53c5600223fcbddf9a2fd32ed3ce287051ae503b3ffc7cba697bd9f13ed133b1

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 21:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
Size

5.5MB
MD5

b26f2cfedfbc23b2882c946e2edbfd05
SHA1

8d369cce21abd76bf7f5bff810b07716d0213e0f
SHA256

53c5600223fcbddf9a2fd32ed3ce287051ae503b3ffc7cba697bd9f13ed133b1
SHA512

33be76ceb0a27a0a1ae5259b479be0d220151b271b6a4978f7f2ee69f60f6ed6772f38866c39c72b3934851ea3d27550f2c826406571542b540824b522938410
SSDEEP

49152:EEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfX:iAI5pAdVJn9tbnR1VgBVmz3zlQpRQQY

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
1568	alg.exe
4272	DiagnosticsHub.StandardCollector.Service.exe
3856	fxssvc.exe
1892	elevation_service.exe
3160	elevation_service.exe
1140	maintenanceservice.exe
1152	msdtc.exe
3420	OSE.EXE
2588	PerceptionSimulationService.exe
4820	perfhost.exe
5052	locator.exe
2608	SensorDataService.exe
4340	snmptrap.exe
2764	spectrum.exe
4612	ssh-agent.exe
3792	TieringEngineService.exe
4536	AgentService.exe
4400	vds.exe
3024	vssvc.exe
456	wbengine.exe
1240	WmiApSrv.exe
1728	SearchIndexer.exe
620	chrmstp.exe
5900	chrmstp.exe
5188	chrmstp.exe
6164	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe

description	ioc	process
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\789ccf26c3a5208d.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\javaw.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{125326D0-F6C3-409C-BC6D-35A6D8D3AF5D}\chrome_installer.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\javaws.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe

Drops file in Windows directory 2 IoCs

Processes:

2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchFilterHost.exeSearchProtocolHost.exefxssvc.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000037c14be41daeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e04a55e41daeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006eea33e41daeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000074fb65e41daeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000061725ce41daeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005cad57e41daeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000d9882e41daeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133610582223214876"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

5008 chrome.exe
5008 chrome.exe
3964 chrome.exe
3964 chrome.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

652
652
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

5008 chrome.exe
5008 chrome.exe
5008 chrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

pid	process
5008	chrome.exe
5008	chrome.exe
3964	chrome.exe
3964	chrome.exe

pid	process
652
652

pid	process
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exechrome.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1536	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
Token: SeTakeOwnershipPrivilege	4564	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
Token: SeAuditPrivilege	3856	fxssvc.exe
Token: SeRestorePrivilege	3792	TieringEngineService.exe
Token: SeManageVolumePrivilege	3792	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4536	AgentService.exe
Token: SeBackupPrivilege	3024	vssvc.exe
Token: SeRestorePrivilege	3024	vssvc.exe
Token: SeAuditPrivilege	3024	vssvc.exe
Token: SeBackupPrivilege	456	wbengine.exe
Token: SeRestorePrivilege	456	wbengine.exe
Token: SeSecurityPrivilege	456	wbengine.exe
Token: 33	1728	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1728	SearchIndexer.exe
Token: SeShutdownPrivilege	5008	chrome.exe
Token: SeCreatePagefilePrivilege	5008	chrome.exe
Token: SeShutdownPrivilege	5008	chrome.exe
Token: SeCreatePagefilePrivilege	5008	chrome.exe
Token: SeShutdownPrivilege	5008	chrome.exe
Token: SeCreatePagefilePrivilege	5008	chrome.exe
Token: SeShutdownPrivilege	5008	chrome.exe
Token: SeCreatePagefilePrivilege	5008	chrome.exe
Token: SeShutdownPrivilege	5008	chrome.exe
Token: SeCreatePagefilePrivilege	5008	chrome.exe
Token: SeShutdownPrivilege	5008	chrome.exe
Token: SeCreatePagefilePrivilege	5008	chrome.exe
Token: SeShutdownPrivilege	5008	chrome.exe
Token: SeCreatePagefilePrivilege	5008	chrome.exe
Token: SeShutdownPrivilege	5008	chrome.exe
Token: SeCreatePagefilePrivilege	5008	chrome.exe
Token: SeShutdownPrivilege	5008	chrome.exe
Token: SeCreatePagefilePrivilege	5008	chrome.exe
Token: SeShutdownPrivilege	5008	chrome.exe
Token: SeCreatePagefilePrivilege	5008	chrome.exe
Token: SeShutdownPrivilege	5008	chrome.exe
Token: SeCreatePagefilePrivilege	5008	chrome.exe
Token: SeShutdownPrivilege	5008	chrome.exe
Token: SeCreatePagefilePrivilege	5008	chrome.exe
Token: SeShutdownPrivilege	5008	chrome.exe
Token: SeCreatePagefilePrivilege	5008	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

