2b776dbff984e6250eedd5f540f1c0352e3a7d3983b535ca2a7c7c03f848e846

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
Size

5.5MB
MD5

cdffa99736357a59ed780c60bee6e014
SHA1

f4cf6eddfd2e94e22e067095b71fd806d3b12168
SHA256

2b776dbff984e6250eedd5f540f1c0352e3a7d3983b535ca2a7c7c03f848e846
SHA512

b3a2cf0f1e24a1d262810a9f8db5cd10cc6bf1040c2652845fa4275e16c5e0fdb687427f47a2b247008dcfe6575021ebc5c9cde6ecf76c4753badff33b082f5a
SSDEEP

49152:uEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGf5:0AI5pAdVJn9tbnR1VgBVmL69CEN6rV

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
224	alg.exe
940	DiagnosticsHub.StandardCollector.Service.exe
3836	fxssvc.exe
1468	elevation_service.exe
5116	elevation_service.exe
4324	maintenanceservice.exe
5032	msdtc.exe
2200	OSE.EXE
1948	PerceptionSimulationService.exe
5112	perfhost.exe
3436	locator.exe
2480	SensorDataService.exe
3588	snmptrap.exe
4848	spectrum.exe
4072	ssh-agent.exe
4644	TieringEngineService.exe
4956	AgentService.exe
3104	vds.exe
1352	vssvc.exe
4424	wbengine.exe
4552	WmiApSrv.exe
1260	SearchIndexer.exe
4468	chrmstp.exe
5328	chrmstp.exe
5584	chrmstp.exe
5660	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exealg.exe2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\15c31300e703f493.bin	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_110750\java.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe

Drops file in Windows directory 2 IoCs

Processes:

2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exechrome.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000056a53f351eaeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b0a06c341eaeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000086ccec361eaeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000096ee7a341eaeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000069414b341eaeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000592b57341eaeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

2136 chrome.exe
2136 chrome.exe
2428 chrome.exe
2428 chrome.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

2136 chrome.exe
2136 chrome.exe
2136 chrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

pid	process
2136	chrome.exe
2136	chrome.exe
2428	chrome.exe
2428	chrome.exe

pid	process
656
656

pid	process
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exechrome.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1376	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
Token: SeTakeOwnershipPrivilege	4356	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
Token: SeAuditPrivilege	3836	fxssvc.exe
Token: SeRestorePrivilege	4644	TieringEngineService.exe
Token: SeManageVolumePrivilege	4644	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4956	AgentService.exe
Token: SeBackupPrivilege	1352	vssvc.exe
Token: SeRestorePrivilege	1352	vssvc.exe
Token: SeAuditPrivilege	1352	vssvc.exe
Token: SeBackupPrivilege	4424	wbengine.exe
Token: SeRestorePrivilege	4424	wbengine.exe
Token: SeSecurityPrivilege	4424	wbengine.exe
Token: 33	1260	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1260	SearchIndexer.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

2136 chrome.exe
2136 chrome.exe
2136 chrome.exe
5584 chrmstp.exe

pid	process
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
5584	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exechrome.exe

description	pid	process	target process
PID 1376 wrote to memory of 4356	1376	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
PID 1376 wrote to memory of 4356	1376	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
PID 1376 wrote to memory of 2136	1376	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe	chrome.exe
PID 1376 wrote to memory of 2136	1376	2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe	chrome.exe
PID 2136 wrote to memory of 2012	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 2012	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 4652	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 4652	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 4652	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 4652	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 4652	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 4652	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 4652	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 4652	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 4652	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 4652	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 4652	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 4652	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 4652	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 4652	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 4652	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 4652	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 4652	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 4652	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 4652	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 4652	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 4652	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 4652	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 4652	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 4652	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 4652	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 4652	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 4652	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 4652	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 4652	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 4652	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 4652	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 1032	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 1032	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 1496	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 1496	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 1496	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 1496	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 1496	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 1496	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 1496	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 1496	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 1496	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 1496	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 1496	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 1496	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 1496	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 1496	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 1496	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 1496	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 1496	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 1496	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 1496	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 1496	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 1496	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 1496	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 1496	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 1496	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 1496	2136	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1376

