8799fffb6f231cdf8b29b43c3bff267157c9002f665c75dbde3224b7c69052d0

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 20:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
Size

5.5MB
MD5

211d3315b946fb2ac5584b562ab99fc1
SHA1

b6ba30846506626925dd1df54556bb1fe7201d16
SHA256

8799fffb6f231cdf8b29b43c3bff267157c9002f665c75dbde3224b7c69052d0
SHA512

9f4a4cf2f80ab4925332bc46e38e69a18a2180f2364eeec0fb0b8fadf5fd52b7292ec65b84dcb8f85d4a91a5cbe55caebe3fa544c4d5ef6f7f5d87f54c7f89e2
SSDEEP

49152:AEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfX:OAI5pAdVJn9tbnR1VgBVmz3zlQpRQQY

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
4320	alg.exe
2028	DiagnosticsHub.StandardCollector.Service.exe
1636	fxssvc.exe
5112	elevation_service.exe
3048	elevation_service.exe
5016	maintenanceservice.exe
720	msdtc.exe
4916	OSE.EXE
4848	PerceptionSimulationService.exe
4108	perfhost.exe
4276	locator.exe
1480	SensorDataService.exe
3792	snmptrap.exe
3568	spectrum.exe
684	ssh-agent.exe
3304	TieringEngineService.exe
4184	AgentService.exe
4552	vds.exe
2368	vssvc.exe
868	wbengine.exe
4064	WmiApSrv.exe
1044	SearchIndexer.exe
5340	chrmstp.exe
5716	chrmstp.exe
5828	chrmstp.exe
5912	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 26 IoCs

Processes:

2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f1370e4dbb5459c0.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{3B9828FA-6A18-4F1B-A570-1997BB7D5CB0}\chrome_installer.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_97390\javaw.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe

Drops file in Windows directory 2 IoCs

Processes:

2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchFilterHost.exeSearchProtocolHost.exeSearchIndexer.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006d4ed71b1caeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000075b57c1b1caeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fece9a1c1caeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003f6b111b1caeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000db4fb81b1caeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000078206b1c1caeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005e2d541b1caeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

chrome.exechrome.exe

pid process

4692 chrome.exe
4692 chrome.exe
4692 chrome.exe
4692 chrome.exe
4692 chrome.exe
6108 chrome.exe
6108 chrome.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

4692 chrome.exe
4692 chrome.exe
4692 chrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

pid	process
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
6108	chrome.exe
6108	chrome.exe

pid	process
660
660

pid	process
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exechrome.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1376	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
Token: SeTakeOwnershipPrivilege	1448	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
Token: SeAuditPrivilege	1636	fxssvc.exe
Token: SeRestorePrivilege	3304	TieringEngineService.exe
Token: SeManageVolumePrivilege	3304	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4184	AgentService.exe
Token: SeBackupPrivilege	2368	vssvc.exe
Token: SeRestorePrivilege	2368	vssvc.exe
Token: SeAuditPrivilege	2368	vssvc.exe
Token: SeBackupPrivilege	868	wbengine.exe
Token: SeRestorePrivilege	868	wbengine.exe
Token: SeSecurityPrivilege	868	wbengine.exe
Token: 33	1044	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1044	SearchIndexer.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeTakeOwnershipPrivilege	1044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1044	SearchIndexer.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

4692 chrome.exe
4692 chrome.exe
4692 chrome.exe
5828 chrmstp.exe

pid	process
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
5828	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exechrome.exe