5008 chrome.exe
5008 chrome.exe
5008 chrome.exe
5188 chrmstp.exe

pid	process
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5188	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exechrome.exe

description	pid	process	target process
PID 1536 wrote to memory of 4564	1536	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
PID 1536 wrote to memory of 4564	1536	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
PID 1536 wrote to memory of 5008	1536	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe	chrome.exe
PID 1536 wrote to memory of 5008	1536	2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe	chrome.exe
PID 5008 wrote to memory of 4944	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 4944	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 5864	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 5864	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 5864	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 5864	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 5864	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 5864	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 5864	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 5864	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 5864	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 5864	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 5864	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 5864	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 5864	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 5864	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 5864	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 5864	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 5864	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 5864	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 5864	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 5864	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 5864	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 5864	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 5864	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 5864	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 5864	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 5864	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 5864	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 5864	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 5864	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 5864	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 5864	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 5884	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 5884	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 5944	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 5944	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 5944	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 5944	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 5944	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 5944	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 5944	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 5944	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 5944	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 5944	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 5944	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 5944	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 5944	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 5944	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 5944	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 5944	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 5944	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 5944	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 5944	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 5944	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 5944	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 5944	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 5944	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 5944	5008	chrome.exe	chrome.exe
PID 5008 wrote to memory of 5944	5008	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1536

C:\Users\Admin\AppData\Local\Temp\2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_b26f2cfedfbc23b2882c946e2edbfd05_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb503dab58,0x7ffb503dab68,0x7ffb503dab78
3⤵
PID:4944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1912,i,8251481656830341209,6811179140055144853,131072 /prefetch:2
3⤵
PID:5864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1912,i,8251481656830341209,6811179140055144853,131072 /prefetch:8
3⤵
PID:5884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2224 --field-trial-handle=1912,i,8251481656830341209,6811179140055144853,131072 /prefetch:8
3⤵
PID:5944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3076 --field-trial-handle=1912,i,8251481656830341209,6811179140055144853,131072 /prefetch:1
3⤵
PID:6004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3096 --field-trial-handle=1912,i,8251481656830341209,6811179140055144853,131072 /prefetch:1
3⤵
PID:6016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4304 --field-trial-handle=1912,i,8251481656830341209,6811179140055144853,131072 /prefetch:1
3⤵
PID:5360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4452 --field-trial-handle=1912,i,8251481656830341209,6811179140055144853,131072 /prefetch:8
3⤵
PID:5596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4588 --field-trial-handle=1912,i,8251481656830341209,6811179140055144853,131072 /prefetch:8
3⤵
PID:5616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4876 --field-trial-handle=1912,i,8251481656830341209,6811179140055144853,131072 /prefetch:8
3⤵
PID:5376

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:620

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
4⤵
- Executes dropped EXE
PID:5900

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5188

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x26c,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
5⤵
- Executes dropped EXE
PID:6164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4544 --field-trial-handle=1912,i,8251481656830341209,6811179140055144853,131072 /prefetch:8
3⤵
PID:3900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4940 --field-trial-handle=1912,i,8251481656830341209,6811179140055144853,131072 /prefetch:8
3⤵
PID:6244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2460 --field-trial-handle=1912,i,8251481656830341209,6811179140055144853,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3964

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1568

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4272

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1040

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3856

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1892

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3160

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1140

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1152

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3420

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2588

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4820

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5052

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2608

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4340

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2764

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1284

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3792

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4536

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4400

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3024

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:456

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1240

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1728

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:6060

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:3712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4180,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=4364 /prefetch:8
1⤵
PID:5316

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
Filesize
2.3MB

MD5
d38a6de19d6ab4ed3da72f3980e923bf

SHA1
af19eecaf7d63dd43642b18b1279db693e61a074

SHA256
418a0f3a05653a9977939ba21c80ef6c3a6d3fddcd329b2b853e8225b656945e

SHA512
9424501781ee69889a7023b923561ef293f10f3c7efdc3b77e731c9254ae1e1e5d62a32138daa4d4eba03b80da181857e8dd323bc1613f74284c04f8ae08b166

