddc0264123aa8

SHA1
860b75db78530d518c4f99c60aaf0dd6fc9f9a6f

SHA256
804b356ec8eb4ebd575958bf9c5d1e3dc1453606692557b5cdb17a1054d517b2

SHA512
497b9d4970ceb5c20016d32fb6b18a6a881657f624029db39ff3e09f90db47b731a3b349bf2002e037070e8979f982b933ebf88fd4d422474908fda366f132ba

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
72e219441008817d827b68d9b767b277

SHA1
e4f1e2a9fb654eb236ba9d930dd1ecd97bf9f103

SHA256
b80e924f4304ec130fddce587dab0a264069c09b66be31d55cbdb70f46cafd76

SHA512
355cbb46eb66508e18f21d37d23de0d0bf54b6aa380df2b17b78069c0394d4f582a0c0a3b2c5d558c5b88c58525c475a621bc95dbe26d6650e7cdb5710e39119

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.1MB

MD5
f8dd366f565d9353eeb469a5e23efae2

SHA1
61b2df730ef313db69d550be6184d32ca008975e

SHA256
8d088925d663849e22b35601b2725bf417e1ddba7da5094552131a16822e86ea

SHA512
e87e57ae59cf36456406b19022bddda69c223e505ce8ed9a11689887f5ec7d7d107e4a7f2a8afbdf5d089e81544e5fc7278f7f7842304b8636d35530f524fad8

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.5MB

MD5
6ba72296fdff9e0cf39507bcb9868b2a

SHA1
f877832fb8bc9a781eb0a1138c94b347b48ccf62

SHA256
bc9abdd3ff7a6e82f3dda5a887dff6644c72129b8f6f1c775398080e669ba5a0

SHA512
bb23e6e698239043ad8dee98acb112b30dbfa9ce58c72bd4e3f1a9137c4a49a0060e3bbfdbf539a6d5e3b60242e565688473c2cebbaa57a1b6f9cb4d48d6eff9

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.2MB

MD5
63b3e8be0ebad181bbdeba18ba98ef27

SHA1
e0d878673828796dbd8ab422feff0fb5b9ae007d

SHA256
1410c0fe74212e8c5b80d4492d21753deb86c4905935fedfe018abc03edee023

SHA512
f895f076c4a52861cd99a2616127cba4e2792c135704902dc1b721335ccd15d5535c2175bfc6535772d253aaef637208772d74b96024d7ea2c8339cd26316d73

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
f49c7862051f106395139f167ebe0e44

SHA1
3c2c9baa130ddcc4af4cd8a6da97d0fcb4530339

SHA256
0f22412302af3b97e75c8bf3f3cb3507e769e940a753c8e89f9cbd8dbbdef092

SHA512
70cb1a18a0c288a239ed6ed1ec68230eb9475e0c1837a06c6cb99690351b7a3681aaf41cd4f1c19100d7db82f9af43ac1c2e58e5dd32504588ff7f5bb36ccfd8

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
b40d207f5d57bce5a89429c479834860

SHA1
72047693be8e7f26087c2e9d92c1b13f2a353191

SHA256
0a886677cb2f952278384c32eb829aa9b352428e4ca59a6aa0545871f3c1eeb3

SHA512
09565f2c50fee36cd43d6aebec8a8696aae5b603d9bd35a584805f08fb79ad7ee87cf108a9e8f83ff87f50a3db95ebb6a0ffd8c81c1d4c9bd70d464dc68e3628

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
1c4ecb9417dca269a5675f550e2455ee

SHA1
c11a6bdae24e2a6593769e8b43c1452b1addcc38

SHA256
3b7dac6636676c0bc00ceb1d3361cf41d6686d7d6216a7ebc389bd7b4ba907df

SHA512
d918c063e3d504913e881a19e1519ec05706394ee5c3c9757451fb6cdfe7bbedd0dc9acb508a93a374f9db48b4fb883b44bf133a8e885685e8f3cedd89466bd2

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.4MB

MD5
94069d98c9caa1c3d71760cda0c15327

SHA1
0504288fef8487b783e5ade28848cebe78bde5a6

SHA256
c95c70e1bd4ba06c6127b13d3008968169cf090d934b1e4694632bd2585e341a

SHA512
5ec75fe8254c3d74c2b348f6097d7c0cc2f6579d19dc758a8b03716568b70b5f7d84baf8eafe5743484f1115a9da1fef7c7f2cd6f8b17c1c288eaf4e9e9af510

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
843be07e8939f2948cfaac3c38237c5b

SHA1
bfa87524a93b2ed7f3d826af753e54894212f942

SHA256
c24efedf58d4687b6244c6d15bc04d62de5161a009ec5a0f4a11f3c0e3264523

SHA512
da1ce02389affb6e75dc8b8a847016e4161a537dc40b742eb5c51ff8a4bafcf27350492aa2587d88ce463157b04fd4b0358290bf89903977a3aad1affbbd2c86