description	pid	process	target process
PID 1376 wrote to memory of 1448	1376	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
PID 1376 wrote to memory of 1448	1376	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
PID 1376 wrote to memory of 4692	1376	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe	chrome.exe
PID 1376 wrote to memory of 4692	1376	2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe	chrome.exe
PID 4692 wrote to memory of 3172	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 3172	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 3840	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 3840	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 3840	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 3840	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 3840	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 3840	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 3840	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 3840	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 3840	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 3840	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 3840	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 3840	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 3840	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 3840	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 3840	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 3840	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 3840	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 3840	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 3840	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 3840	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 3840	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 3840	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 3840	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 3840	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 3840	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 3840	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 3840	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 3840	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 3840	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 3840	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 3840	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 3504	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 3504	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 2596	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 2596	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 2596	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 2596	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 2596	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 2596	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 2596	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 2596	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 2596	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 2596	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 2596	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 2596	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 2596	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 2596	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 2596	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 2596	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 2596	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 2596	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 2596	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 2596	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 2596	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 2596	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 2596	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 2596	4692	chrome.exe	chrome.exe
PID 4692 wrote to memory of 2596	4692	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1376

C:\Users\Admin\AppData\Local\Temp\2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_211d3315b946fb2ac5584b562ab99fc1_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff85efdab58,0x7ff85efdab68,0x7ff85efdab78
3⤵
PID:3172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1932,i,1772836016888819493,6351371924341143446,131072 /prefetch:2
3⤵
PID:3840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1932,i,1772836016888819493,6351371924341143446,131072 /prefetch:8
3⤵
PID:3504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2168 --field-trial-handle=1932,i,1772836016888819493,6351371924341143446,131072 /prefetch:8
3⤵
PID:2596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3044 --field-trial-handle=1932,i,1772836016888819493,6351371924341143446,131072 /prefetch:1
3⤵
PID:3532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3052 --field-trial-handle=1932,i,1772836016888819493,6351371924341143446,131072 /prefetch:1
3⤵
PID:708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3596 --field-trial-handle=1932,i,1772836016888819493,6351371924341143446,131072 /prefetch:1
3⤵
PID:5372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4160 --field-trial-handle=1932,i,1772836016888819493,6351371924341143446,131072 /prefetch:8
3⤵
PID:5612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4612 --field-trial-handle=1932,i,1772836016888819493,6351371924341143446,131072 /prefetch:8
3⤵
PID:5636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4844 --field-trial-handle=1932,i,1772836016888819493,6351371924341143446,131072 /prefetch:8
3⤵
PID:6036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4596 --field-trial-handle=1932,i,1772836016888819493,6351371924341143446,131072 /prefetch:8
3⤵
PID:4616

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:5340

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
4⤵
- Executes dropped EXE
PID:5716

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5828

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
5⤵
- Executes dropped EXE
PID:5912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4568 --field-trial-handle=1932,i,1772836016888819493,6351371924341143446,131072 /prefetch:8
3⤵
PID:5556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4452 --field-trial-handle=1932,i,1772836016888819493,6351371924341143446,131072 /prefetch:8
3⤵
PID:5644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4568 --field-trial-handle=1932,i,1772836016888819493,6351371924341143446,131072 /prefetch:8
3⤵
PID:1108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4516 --field-trial-handle=1932,i,1772836016888819493,6351371924341143446,131072 /prefetch:8
3⤵
PID:904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1592 --field-trial-handle=1932,i,1772836016888819493,6351371924341143446,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:6108

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4320

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2028

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5032

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5112

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3048

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5016

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:720

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4916

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4848

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4108

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4276

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1480

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3792

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3568

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3524

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3304

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4184

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4552

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2368

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:868

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4064

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1044

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:6016

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:5344

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
e004a4d4b8cac6c29e9a812b904389cb

SHA1
aea1decdc1782dd330649629543943e001e2b4ff

SHA256
becb2252bf8ca718369b5f033c2efe717e45f128ca8119a0106714f389fc7ec6

SHA512
cb26e8421ba5888818c6cf8040752a0d91edeefbe2514db75b3220d9b17430d18b34801725fed5ea213c9958a78ba85b5c4feea8a9fee7ea9c79c977ea637bc8

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
dcbfe2c45979d6f39a7853f711a8df00

SHA1
8e4ada73b7e2cd698ee5bc60834429a6525d8ffb

SHA256
f4fee8343e64602979e87c0acf4bdfc1d1ce057f5a61c98ea8aff1a2c918c221

SHA512
042a33d325b26c72c9f4bd99cff4748925538de5309bfdcd08f92750a015816e70bfa78b53eabd638f40802443b3f3dcd2ea4642043a05c7a8271f13f3cd2130