C:\Users\Admin\AppData\Local\Temp\2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_cdffa99736357a59ed780c60bee6e014_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbdc61ab58,0x7ffbdc61ab68,0x7ffbdc61ab78
3⤵
PID:2012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1912,i,17362036270887879840,10809949573580239344,131072 /prefetch:2
3⤵
PID:4652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1912,i,17362036270887879840,10809949573580239344,131072 /prefetch:8
3⤵
PID:1032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2200 --field-trial-handle=1912,i,17362036270887879840,10809949573580239344,131072 /prefetch:8
3⤵
PID:1496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2956 --field-trial-handle=1912,i,17362036270887879840,10809949573580239344,131072 /prefetch:1
3⤵
PID:4244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2964 --field-trial-handle=1912,i,17362036270887879840,10809949573580239344,131072 /prefetch:1
3⤵
PID:2548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4328 --field-trial-handle=1912,i,17362036270887879840,10809949573580239344,131072 /prefetch:1
3⤵
PID:5308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4484 --field-trial-handle=1912,i,17362036270887879840,10809949573580239344,131072 /prefetch:8
3⤵
PID:5384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4576 --field-trial-handle=1912,i,17362036270887879840,10809949573580239344,131072 /prefetch:8
3⤵
PID:5436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4816 --field-trial-handle=1912,i,17362036270887879840,10809949573580239344,131072 /prefetch:8
3⤵
PID:6084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4572 --field-trial-handle=1912,i,17362036270887879840,10809949573580239344,131072 /prefetch:8
3⤵
PID:1228

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:4468

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
4⤵
- Executes dropped EXE
PID:5328

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5584

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
5⤵
- Executes dropped EXE
PID:5660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4640 --field-trial-handle=1912,i,17362036270887879840,10809949573580239344,131072 /prefetch:8
3⤵
PID:5580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2432 --field-trial-handle=1912,i,17362036270887879840,10809949573580239344,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2428

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:224

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:940

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1904

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3836

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1468

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5116

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4324

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5032

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2200

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1948

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5112

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3436

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2480

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3588

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4848

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:636

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4644

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4956

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3104

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1352

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4424

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4552

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1260

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5864

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:6048

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
afb25224f110c732544b66012408bf1b

SHA1
4b5b5d9bbad36f85bc09c21e96887baee4381a29

SHA256
103a01a68d42231e6d7e5e72c8f11298ec66538f27aabb4cde9af9a59fc919bf

SHA512
9769fd7d8a94ee7106df6a67204be57133875eaea8ffe000706ccc9bff993d1293f416b2cd5fe12dc51fd70de3ca29f54e85851b4004f82feaeeb7f1f8f20af6

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
56abde9702889c50df8e06dd8343e031

SHA1
e5e2eaf650fe685670f9b9cc4592de8595310053

SHA256
9baae9ffcda7010ee54649cb883bc448e4cb500fb6ce571c6a5ce408bdc70fed

SHA512
2b935f1d1a7fe838b08991fa08063fb333e60be2e5166e0e2c8486327738fb312ccc450f8972b880c49b40ac96a7554306baa905a035c8cc1c4c164a5cdf43d8

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
8a8f7e6ee9f93a2acd12456f7d6d406b

SHA1
531c5cd748c8e04120f9dae6b99832a5348b68ed

SHA256
576106d01c46e505759211bc12d7ba9bf9568a47cb24841ccd9ae9a4beaab8c8

SHA512
5b860d5deaef0dc6ebc455e73995f36d8cc1edbc38f87b3e3418ccad5f80bdbaca1fbdc0b6277141ba3fd93816db5e70cfca86e766638f995930a5df49e67919

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
761c50b5163eb5331994c926fe3062b9

SHA1
0cb4e07a5b6bb4f348bd7ea4527768e99d38458a

SHA256
29770e63fefab515cfff43869365fa8d27591a914edec2b8b3acb6ef981c3eab

SHA512
293d6e3efb3f4ca531127ea43191e5ed99228a86fcc539c775697cc05c74d883904da8ada0c6468a193cf5076a2b3dbfb30407d372a59b74ee1266b9ff66a1f8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
b5eb048aef4c230fec7045ffaa16244a