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
ad1c790290e501999976e95e1b3b7227

SHA1
8ca965c28138d672b1b9b394cab591c7cd2a271d

SHA256
ea429c5d4cb1c868570377ae487cb4f8e16849ae3a0f36a246cbc62a7864ae06

SHA512
612d3d2b91cacbc73e2d5c2d228ba1e7e7f5d77447482d807b5e6121e5fa257fbaa4304780205cc5ebb8278b42583072cec27bae111c6599f21070c170f1ac3d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
5a4ce6366c2c694960a5def3c6ed3f36

SHA1
5329961d86648952d058b382d473b63724224f21

SHA256
0b1a6f7e67cfa62c95eda95c54c64243127bd361746676567a270a7d65318847

SHA512
a5c61f0f3939179f7eec07e1cb9b48878d75d13daaadca3cf597c5c6515c3da0aeeb7e4b60143061aa8aae49eceb310029222b7d324883d484e3b6e0e95ddb00

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
2d75c8970c5cba8f73b025b7581d9089

SHA1
3107cdf48bacdba68b6d1ea4acf5b24bde8ce46b

SHA256
54d5a2531f31c3382f2eed178cd336878943af297a5bff21d8ef61ec4f4009ba

SHA512
0f6ac1e424257caff2a6eed68734962b9afed3a25ae12163aeee5d2eb931513a5a08cab4a299e4993a55093cd3ab712cc391fe29dab85cc8c5ea080789d7e601

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
cbf5a789b955adb8cb955d4b4e90b756

SHA1
1361ffb5e7da3bfe793ad937e87674f736412178

SHA256
ca614e65fde098633bcdd9a26a6c83b7598931f6574f59101835400d574d651c

SHA512
e8edcd154f8425d15e481c80e9b651735fcee7823afeb70223f54414649640c046072d7afeb2a825ea7d631b24d29e63f6dd65353adffaf468145e5e220f2679

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\7b1c0ce0-3db8-46c3-8c22-e2b1e8d5e772.tmp
Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
e646991f9b7863013f4543e5deea2d49

SHA1
7d3ab1c249b15c5bc5761baef819fa96b043539a

SHA256
0cc277125b5bd55a7c42e32f351b5bce3ca6003f28bc0646db5bc6b9b5135c07

SHA512
8b7b264f086ee2d1c1ec1199307d6511ce964890e84312a1c12c21a0a1fac24d6bf005a2ded820ecae3b51b58229a8ce724e98e40b03e1f93d3914948025a76f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
fcb4097dcc634bdc87221ba38b7b0a8d

SHA1
b67827f01a7523f5332a4aff1683ba57dd06851d

SHA256
f452dc51882b6271ec8434053d5ba5af784234bce1273b26be76a9d4dce91f56

SHA512
ba8a17db166f4047ddd96651ec4abebdc58c6f9463b80dedc9035bbf3d73ae2ee4d7a0ddd39ff987b99482777e51178a85db5bcef43f5e4bff222d85be7d9d83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
bf91efa5d1815fa4b74bed8b94e9ca88

SHA1
a747117b1af32518db7aa75ed969f5160ff22cd9

SHA256
36656e206669731ca319783299b9fd3be0e4e38bf680b8954f0d2d957e1d86e1

SHA512
dedfc1a91ceb3a598e9fddcae78c9f6395150dc52eb711a0c1f6fdf21ebe53675e03bc367f1a780f48e730ac9bf91ded45b9c64b71efa8faa4b80a58a3a5f721

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
411e318f65be246c3a85c162edc073ac

SHA1
297308931c77237c4be46ad5e0510b2277d1802c

SHA256
d52a43a1a6de59b5fbcddcd7bd59e042eb8b33f8c0aa3977c3fb83bf6516603e

SHA512
aae47703c5bcc78c6cbd41970bf56a218d566db6d98dc703a106579d152070e56036d97cf38eacad91bf87f878c6d930ecf440ab92e22baddd1ff06a258c2695

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5838ce.TMP
Filesize
2KB

MD5
c4d12c24a85b7e1aaf85cad983fe7610

SHA1
00bcb6e962cbc5a3d88689ec2f8c15feda6ff7fb

SHA256
6568b506f3cb4367abf414e66e1e93a4d4e40339dd3a2a1d5ded1f1907484337

SHA512
0d45cd5f36424147b7a67d4f154539d9ddde285cb363a139c5922814e6073cf731d61902a7eb84e9ac6547bcd52e65b023a2f97636072db478ccd04495a59aa6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
9e8b7e87063680c88416ff8cb83ffa21