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
245ce338502a9d238d396011a521786c

SHA1
e002ca7e32d53fdce7038baa840117ab9c1954db

SHA256
707cb9d49c148ea9e6fdfcce05d9e4216d9f7d9487db4a50df85fbc283476599

SHA512
509341afef6d80bb1a1e07a8914a4d3db249cd2594a633fef485bee012b299665e01061d3bef8163951aeb50faea64934f65d254d390021fdfd5c41c8478b8fc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
790aec911d803c5f187b2baa72342e43

SHA1
e2d37d9fdbe024844c2abd59c681dccb2ad63da1

SHA256
b945520535e38c6ccf7301902c603d46c6a0a92ee202999ebbd981811ae71ce1

SHA512
44a826a0421f9a8f7bb766ee9aaaece3afd0299a21c7219c35e2872a562b9860d0bb1c589711a78ea34490f414ef0aca1be5402a623e2986176b09d8714c04ad

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
d9e1c77a5412faf6bc9eb9c4d6e1a2f7

SHA1
f154c535a0082518978ef7855c1f450b6784b4e7

SHA256
f705069f2a75e903be356e74a3e707f10817970bf83a3cab792881c8bf5f26b7

SHA512
578d04fd723292fae4a91e5935a40147149016f276bdadf85debeed7e207cb34c9108444761ad5551661e568a52448d81b5cc2a3543505d4255a0915d48474e9

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\4785713f-5f0c-4a45-862e-795109f122d7.tmp
Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
772424160a740ab46f10d75ee3f72e87

SHA1
ce1d08ca4145f6a14ce3727642af5a997f73d1e5

SHA256
00ee43ab7fd127a5e0b86cb4db053f67544834eac165db5b54f4b1d406952b84

SHA512
920600c6e67f96b735a40de5e0c4bc1c585f49dc7e92bb07295bc0fed6b1ec3814f5813690d169d574b7184a6cad67cbf97718c224b0cd95cf7df239ab536d88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
dc26c8ceb2b94844c839ac4dd41b5c95

SHA1
a1354fb26dee5e1ede4c5019a153978dea167834

SHA256
4d602554621fe57aa1b9eb719e351581b40fd7344483b7002dd8acb6fa72b144

SHA512
9f03b668f3cdb034b33202d2a11e4d2c7e70d30b6b61f72154ac4435c43e48ed1ffebd0c3544cb228dd846827b10543c8d6e6bddd6cd58fc31e083f92333bdce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
354B

MD5
20aed52b4764eb33b992561f61ab93d5

SHA1
9c8d438dc6e1f6fb3727a603b1e30c316cee1c3f

SHA256
4a6928974270ff73d2187d6a45ac72bc6452afc40d9463a06844eb6c8d61f126

SHA512
30950740a963b045354fa880e441268fd36dff1aad3153b8e9d80244fb2d878f09f07b2302a94e0610ac75541f16480cd9800d3b77b2de79bd46883c0a6aa699

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
30230f8318b3264142315c7e253af648

SHA1
9e50a32bab5ff50c9c5e92ea63e89dff91d12911

SHA256
1f493e56c4b58c11e8c12c4d2c652801ded43d68e6a0fa11263d1e35c02cf21a

SHA512
2aabdc130e3a15ff4345fb8f1f12b5f8e0ec86d4bc7f81c93fd8e88ad7baa4832ce25ee26e3f526b9268f6058478b1664ef915ba46c15540aa387d47f7f36e76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe576801.TMP
Filesize
2KB

MD5
62ef0b2d931dee49ed513961ece66048

SHA1
75ab8dd2d029abdc0701a541bf3076082b6e0c26

SHA256
2363d110b62787968a21ae43497d60d50ad3e2a713303aa36834d810f996344a

SHA512
ab8379f396349faf8b51cd6ef4cb31c2d16da749b9902654227175423872fa6d81447d28926892602644a35b30f8bcb9412ee90b0eea93108cf6eb1b8dfbea94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
f22d7466448740818616d8088a97c9f9