SHA1
85eb176b80908edf33fb16fd57575a6e79767964

SHA256
37b6da09d2efa4d1e094f6e5039f2fbcc7eb57254ef85a228c75a1ea79c9231e

SHA512
392bbccc6f4757427416f5d781f9690fe98d3ff506adbff574ce747d70e5ed02f5128aec80cde67a379984fe14e0b6d13c40b4cdab746894f78c7499bc41fefc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
d0df793c4e281659228b2837846ace2d

SHA1
ece0a5b1581f86b175ccbc7822483448ec728077

SHA256
4e5ceefae11a45c397cde5c6b725c18d8c63d80d2ce851fa94df1644169eafc9

SHA512
400a81d676e5c1e8e64655536b23dbae0a0dd47dc1e87e202e065903396e6a106770cec238093d748b9c71b5859edf097ffff2e088b5b79d6a449754140a52ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
fa818308ec6a13e074dc2398ca6c95ca

SHA1
26fb8372c8d51e19b8027e3d934f6e879b100ce4

SHA256
d5df7c56979d4f884ce32d0a8854caa8685722e9d4e80480194aad861e86cb66

SHA512
e3c3193a53fceb583073b43a7775629fc61f3add6b15f474e47c1a93370fea7227395f64a9f39ed6546d616e1d24e3b7fc7fe1e2b94aa32d4029f9d991db0b56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
354B

MD5
e44913f7d6b40a72da768834f8c86870

SHA1
a1aa4859da4990baceda1cc677204dbc58bc74b0

SHA256
fd3beeb21c52ee61961e1dfcad348778210c5f46de8647ccb1c9e0e5089ebf7d

SHA512
44cb35dffb819e00b7d7ff2f5facb0dd4a3742fc688b31efa7e545719b6ac3dbbc30ddf6cb4d4d95da37ef92c6cbd4d6ed94c029e48f7d121f89ce8043ddcb46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
692dfb62b96bc5c05f2d2841fc82d7ad

SHA1
c95f1741088eeb8930d5387a29c16283c32b9fe0

SHA256
373af1e826c43c042e5be980a8f7081cc0959d9d44dbd2592ac821de46f08b4f

SHA512
3406132a75ee48d1a15571aa1c891a3a4621534ffee031a398338d90810643533636a7ef48f335af1e5816a5765cc44b75c01884e2325e427e767116c0bcd09f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe577d8c.TMP
Filesize
2KB

MD5
1d0245a0816fd932b1963600bab98460

SHA1
82d188a3a5fd107ed83000e16e41e0d67eed941b

SHA256
b9d8f68c1f5aeadb1748f8efa21c33a4235cca822bfdf19951d296b2f29944f6

SHA512
febc999100ab08b73d52fa2a08f7c09cf2281c420762d121150da6cecc922372a9591619163881a5d2956cc20a7bd6d1b5017b6f0575b55ca6baeeaa604632f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
d1d4618999de66094858aae26a83d302

SHA1
3faab3d4bfd213889ec156a7d6350d3c5b0b6643

SHA256
2714647296ca343dab294c4f1c795879ee33159d305850baf02448c80f5d899e

SHA512
685f94d39acceb15d70e3c18ce621075fcfec2d57940a0c2fc657a6c937aa7b83ac663557b9a38f0867706ea02c25b6f5a3b49962f64311087a37e6e46c0bb41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
260KB

MD5
521fe40f67a8f73d703934c19cbecd71

SHA1
94e7d960fc02c21ebdd4247dd70e2eef9564fb91

SHA256
94e8bf67d405e993292a27e1630fd716b90c35e7c796deb7656559396751eaa8

SHA512
92e94a630680194fe85f469b4428660b59c5f247aa5879cdfca554fc996fedd2e5aaf316d6bb4a2b024cc7059d64c7762050bd7cc3476fa660c60af5df501242