SHA1
9ea75df598c4892b7df4c80705fbf123d14d65de

SHA256
f89ac3428bbd8f2170f073214364b5b22681b703af853ad5e1462e9a05035567

SHA512
8b04298f5ccc414d3a84017f233c532b165220229eae36888cc6b64553e6872f2e18249506112472841748d2c59a71e7e03c07f6dbfb4bdb9a74047f0ecdd9b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
260KB

MD5
d91da5322ce9a4c39b37730304ef97d1

SHA1
fbf78fa38fb43e9c17304f2288b8fd39cfd4e0a2

SHA256
1756c3f86e0f074533669fef2720d9f3679acb8a2adabf35e23a1bef51ddd684

SHA512
6350dcbc647bb05f87f5b398036af0969d2a820517c0e68764e31296703f7f8fcfbe67d6bb0db6e510e520b0218a2fd72097a17e76610a2dc820141d556c7eda

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
7KB

MD5
e7f8544cbbeb52f51b50755b055c7e68

SHA1
8c1204602c0640c6a6bca7df15f6f06961c7f675

SHA256
81dd4d681acc1c173a34555c5c92df55fcdff130b72043643d282b8f9d9c23e2

SHA512
71f696ae9ee3f355529cf8b6eb98973146699ee763d37ca632f465845a2d0c05cca0d7d89455b69c9ac91318caa9d443703c3ad05b55f33d42416edb1667a96b

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
8KB

MD5
be2e97dce0874579af23f774429e48b4

SHA1
71fd8fcaf67e993bbba23ca785b8748f65cd681b

SHA256
908cf6f2fda2a7214b644e48b2b9fa3b660805befb2d3ecf340d650597add7c0

SHA512
84e133a4018b66b57ed23984bbdc9825af45b22bc246950533f69f3c82a5b20d714f0d0f28e69330c11eb0c4f340f22fec7d2760bbada1a6800467181f4ce249

Download Submit
C:\Users\Admin\AppData\Roaming\789ccf26c3a5208d.bin
Filesize
12KB

MD5
a8f0455eab1a1204b621acba48a3bef6

SHA1
01c4351f9ec9145ad1a6ff93ea89780cf8697f46

SHA256
b4ffa459ecc7e2a1eead76f9f2c1ba476a6719debb944344af8fe138e557658c

SHA512
6cdb96ecbbf68a32604ebd62068ee9ec77e48624e0612d88f92d33d5faaf2a95bf5b28f72eb91ddcdf2cf396655afbba91975132f91c1a49c836144438db0e61

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
3e057ebe036c80f7e5715888b281ca1a

SHA1
0a5ce411454591cca380c73aa248662528a650ac

SHA256
8b9ded73f474e65920bf698ff2f5a59378a9ed066b367407f06df1a67fd5c574

SHA512
4df70c74832ef468436798536685c17b4da287ec09283d9c7d2a3f5046a257657c6f0921c62c905cc384995e4239c5f1b0e82f051ce44e0ee3c5aeb67bbe6a7a

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
b606984fbf50c96da2eb9e0e8b2f7176

SHA1
bfbe7c104679529aac0c43d7492ad9087f5fcb6a

SHA256
3dead2b04babe6f65647ecbc703b7a644d06b4a12b1acf01df8af839afc7a80c

SHA512
0139bb640d40b84bd2495ee424e0d5ab5d8fdcaa3c6bd24e199e1af0e9faef88276cb1516af964cc6e0c06bcd9318007b899e5abfaec9927e7d4084dd3964cfb

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
a871cd49a1ac4f5ecd7938ecf68c37ae

SHA1
192fa59c3873093cccdf82639331aca67c411c89

SHA256
21ccc10fb9cde591def4d0546f33f473c7aba839df439e98cd5a536b1cb5c981

SHA512
73433f25e6fea1ac832c5b5b7f8f18d628e6c96d2aa9cad7b648fa86d8dabe9c6eb4837983bc0d0aa00d2b621c505c864522e28f943472774206e2cdfe62a1f4

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
956b507a6b0f68cff22312287faba0f1