SHA1
8243aa531d32f214dc22ab8ad1718532b5b450a3

SHA256
360018d99929b1e2f4c4bd1f1c1ca230b5e5133bae8b445d219a64142ce73039

SHA512
4eb341754ac983f830a2e5032e00a082797898d7e89d3c6ef9cdc4a4af71d618ea3eca2564f2a9bec00d312845aae3d52a21ea80bcbc3a6fe0352fdef0b533f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
131KB

MD5
b85935b073e0aa13a39122276efa3a1a

SHA1
44a008e4081424163c7bef0cc2952b650b147391

SHA256
f28bde8a264caa3d7ddc00400901a9a7c13802f9ed5e1afb49793ddc3620faaf

SHA512
75f5523f48a098e66aa0d4e1a476ccd1a72ac7cc19fefb0cd855ee1cde6725993e87d77fe3adfc3c823d0ced17725a5735085d7dcc106c2d8efa66a62fd83110

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
262KB

MD5
15e9395ad53efefa2af87bc7c9b25353

SHA1
8f0f45a6bef986d552e8c7df3d404b86ab4cf3d7

SHA256
ba7fc8301083c9db7bf1e6551fdc7b2948f09cc2fc57416d1b37ff9a5d4cabb3

SHA512
eb4d716e986d9a60d954bbd49bd7edd2a496fc3b235f0b051f217ae6fd20da08f8ab8a297f2e1e61b4c3457cf489f15994e77c56e56df7863783c7540048e745

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
283KB

MD5
dfa33c6fef41e458eead4bd857466a6e

SHA1
7d02379320dffecf72abd0d2944fdf28afb9ba28

SHA256
bb4d04fd7045fcdd6114770ec4e6aa35e319913be213156cc0f10ea83c3090e1

SHA512
7b26b6227ff8e980915adbbfbf0d470802bc8e26d81ff406dbc50dde35d1a2ca8dec262bb638adce72c9f90d84153609d130679fe5b69de73a5e59d266d835a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
262KB

MD5
7d273952977d3c990aa2d7535ef43bea

SHA1
13422a55fc74209d1c06c559d0a0de53c75d6e50

SHA256
d7fbf23537ecaa0bfdf5c7e7c4c28e1d9ab0721f789f2f1599ae2eb72e8420e6

SHA512
eab6a3263becec3d36df6cebec12f078120fda8eb09e4e1863a5d8ca1fad81bd6a84e27f76812e94c8189b5cd652d476d40fb655f7c4427a300306468dff6c92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
91KB

MD5
661198081ced730eb22867000e6101ad

SHA1
5f36b679f70c2b714b7ddcf9cf5551af357686f7

SHA256
956dfda96a30801ba9675b9661ad114c4888c9d3f3cc69cee301963168215acd

SHA512
c3fea940f1f0fc843252ff4c5fe20b80b24a0b730c5df707b0b7d3763895ce1f2e3d1bca86935c6c4906dd7537e4e4667b9c272288fe280a06c4348f159fd354

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57dd60.TMP
Filesize
88KB

MD5
e7421f2bebf30763c8f8d82070f5b63b

SHA1
e188042291515403949e687c8b829506e887e1c8

SHA256
5052d890e106d21d6e5c09ede57ff293ba3877ed2a2abfa9606e65b79efda7aa

SHA512
6792f2c3c0a4a9acf266181f28f60bd8ed4683d07c298e426bbfa206ccd70fce4230943c1e090d6c9c9ef24d72525b656ac9fd3bad084d39f115293aff82073a

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
7KB

MD5
db8eb9fecab1ac62318ddb8be0a39d49

SHA1
686337a401efe78ca2193a1ae435b474a9919975

SHA256
80fe918295bb726158f9fe2210a5e9ff0ca22d7b7d132f9660e9aa9c3b43e7ed

SHA512
7c1550d006ef933df1d31afc18fbcddef145759b04e1acbb31cd361bf4a61577957147058874593d89804bd9c1b393a4b8f5cf20f8ced4aee234b161e04429c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
8KB