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.2MB

MD5
de022928ba75fe4dac28aa26c1c6240f

SHA1
75ce005eaff59cfa9dcc4e45a6869893cbe068e3

SHA256
93eb5d03b387cc507b13620e977c099cb5cecf4681fe1d4f30498ea5ae978564

SHA512
06fb175c2e0b95cacc94afc45c4179b4a88b16b0ffe1da63abf053f4fecfdd030fc9e41d32b0e46134faf48daddf36c93c85518f994fc2f5089b6a4164b47882

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.3MB

MD5
8cb99035c56d10370efe92caa4c41c61

SHA1
77ba5e513dd053ecc235d5fec67e47aec780b945

SHA256
2f19a50fddacc7f42b2e805a7a81b21d20d82b4c5db4664555eb4d0890e0c977

SHA512
82778d8728d9714e801dbe02f23400649ee1ae0970484fe8fb03d857ee33aea8e8a832d621feb3861074f4b83494da959f0ff161fcd298aefba8ac38a277ffd1

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.1MB

MD5
4a7f36ee090ab94654f07aca0420b75e

SHA1
cb07d87d4ebe49770ac7daf4231e830edff741ef

SHA256
070212e7fd75cd374b1ccd72a8dcb94b6ff2a4c4b5fda47eb2a3bb8f4b1d9f71

SHA512
7b61c618be8ac764088da99e88c1998567b8dfe9277335c8c356de5adc591750c9dc5e7aa5c4bb4d2f78df18c37a69ec3795f8b7999f9a8728a6c0db8206c544

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
58507f4539943d04c40f4cdc16677d3b

SHA1
c33362d9f164226d8dcd4afb476133bfc95b08dc

SHA256
d015aa62070d054b25331e2abbd10da33788b66999f8aadd70fff30973c5bb77

SHA512
f7962471ef00f9e3b1ba8e6950fa17bdd9e8002b053e30a8cff03f17c4c5a86dbe927574e311bc07af5b4869773f223a98d6e8bb023df3f82b19d1fee70f99ed

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.3MB

MD5
de68204023f4a4da3ab1b27683feefa5

SHA1
3b532fb8fb51f452379c1aae91f7f033d9d45925

SHA256
61f9bf39c89fa5c91cdcdf34978d4034611863f5303a3b88a32adb05270a9372

SHA512
0657972dbd07b4069bc6bcae3aaff3249d29e773480bc02ccd9d9abb2fe4517cf917f2816ae0182757ec243af2a3823ff45579a67127aa7143cb9ded06c4faa8

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
a55e25a68ff37778a65713383d416d43

SHA1
fa96306745d569f1d06a17a48bd40ac351a8a4ce

SHA256
a2e10729499d8489b7f0dbcc56753a64743be41b4933a9d55d56ce064b2d3fed

SHA512
3535422dc4290fd7f2fb208d3899fed827bc2263664b9740b08d7d4fb6d6b9283244072d59105c197c8bf7fbe04b72df9e5db274bdf8a03d7ce2dd3ceafbe17f

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
4d858969f9b63ec4e90b337affb40980

SHA1
c5f517b47ddc66cf8fe32495fe14e425f905c252

SHA256
d228412aca7296096c2db6c01dfe1e83ca0db6a7fc2512468473c94bbc3e50f9

SHA512
df058b39862395921f86ab56ac87eec0ed1adb201b988f3bae0fb037e14a1c33d842b7fac2354f0daabe15cf41c5b6757ed9971dc8237e7a5e9377314c6b972f

Download Submit
\??\pipe\crashpad_2968_TNTKDXNMXETTLCHF
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/224-221-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1120-226-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1120-544-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1172-213-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1172-475-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1176-207-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/1568-208-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/1568-93-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/1568-87-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/1644-214-0x0000000140000000-0x000000014012A000-memory.dmp

Filesize
1.2MB

Download
memory/2164-230-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2164-545-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2808-211-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/2852-66-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2852-543-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2852-60-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2852-205-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2992-216-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3180-225-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3200-40-0x0000000140000000-0x000000014013D000-memory.dmp

Filesize
1.2MB

Download
memory/3200-41-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3200-32-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3320-26-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3320-540-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3408-16-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3408-10-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3408-20-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3408-524-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3620-6-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/3620-18-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3620-21-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/3620-0-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/3620-25-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3680-218-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3768-82-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/3768-79-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3768-76-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3768-70-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4116-217-0x0000000140000000-0x0000000140196000-memory.dmp

Filesize
1.6MB

Download
memory/4440-100-0x0000000000B70000-0x0000000000BD0000-memory.dmp

Filesize
384KB

Download
memory/4440-210-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/4692-212-0x0000000140000000-0x0000000140129000-memory.dmp

Filesize
1.2MB

Download
memory/4800-220-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4804-150-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5084-58-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5088-350-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5088-206-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5088-49-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/5088-55-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/5256-466-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5256-480-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5316-470-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5316-643-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5936-425-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5936-491-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6056-439-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6056-642-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download