SHA1
6c0fedb72240b48e4e29570551bb2f78612e2f3d

SHA256
7e7a00d6831062eb3a34618b7a86fcd366379a49696db27da68fb6261a1801d2

SHA512
34a38d076f8cb8c4fa0f9b24e036821df6ad366926e6481ff19dd1f4500e9fd93711522f96b4985a31e2f22add5194b29dc0a34d3faafb067852caf5d5bee146

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
bed6886b94436ffe7b7d477d08489b7a

SHA1
1b1e822f41a327e7b5ee430d0161ab40b8ed245a

SHA256
727e50f484b0660c291d595bdad85a5e08377b6b6371924ff58076a0fe266715

SHA512
30d39b22bed786ddf6b6d209803ed03be49ea893c4141f720067182afa16c84da9b264b77657d12df4db599ecde184ede351f1a1c64c1a487a14d57a80961126

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
fa09aaed6ff7d5cbdae9be372e93db8c

SHA1
61ca34ec6c84b8aaff0d60aa27cfeea2945afcc5

SHA256
7795d88de96ed3ea67479eff0c37359a15ae6a113c2ff36a4a74fea4b392b0f4

SHA512
735e84605ccdc11eef3c601aa757532d22727772432c9e713a34b74f29cc7b7ad6515234d0930043e8f58fa42077fb597739462663351e19572b154214e86e34

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
08d1993a9102b06501dc0412097ee77f

SHA1
cbce7961548db3bb118b018bee3d3b84780eeb59

SHA256
619ba3d07dc379c22d082fcd43249d258ae945ab97a46546764f800153f3b0f6

SHA512
9bdf4dca500fc18ca57aab1648e6ade9e5511e40920f16705514de0c9302a97cbd9c73a70f3e144372612ff6236b92cc03626d3572c308a3801fea6cae644bf5

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
e37c829ab5fcfb9840e2c34947fca45b

SHA1
6db93f08b33e07c1c438b22480a3f42787dc673d

SHA256
d58584b3043fad2f0fd5260d19b7c10da90724b4136f9badb1dae8973e19a13a

SHA512
c01f1bee2828836fc742a67c445c7939cf9cdcb88db023be4395751d965d084db432a1d4cd267013a8e66c0d509c74c46f56ba10ed0e77b423e2355cbbd44b1a

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
5b2588df766b1b9daccf87d17aabb70b

SHA1
544f38407240c1f146052dcd06b6816303d8fc28

SHA256
fd96715a81b724639d14539880d192b06555508b0f031c51b57f9a43907afbf6

SHA512
3c1cdf7720515f2f133a847a74a9d0cfcc0c51279a26c724f45ba5cae7e1a9b666fc7fd5587eece3a3e11442614aa13ca5f9d32c208d892ebc62f1e1c5c82cb6

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
3ae58f2624b5c6377574d18828c04f7c

SHA1
17e4a9aebc8ba95003e455855969c0f6eea1ffd1

SHA256
dc43929c3f1b04a3bd6af03399a9bcc66fa023905932bfc41900d28b1a76cce4

SHA512
99f8756e9602e1d8eb3fbf3d54a1ee47357095ab8545455e88d040fef8c054d1eda4c4f79a6336df7ea95cb0c3f04a2a40940f34723167a61a6a2c4ece2e5b46

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
4899dc3e80bf9c9868dc78a2ddb2f159

SHA1
33176b9fb025e13d5433744df2057b74ace2d4a9

SHA256
93ac06f1e47cd69824fa5ffd8fe52a989fc87061564ce8e67b3edcd1fe681bfa

SHA512
bc65f7d37c446abd7e47919f72f6ab20e0807c27b88e3939cd0ef5b9f22b144335bbca60545ef545b22715a776e546de43855bf1a73046164fbdfbe8fbf9702e

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
e3a00a6cf37fbb2d2b8bc7fdcb4ed108

SHA1
f0791885a1a01e8ac7824d1b78db03731af597c5

SHA256
16b4b9f62668ca4a6cb49f4c52f5e80f81f56170cc3fb7d0f4128481daf73427

SHA512
1b6295f3cad50c3193b65fe88669ce82c1221021697d1e35e22e07bdb16c03aacd35d1406fba96059b80eba47f4cf5f3d54417c87f23757d9f9a4d5dfdd61623

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
f4581ff918d35efbdcedc7f1641ddd0e

SHA1
e58fe83dd7e0650057acae339ad3bce9c9b78a18

SHA256
78cb28bd732b31c63f569ba87e98293b89fe4ea5a946e9c580d6b78d60366ddf

SHA512
019801b917c2d64baaf671c84d82f643bb1876a4b394c22fd93a48ceec73e7ad2c33b3978cb276decdf7098d1f779788f5c39253d7442c22f7cc5fa5b300140c

