31f472731dbfaacb7dcc089e269b8bf45b04795f6ee16b78ab68560e62594469

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
Size

5.5MB
MD5

02ae4ca8533471644d14f14f7c4e0aa2
SHA1

9fdc1ce04bfd37554219bd5ac021ac9336669f37
SHA256

31f472731dbfaacb7dcc089e269b8bf45b04795f6ee16b78ab68560e62594469
SHA512

59342d656f49c4007ef1794990f7e0eae2eedb3c5ce4d87dd57da5defb74ef5957f20cd0eef98357e2ed96f1998d11f51ab212a38456d626dc62a30b7f351f80
SSDEEP

49152:vEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1bn9tJEUxDG0BYYrLA50IHLGf4:LAI5pAdV9n9tbnR1VgBVmeQWdO

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
2848	alg.exe
4456	DiagnosticsHub.StandardCollector.Service.exe
2940	fxssvc.exe
2184	elevation_service.exe
4188	elevation_service.exe
3644	maintenanceservice.exe
712	msdtc.exe
2444	OSE.EXE
4372	PerceptionSimulationService.exe
3716	perfhost.exe
944	locator.exe
388	SensorDataService.exe
1620	snmptrap.exe
1984	spectrum.exe
1152	ssh-agent.exe
4400	TieringEngineService.exe
4316	AgentService.exe
2940	vds.exe
3408	vssvc.exe
2800	wbengine.exe
3492	WmiApSrv.exe
5132	SearchIndexer.exe
5508	chrmstp.exe
5632	chrmstp.exe
5764	chrmstp.exe
5880	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exeDiagnosticsHub.StandardCollector.Service.exe2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b7ad7d75293b476c.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{878BCDD2-1ABC-4948-8DA1-C8645DF0F833}\chrome_installer.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe

Drops file in Windows directory 2 IoCs

Processes:

2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchIndexer.exeSearchProtocolHost.exeSearchFilterHost.exefxssvc.exechrome.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c12ca3839babda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e27d73839babda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bfce43839babda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cb2cc2839babda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002fce62839babda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001aa6297d9babda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d3b91d7d9babda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

5112 chrome.exe
5112 chrome.exe
4832 chrome.exe
4832 chrome.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

664
664
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

5112 chrome.exe
5112 chrome.exe
5112 chrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

pid	process
5112	chrome.exe
5112	chrome.exe
4832	chrome.exe
4832	chrome.exe

pid	process
664
664

pid	process
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exefxssvc.exechrome.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4384	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
Token: SeTakeOwnershipPrivilege	4600	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
Token: SeAuditPrivilege	2940	fxssvc.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeRestorePrivilege	4400	TieringEngineService.exe
Token: SeManageVolumePrivilege	4400	TieringEngineService.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeAssignPrimaryTokenPrivilege	4316	AgentService.exe
Token: SeBackupPrivilege	3408	vssvc.exe
Token: SeRestorePrivilege	3408	vssvc.exe
Token: SeAuditPrivilege	3408	vssvc.exe
Token: SeBackupPrivilege	2800	wbengine.exe
Token: SeRestorePrivilege	2800	wbengine.exe
Token: SeSecurityPrivilege	2800	wbengine.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: 33	5132	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5132	SearchIndexer.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

5112 chrome.exe
5112 chrome.exe
5112 chrome.exe
5764 chrmstp.exe

pid	process
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5764	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exechrome.exe

description	pid	process	target process
PID 4384 wrote to memory of 4600	4384	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
PID 4384 wrote to memory of 4600	4384	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
PID 4384 wrote to memory of 5112	4384	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe	chrome.exe
PID 4384 wrote to memory of 5112	4384	2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe	chrome.exe
PID 5112 wrote to memory of 3432	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 3432	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 4984	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 4984	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 4984	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 4984	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 4984	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 4984	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 4984	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 4984	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 4984	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 4984	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 4984	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 4984	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 4984	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 4984	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 4984	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 4984	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 4984	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 4984	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 4984	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 4984	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 4984	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 4984	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 4984	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 4984	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 4984	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 4984	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 4984	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 4984	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 4984	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 4984	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 4984	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 1872	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 1872	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 4432	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 4432	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 4432	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 4432	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 4432	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 4432	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 4432	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 4432	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 4432	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 4432	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 4432	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 4432	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 4432	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 4432	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 4432	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 4432	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 4432	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 4432	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 4432	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 4432	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 4432	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 4432	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 4432	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 4432	5112	chrome.exe	chrome.exe
PID 5112 wrote to memory of 4432	5112	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4384
- C:\Users\Admin\AppData\Local\Temp\2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-05-21_02ae4ca8533471644d14f14f7c4e0aa2_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:4600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:5112
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffc9c6ab58,0x7fffc9c6ab68,0x7fffc9c6ab78
    3⤵
    PID:3432
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1604 --field-trial-handle=1884,i,11348479520511727915,11119112043117879237,131072 /prefetch:2
    3⤵
    PID:4984
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 --field-trial-handle=1884,i,11348479520511727915,11119112043117879237,131072 /prefetch:8
    3⤵
    PID:1872
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2032 --field-trial-handle=1884,i,11348479520511727915,11119112043117879237,131072 /prefetch:8
    3⤵
    PID:4432
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2952 --field-trial-handle=1884,i,11348479520511727915,11119112043117879237,131072 /prefetch:1
    3⤵
    PID:3700
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2964 --field-trial-handle=1884,i,11348479520511727915,11119112043117879237,131072 /prefetch:1
    3⤵
    PID:4480
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3784 --field-trial-handle=1884,i,11348479520511727915,11119112043117879237,131072 /prefetch:1
    3⤵
    PID:3212
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4416 --field-trial-handle=1884,i,11348479520511727915,11119112043117879237,131072 /prefetch:8
    3⤵
    PID:2296
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4556 --field-trial-handle=1884,i,11348479520511727915,11119112043117879237,131072 /prefetch:8
    3⤵
    PID:1044
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4772 --field-trial-handle=1884,i,11348479520511727915,11119112043117879237,131072 /prefetch:8
    3⤵
    PID:6024
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4540 --field-trial-handle=1884,i,11348479520511727915,11119112043117879237,131072 /prefetch:8
    3⤵
    PID:5364
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5508
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x294,0x298,0x28c,0x29c,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5632
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5764
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x26c,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5880
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 --field-trial-handle=1884,i,11348479520511727915,11119112043117879237,131072 /prefetch:8
    3⤵
    PID:5412
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2388 --field-trial-handle=1884,i,11348479520511727915,11119112043117879237,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4832