MD5
214e050a5e1a700dbe589250d18e7524

SHA1
10830d27fc50eb07d5c951ec3a2a6b713872492e

SHA256
a4bf8dbcf10ed588e03c6c27ed2f45bee798f69664af00748a1addcdee8ea7bf

SHA512
04f6b0796ba6a26c94163a9ea24a96aef72bc864984d9422522ecbfd58385810af17390f5312451d38b6496b286dc28c237fc296f3067069ef9eea48b1d3b23b

Download Submit
C:\Users\Admin\AppData\Roaming\f1370e4dbb5459c0.bin
Filesize
12KB

MD5
4b5d7802f9242343dd0b94ad78aaccce

SHA1
ad8ca2cd1fc19133eb6db6985870d7930e27505d

SHA256
3ae4362426f915dc7e3f76dd05a4cdc6dd02fb01dbe4de17c7b3998a20ce7cd8

SHA512
d043e82f1ca09ffb4e5943dea5256c34ba5f8b8d7801e3c163f53143e8f72b90b807850bfbc2802154019c815d294865a530b16c80e38964cd0cd9e7fd26077b

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
4eb0e020cd4554d1da2325ace09a6a3c

SHA1
8efb360fb9bf966c3d7ae3522451d47964f49996

SHA256
c0cdd31e562d0b4c21426cb4a3928a76bd160e77261b856ffec60019b05ffb76

SHA512
21fc4f655e66a6abf6c6972e6b1418bce6ed6982ea2308b234c6aa19e1051a6220837f222edb808b878e1ba1b0cb814e385d75c6161a53652cf92a3c3fcea336

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
f5254a61ff3bf7a9f00dc8f967d86ee2

SHA1
814652a3850f1ae845e9db2c25489d4e1772ef62

SHA256
b960002f1fd200dd0405cfa3bf75e3e6cfd6b602cefb74d0985a3981e76eea46

SHA512
587e0547c56a44e3ac7a2d50ffd0b18518e711d7cd002f8e0d05f9163a8d4d1a6a1e0fdac3173e679a25be598693abc11a492c41fae07de2b9da8e5f132039d5

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
90aaa8e71a52ff2a02a5cc4a9316ec19

SHA1
e0975074591b569a175966a279038ab73ec3b92b

SHA256
871e812c35aa400998c7070cfc0c60f1caa7d145b98c4f97332ac8a446821d7d

SHA512
1a54df72da73c587fc02e9f1c82c56a2d3bff9d16df7a92ce348f703b0d44be87409ffebd803243b42577223d91a296c8a22e5eec36e079579130eef07010837

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
fd7005a8dd90d88bb3b33aaff4321967

SHA1
2ecf90c73362effe5f037fcc3f335ee05fb13aef

SHA256
4aca0d94715e83e2f2c291d95c636d1920a5fb6e81b30be82df703b1b690c5d5

SHA512
c69e8da7fb0197c5b4a714642f98323a772f7ae3fc93fcda7acf747cfea09eb2afab4203264f2bb0e86e36aab19d3676c1fcb4378a34811d7c7a2b4fff417c6b

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
9336ddcf1c145d48b58d540e7fe96527

SHA1
21c790d6394ade3fbf97ba3c08b46cf54b5f8f83

SHA256
ab524e287b746e3f755ba7e157855b7ff64932bf6bdc252eef49ebd2fa0e7253

SHA512
f8b6da96133a7259fadfc27bdf007c7e41e66cf59771c5fb4647412eba7318afa2cebec70b8b18cf5ad92436b05496aa819d223dc64af33b9ddf6e6c8b2dcd75

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
649d0271ed69a94868ccd5f72d9dbf25