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
7KB

MD5
8547a30ea2d5700589c63ccfcda486e6

SHA1
0d4f1b9958b34ed3ad6df35da7a6dcc8807e960a

SHA256
027118a36094f1aef322773074a46b69a9e95c30d7a360ca93a1e7a72c60fdd8

SHA512
5639a3cbb92fa0dc95ca277df3c80cf53bd2a5d6963ef1f9671e13a063b18e562fae072240fa208e8fd1b4056e9a13fac304346b4ba10dc72595115035314a3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
8KB

MD5
8a3c2e1823d3a750ba325527528991eb

SHA1
b3c603c1c6bdec5b0a45bd7a65138cf11b6f8fa2

SHA256
2dc0296a72383cca946140e2c1568cf27da9782dd737e2910a4d72a92461c52a

SHA512
671a4d655fa98aed9054b3edf9b84ecc095977f4fd34d92defb595cbe3435f770b004977f06258379a920391d2f1ea4263a27216749af182f04e3e1c12bcd2fa

Download Submit
C:\Users\Admin\AppData\Roaming\15c31300e703f493.bin
Filesize
12KB

MD5
8aca5b988603ed6cd012b30cf6737157

SHA1
9943f727e5b531acaeebabd060625747391cd3d0

SHA256
feeec40ddff98f58c9a81f9472f1f192ffe6b996361383999c738de9ba3794cb

SHA512
23b2f52f9205e25227e40eb090b6cec1825e1be836cfdd76f10d8054371a6d5c72f75b014adfbaef5b4b04e108bab11d4c71b67f9ac0ac39a5f70734d667c8ca

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
bd042cd302ccfe0d07da07d39a37a767

SHA1
7e33e1228f5eac032f1dcb87c0890d3b12be662e

SHA256
5fa6ea0822b51b78b0e3e717ce5fee033252664bd3f9b01c79f63c0de5a1f197

SHA512
f69957ecd827b4ebd6692957738c065d08643500cd599fc6fe51ea2db459a079cf39eb19021de48090be34a818455b69df7dcd327a17dc997ffa5638c9a87296

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
0fb381c2c43a0cc7adef4d97855cb0b7

SHA1
ad9b56fbbf748e0f8d6ffc5cbe2d3f2b67042e6b

SHA256
657eb2e3980b52cefa6996b656465867d7111f6a4bac32a6be72209f287c61ed

SHA512
f104455e3e58ffed50b15ea8219325572bb5b0855ef05d89aa172b43243d26c2103824c1d22ecaf1daee04cb7956174920ca297611a3a2902a565c2ab0e794b3

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
cc92f4447aa12f4677771b7eaa5e3c37

SHA1
11e028fdd3dbba32eaff6c2c55670f4ef5134804

SHA256
47e731e051946c9280e2564e961331f5629b59f732c385f08fbf9ecf9f31e581

SHA512
3582b9ed360021b2d1c9adcf301105d076699394ad6bca66a3da80336cbdabe78d78ec0e951d7b16eea75b3814eb649271bdfcabbbda00090285646db0437e6b

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
8c1864e2448934e3001d7dc179f0fd37

SHA1
9d3d20d654e11a9f8093052f61a75bf730f63603

SHA256
73b2a1eeef34e1b7b0fb2a51acf35e0676ad4ac604f9dbdc8c18f1bb064c71e6

SHA512
d7a07d1ce8b12f7f98e86e0ad298f414721d168b64df43a62ebabf176a964508251b6d53c7adbc506f9ea8d5a80fabcb283db8d807a7a9b88651240444a7cd52

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
ce0bbaeb24b34330a0ff7ed03b9fbeb7

SHA1
57055398a4081b3d41c1f7d94874ca85a3eaf195

SHA256
f82aff6109ecae9e0e3d1f07047f010fbffc1977287788e9c800be8962f21eb0

SHA512
6bf67f648a59e8edc9e3dcef2576f639a799b00910b31f03b8197272e91d95769eece014cbf595822201c4db68491f5d0fa9902894734c53b8c27f868cc03fc9

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
c8da0a4e26eb3a2f1725a510869ae769