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
cd822f788095d119343c3d8d038e3ba5

SHA1
7fd34986e7ad8d88c376adfd96a4f9c9d177ff02

SHA256
755ae939d6e5fb2b8beb4c2eb1d4b6fe0d8f885a6516910fc7b873228270f896

SHA512
277d4ed599493829bcbfdf9d4419dcb9f71f75355069d1a14d3f817c49b8dc75db5f239a7dfd2ddf0a7000dc631bc25f3de93581e9c97edf7488748f142936ac

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
069beb212349971477babd3355406ae6

SHA1
61ce72132ff9143c9b5ec3c9d07cc840dce38e63

SHA256
bd436f011b664971c48aab16a4e2289ddd1347f2ec81f8cdf91c000b75323e5c

SHA512
fe17b26cc286ea404d1bfa8183de0d09f0de9e56150173a60ab56f9a21c45f7e04705dcd802220b446aef2c8d89446adfe314f8616d71e634a24cc61b20c239f

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
09aa7cb4b9ca17002733af6ee500c683

SHA1
2de5a1ea480258424d19391084e96685e798afdd

SHA256
af47f29b7728aad10f5bde7ea6f0a1359c68d840c8f2ad3c7ff6e10ea87cc607

SHA512
f9ef892b9c253ac3a974c4760d4d8fea4cd33678fe6b9b7365b00af4cfb95ac9e2d8bfdc5bc7fc8e05e93185b54d4ea1256b10344f20bb086700ae107d8b36a8

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
6a386bb67557cd5d97dd85e4fda5818d

SHA1
844d8d95aa20f48371cf3dde1289af6f74287529

SHA256
37ce7ef86734616e0dad7add88d9038a8a6cfd25dae276963b3850421851e64a

SHA512
751bf5d67211ea7b88612f3f2b47d2ef2f40bd201c632edf905923da1a2ab32b40f0ee4a96ed72cee748f24ef26c370c42a1f60532a69a15b2b81cedffae6ed6

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
b4b2bbe9a84dd3c74590bc36299e1e6e

SHA1
8545c87f0a67943e7c050b2b43cfc71af06a0c4b

SHA256
b906c0febff52a8b0a4b0117921bcb79383ec0bcc7f87b497d10fc2120439e59

SHA512
8093897c7aab1691834be1569a2bfbd95f89678f561fa64db43f564b66f207beb7804982c61ed391cca6e75c9197d8acba5023283558abfbbfe685157d6ef5a5

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
de12892063f81f60b11c0497ec332fa7

SHA1
ccfa0530f55d277c3fe6d75260088ae08d5b7616

SHA256
afd8ccad757251c38eecbb67fc9f41af5aecfec62b521b229c5b17e17ba05eae

SHA512
441e809f431b7d1715efa1a6eeda910ba6945b9529a6330cf964a1d8f7233e97893e6eac6758abbeca4c61d315829371fa2e2fa02a5b838d1fb79e7a43b6d7ca

Download Submit
\??\pipe\crashpad_5008_MHZIWTPIMJPRURHH
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/456-231-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/620-493-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/620-432-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/1140-75-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/1140-74-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1140-81-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/1140-84-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/1140-86-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1152-214-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1240-561-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1240-232-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1536-22-0x0000000002080000-0x00000000020E0000-memory.dmp

Filesize
384KB

Download
memory/1536-29-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1536-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1536-0-0x0000000002080000-0x00000000020E0000-memory.dmp

Filesize
384KB

Download
memory/1536-9-0x0000000002080000-0x00000000020E0000-memory.dmp

Filesize
384KB

Download
memory/1568-458-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1568-31-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1728-233-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1728-562-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1892-59-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1892-50-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1892-56-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1892-360-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2588-102-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2588-216-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2608-219-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2608-482-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2764-221-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3024-227-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3160-72-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/3160-62-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/3160-68-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/3160-521-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/3420-215-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3420-92-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/3420-98-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/3792-223-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3856-71-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3856-58-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4272-35-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4272-43-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4272-44-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4340-220-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4400-224-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4536-155-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4564-429-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4564-12-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/4564-20-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4564-18-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/4612-222-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4820-217-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5052-218-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5188-456-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5188-481-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5900-434-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5900-563-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6164-459-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6164-564-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download