SHA1
2289a33d5a0fc0618fe89b13176ae0ea9b93cdaa

SHA256
2f67b768be465bef2c59977ca14cbddc6b192111728fb94c555824af8cf46fa0

SHA512
d53b97ddfa251f923e0a28db8a511d3454c2f2d11ca334f21ae8031aac2523226a12cee5b62d598bd98b792ef3cc5ce8539a8b26b452215a456fa6b6dc85862a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
219d6f63fabcfb47bc10d5dd1c1fef54

SHA1
e0ab9e012629d60a2558f918e94a0d0de473afb4

SHA256
3a64163fea4b56e44ade0a86986e8dc6ef5f10b7f993b0741e388699bfb0985d

SHA512
355501b20d352a9f32f7bf0e37396f941792df5bfe9d17db21bc35e3f2650b75794c92b41e9f0c4c987bb4f94f4a539515199b83419609a31fc1bd283f4f1c78

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
ff94e3a9db95702d6f9721625da24e2b

SHA1
4327da08a31fc3a588aaafb6bf84ec185a85576b

SHA256
40c3a61b5655f07cc5ba7c6d15a5286700c235244e438ce6a6b6627e21366ae9

SHA512
280a266e085ead85660350f2767a3cdfec83f99f8e43fa764c8122bf163729fd2fda7314ae1bba6293c43de2c1b11dfc36d7deef1f98d4dda8e4fa94357c68e7

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
a43fbeab43782321bc595f789e8adffa

SHA1
fd46e717033ccd8a67ca230ef2db8843ab0e6a57

SHA256
1483d6952cc89bc1c2c3d976804fd9681d82fd01cf57fe2ecfcfff71edf0ee83

SHA512
8a69bb9e3ed9955cca144e7b14facfcdfcc3f123e5fe8ce47c41b54cf61f5a894ae43593372268f4bfa372a90fc776ea80a62d4a18f76d4cb309b0b7dc76b91a

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
6cc978ec585baf31bc300c10887fba7f

SHA1
5a7c8df8c6790b985b822db55e4c71cf711314c3

SHA256
2829848fb4665a125dcccab4d02e90b9f29db34f7c9f7d04df82c633fd507070

SHA512
17d14e4b2d3d39611d8f3900ed7bb2ed7e8285a18f23d9d4b27339487a48dfccfddf009d72fa1ee87758c304946c545417333f24a4a23ea109decb1917eee1ed

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
6f8b8d90e25d60a7e38712865c94975a

SHA1
0ab92001621527628825dd98ae7802c98064226d

SHA256
f43ef298f1ae290e7bde4e37368e9a099699480075ee46f53aeaf3a1878dcb67

SHA512
40d78138e8c0e63d2bd9d93fef5c39f68878fcf6de3c46b5ee4c4a27be857ff6acedd55927463656df14117274d910a4260c2558090212bc07399b6686745074

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
e5644030e960471239616724b0e55bee

SHA1
d1a06bf09a7a897515bd5678e2fc9f1316377870

SHA256
a82e935cfda42f2985a94cce6985e7b576df28545f1b46f7fd6f4bf9d6d7979e

SHA512
f7a0526d389962bbc4f8618938b13b3fc68b8bc9e8ad12a983a9751464f69f56e70051b1bde37380f83c8a07fe446b41796154cf5154f1353c4265bae9c5cf80

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
a1dae06f7aafda701314f1d1dda5e3c3

SHA1
89792251557e5a6f924111e4e403eea665bd344e

SHA256
0d5f77b78d8b2c6ff39f695de4b1c9b7b758b7086a3463b6f71a6ff4c149843d

SHA512
9f0d2273c9c6fb7219c387094ef9a9fdae91d21d8fa8ef521d553fc28d0592b079533a6cd33a0f75cbe8abb80e58ddcee6536a2bee53442500bcbaaadc9594e3

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
02861b76ed3d09581516911b03dc242f

SHA1
68b74bb101be4f00836b59bfad053d0e2b2d6f60

SHA256
73940d7ab3c2eba50623d778cbc8b83aab1c2f6d82c4207fa50813b7a6d4f852

SHA512
2f7a9bfabc9f334abeb4edbfe532c96a5a386168193763264e8ccce370263e1a0562ddd26754de3306c3342ead29bedfdc654467730241362937df3325d76b68