SHA1
06fdac4bc3a777299948177170bd336d6e37ccee

SHA256
1cec5edb90791bd9ec2be710dcca5e3a72eff470a9c791ae633aa452f0a03ead

SHA512
5fa64f09eabfaac985622876a6b55ef0acd740fd1355e27ef386e0ea4e7f9f87605493e518e86d8515e82f342b0e85a90f32f752e309869e8f8d2c3c8543003e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
b48a35b1ff23253ad179abe33ea6f94e

SHA1
f0782eaed9b3b8c68251d63a9bf152e1b3f81672

SHA256
8630ba1e5065f91ff9214cad34d5d00f6b3a45687fa95f08ef92b761f9f61256

SHA512
8f9bcc693c900611024681c58b0b5989dad48bf4473bf0fdbe22ce745cc7fe899363a32ea281d7f13553c9382cb97a3ba2e5bb0c985c0c3951832028740d2700

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
6baaa5ca027f9c8cfccffe81c4e38b64

SHA1
a670490760f774e6f1f7355a60572288a9cfb586

SHA256
6bd3ee6d1652345e16e9ab565bd0eb910005950e43c97c282baa493657cdd2c7

SHA512
a2cf1347f511357e098763ecd55f55812b46bd2d35a064cac6240d8f48c4ee74772f04c213d3bb1e6c4c5e2665b139ec3dd2c3b9f7612a9578800be5346970e0

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
451e62cec2ad4f736cf96bf5b0dc378c

SHA1
b664d56c6dbe29eb6097ef1ae4334a7b8bec4584

SHA256
3f1133b1b5a76d5c0ec218c72a2a0957bfc35f5a4c7d35c13b23f895995ff215

SHA512
a967c469405606a74248b1e112300b9a8d3610b44b68e8adb31d759834153aa2902bd17e5efadd40efcd7c051a46fd1020ccda65d819dc89a2f5832e36ea550e

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
a1172f94cb670cfbf84512446cd6aec9

SHA1
cb0b119923442eefbdffea9f24d43f4f97d84370

SHA256
f184b6a2908f387a67a277c996d6354fbf763c887cc39434117834a0e02fe43b

SHA512
0e80c92485eed3c5a874e89b29c3442447bf84a17b0039c9c68fd7ee345480e6c7b9abcda9fbf029c4c468df67b0f1b085ed84b8ef8bfaa4cfbfc6e8dc03b24a

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
3b6fe036024be663c8715abd3c1d201e

SHA1
d0035b221380c3b5e56923ed4160ce4a5aa77002

SHA256
d56505d87bce153a62a2b979aa2eedd41bedb95e8720ead8f3596971eea246b8

SHA512
14fcb52e510abeb237678296e058f6fde94adbe1253a800fb5618540eff5d321ff1b64475ead94061bd67d66e3bf4ca6033f48122d73931882889fde98b04421

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
31382bb0399508256346982aab5dc0c2

SHA1
fb69f17e33df39af65b0d604a35d10d39c60d22d

SHA256
e7dd65485c06295c0181858592dfe46e7cb27bea27af1d9a1298b2f3032b33bb

SHA512
b9bb08f11c02d606dd7654188e0a6a7d408a601a0f26431d16ec4db9580e762018e104b210f3fa170b084a20d1f4ccb89afdeed74bc5e46de018531dc4cef2c1

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
79a9b3afb79db5d49fe0b56359fd1fab

SHA1
2d8e8a44ef4dc6413c40019197e59830658be68d

SHA256
a2a6eec90b549e34e2e0a84dbc8ad006423d106e656888f1e1ad37dada05fe15

SHA512
5d9c8b74d82b000b01bf0a7ad57ee3fc2d92263cf561612de3b67cbf6c2adfe6b45460c9893e3f9b0f781f4db9cd9a3a5085b4f42805fea3791962458691603c

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
7002ba44d054e6b7c8c52adba9d9c99a

SHA1
39dff67689dbd222be00fadc49ca2ad320de8809

SHA256
110b3c0eb92be6df153fc8c8c5a3c9bfa1ec3f970e8708b32e63928140170232

SHA512
ea458d3147e9a2119abbcf68fbf06d7236e075a498bc4f1e8fef54dacd7d9844c96a96787545020d9bc20245e1878ba7ccc696863ba99af490664c48d9b56485