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
89caf396f2c05a981213622ec11920d3

SHA1
655f69e03522b2a29983d2e38afce0fa029f0c35

SHA256
5c35b415a0965b03a0fe78208edaeb437901e9799be47650e863288397004183

SHA512
d316bc94bf89f91ede4df09d1365eadc21e8b1db22c9ff7263d6eedaa01c7887d6933c68f1553e8cfe2b891c529d72da86d8dfed208d43ff387a273d81ab5a28

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
4654384d3056140b4cd320148af94aa3

SHA1
55dec9eb871f4c9959a8a14c734c381269aced4d

SHA256
755cb204a78f81ac735b3a52e7717655e50d116c2ebe4445f89299795852b3d4

SHA512
63f89a16a1e663a0ba93f8f593e0b174ebbaf3a4960bc6f3d7f86adc24d99914ab2bff24b0455a52c201c048e1297c9e7cd3a97a38fa35a04ce633da84c03a97

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
65ea148b08ebf4bb1fd09485bb1f0955

SHA1
11a372abfa02f3e7fad0df214f1d3d5190494f6a

SHA256
a2f41474aad1ca51559bdaca00154de0b7a83daa8e3d2207059509c0e41dbe55

SHA512
dbbb5db12b2e0791d8d07ebdea191601848f98c3e121c921c4df1d881fb72a7269953836fd72867a4c6d390f0b5c83c66e13a89608a7dae9b427b92296a0d70e

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
1c41b75dc2d84579df3c3b2e50c3513e

SHA1
db8266c941d6f807237d41efbd6e742e8aab632d

SHA256
78f1296de9977270093ad9f6002bfdc4566edb12485330d2a70642f8f940fc37

SHA512
6c67f4c390d936bc09bc5cfdc726b6c816c24ccae17cadeb97fdf891ff1104cf2f2302bad62753fecc046fb42b2f50d18c7cdaae4b1965134ef5f9fab4728a1a

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
257036a0fb3d2768f2801e5d32b9ce30

SHA1
0634d123cc54fe889f179f59136e47357ff7f7d3

SHA256
fe6257986f35787b1ef9628e36a811d3484fff46899b61381086da82e363c462

SHA512
381a451ab3b3c97eb3546554811f0784e5341a7f668b9ceb41dc077d34ebd26fbb29b2e0ab21b2a52b8637b3998943c14ce60380b8525378d37ccdceb0f0e5a1

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
f31c6a31702285039328a38e951dfdb4

SHA1
182324f5f8e720f782f4649cccca14161b20bfd5

SHA256
368b817ccebc86118dc34ea2e45ee990a2dfd423fcc07ba3a0f1916dad8becc5

SHA512
94cd8f6ff54c449a222bb9d2d30e9bdb4d8f72098c126590fdd2ddeb172abd200509bebaf4841fce50e326b85c2b8046b462575ef8df979237a08fe1a236c68d

Download Submit
\??\pipe\crashpad_4692_XXGIZPTQOKJFWWWB
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/684-183-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/720-90-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/720-537-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/868-187-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1044-189-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1044-555-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1376-9-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/1376-33-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1376-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1376-0-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/1376-27-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/1448-21-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1448-437-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1448-20-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1448-11-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1480-503-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1480-180-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1636-60-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2028-41-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2028-45-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2028-35-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2368-554-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2368-186-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3048-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3048-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3048-527-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3048-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3304-184-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3568-182-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3792-181-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4064-188-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4108-178-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4184-157-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4276-179-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4320-26-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4320-465-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4552-185-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4848-177-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4848-107-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/4916-175-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4916-100-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/4916-94-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/5016-74-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/5016-81-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/5016-80-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5016-87-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5016-85-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/5112-319-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5112-72-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5112-57-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/5340-447-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5340-498-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5716-660-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5716-448-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5828-486-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5828-463-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5912-665-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5912-474-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download