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
38ca6bd57e795c4a77c7f0704e31eb04

SHA1
1d7109cc4ea3a40bd14fb5fe613abe18fe3584ce

SHA256
5f5ede6706020815796dd21c78546fb0875d1b6d97153af3525cc773b1ccb616

SHA512
08fb6cc015762e048dc240e8e1febb7c8ab55664c7d7a8622e72d00bc29dff4eedafd9cef396d40a349e9839a9dbd89410dbacdb9e72133120f762bc4521adf2

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
f93989803d9b7b145186eafad0821122

SHA1
2f51c6457d97d5b9d5049880945e5de478d8f3d1

SHA256
cdf85e33013c48fd27b594a6e6c63d4effc571e0a73c1899f13b6e421ce120b5

SHA512
9e3a7fc0af1a48ede3dc49439c3fa0577aacfb9ce3a490460d02c6f6346ac2683a25cc4062a2b356bee4aa8c317a201b5c127dfc7f3b7a1e89b8b6a8bca39d1b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
343455aec59469fe839d0422fb559f36

SHA1
2f445cc1d1ac4e65a7396eaf75f84d447eaf880e

SHA256
4396094beaceba81ccdca1db9c4c6e06f6cad6ff580d4cbcfeb935cc41843fb9

SHA512
8688ead0b203bb375d41c712078cf1b752c54ea3897bcc7636dcdee3d7eeb21782d440977529c0faba25cc8736007be18b515a50579413723d22afb97fd67da4

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
b1281c26a7de0a2e7924f0013cf69d12

SHA1
c0d2f93f768b8252a5ecc421e7e4bf44ca0201ac

SHA256
f7c287386822d02b776c9ec0dc2f845e4a26674020f73fec0e3396d2babaa47b

SHA512
05ae059c9fbc51424c9e7d2044dd1216642fbd2c6f7bddbcec948746332130b6f6117a827e6bfab6efddd448bc3aae0e4ab9c6002f93ffad78afd893082960ea

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
dd7a044bb22136e85285d21163fdef66

SHA1
1fcea0d904998de1bdea9cfa654a50c20b3dcc5b

SHA256
b918a44d48859b4ed705a9a7a23d4a816a368aa2161ad495a7a6d1c6992b61a0

SHA512
67afbad0468b8d5b405186c63a0960f5fcda15b2ab73767c292863e221265758001b2e110a3296f5d2ba1463863d556a535850a65a107344ade40a79c33bf358

Download Submit
\??\pipe\crashpad_2136_ZPJOJUATSEIOFWQI
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/224-30-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/224-27-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/224-39-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/224-766-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/940-51-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/940-45-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/940-338-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1260-356-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1260-771-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1352-353-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1376-0-0x0000000002090000-0x00000000020F0000-memory.dmp

Filesize
384KB

Download
memory/1376-22-0x0000000002090000-0x00000000020F0000-memory.dmp

Filesize
384KB

Download
memory/1376-10-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1376-25-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1376-6-0x0000000002090000-0x00000000020F0000-memory.dmp

Filesize
384KB

Download
memory/1468-340-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1468-452-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1468-71-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1468-65-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1948-343-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2200-342-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2480-347-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2480-584-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3104-352-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3436-346-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3588-348-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3836-76-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3836-55-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3836-74-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3836-61-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4072-350-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4324-100-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4324-88-0x00000000016D0000-0x0000000001730000-memory.dmp

Filesize
384KB

Download
memory/4356-19-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4356-568-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4356-20-0x0000000001FE0000-0x0000000002040000-memory.dmp

Filesize
384KB

Download
memory/4356-11-0x0000000001FE0000-0x0000000002040000-memory.dmp

Filesize
384KB

Download
memory/4424-354-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4468-591-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4468-539-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4552-770-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4552-355-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4644-351-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4848-349-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4956-211-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5032-341-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5112-344-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5116-769-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5116-339-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5116-78-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5116-84-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5328-540-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5328-772-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5584-557-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5584-579-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5660-773-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5660-569-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download