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2848

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4456

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5004

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2940

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2184

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4188

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3644

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:712

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2444

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4372

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3716

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:944

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:388

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1620

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1984

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1152

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4496

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4400

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4316

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2940

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3408

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2800

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3492

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5132
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1912
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:5520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
18ebd85e56d3409c1b38bcb0d6e944b8

SHA1
3c84fc5f4816d7f7b0adde1106bf5648222a68ea

SHA256
d1287d74a8588055c3931461ddafcdf01f55f3df312a02d9c25d5ad2bf02c285

SHA512
f0ae24da0ee872c42a73340736582106eb68a0a29178324411fe0efb88e831ef723a9f56d1a3bdcf8463a962b07a3b7baf037549c37e592e1db99b80126e211d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
a71e0cad9829f48236bdebc699530786

SHA1
38c1454b768e454d32c3e05254c7c2f85ebbc686

SHA256
aaedcec83d3dac97187525b09bcf70900392a0d4cbffd32a621139cb11cf72a9

SHA512
140e63f0e08f20585c48fc0d2961982e6a9b74f63ebc3b4faa993fd9ecb266318a00ce7e49820ec99f7dbb6d8458ee6e01cf360ba9af442b4a3853e6791efcb7

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
019d556733a25c15d4fa74474227c2ef

SHA1
8ac6e54cf67cfd39cc00117aca2f5f3744925037

SHA256
b64f68f8bb00c6892130558016a9cda0ca9a48b6a682aaef226f0e14b9465bb7

SHA512
020cf71f67833cda7a6a7806ff548f2fd786ca3267e46202f6e89ccd88d03c91c964c4edd7b3581e15491d69e2f84ba15f77e7fc956b7925eefc7b6ff61190ab

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
e26b213a9593e981f1952a2959f4a62d

SHA1
511359909b907092440491b9ff95dcfc2ad45d06

SHA256
568960cbf22dfc237ae501a71acf3b7400e07b40a3c9cc548295f831677a59e3

SHA512
3799536d822402078cd9b8a6c28b2d9fc90d0feb9ae804e4b85af6b0ba7423d689dc6983d0f3f21490876bb60b4e99c930110b0bcce4ac525bc4f85bbda866b7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
e7677887bb2aecdafaa9e2280c630052

SHA1
afe1d31b736f5b473c3bc55cf40a477b631e1fbf

SHA256
82b1815b92d6e25ef09085cb3627b0c085f35a914043a6f31c21ce6f85efd221

SHA512
79a023d7dc4b8dec293cfaefaeec1d3f715e96098122e56b199c5f2ace5023dfdc7f3b05a2730cb404fcecfd63e78e0a71aed64d43fdc40b3d37f6cceaa6a10d

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\dd136dfa-474b-49de-8006-3acb1f69e27a.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
23e6ef5a90e33c22bae14f76f2684f3a

SHA1
77c72b67f257c2dde499789fd62a0dc0503f3f21

SHA256
62d7beeb501a1dcd8ce49a2f96b3346f4a7823c6f5c47dac0e6dc6e486801790

SHA512
23be0240146ba8d857fc8d37d77eb722066065877d1f698f0d3e185fcdae3daf9e1b2580a1db839c1356a45b599996d5acc83fda2af36840d3a8748684df5122

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\07a2c302-a2f3-4f49-972a-7e1ab6532720.tmp

Filesize
16KB

MD5
54ce0675dad7479c5f80dd2d64415392

SHA1
3d3d6c3d360bb98f1f16ec489510e39c596bda18

SHA256
b083a60841acf1b0dc1ea14e67182c9d0ac0a54da2e13cf340e4cb9df539d2b2

SHA512
2de39e481d61e5238388a23da68ca40908730b2586a2fe2de6658eb344883e96991d256ca34af9490471aa49ca5d6a010740dcfc767a49c7973a161a036a84a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
b89e468b95d0723706c6f2c566b59b8a

SHA1
17a647c93caaea65f47bb2201f613d19b8bcfefd

SHA256
aba0d8a2bd8bf982fee2f379a367bf1d12a101143a36e0f1fddb968c4e986b52

SHA512
225fcddba481aa0c7cc5fdd69af53ce30a02dbf95822b7f1539531cdfb9194d15b51af1636d218417719bb94a7215af81fc67753ab85fbf89d7e3f448d6c32cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
352B

MD5
a0747fa9cb89fe65cfd9ffddb1c9385a

SHA1
2630d19d221c9805deb596f4286ef92acebd4828

SHA256
b41ad1423317e338b3260106762c78fd9c24cb70dca4bdf1ff5756c7fa96f462

SHA512
caf7342bba073f758c266e5603f5352b22e001b8ae247a31fcf1d8e26e11a82312fc907a7e51c2f449781838f5c846006e87f4c19ce5fc189cbfe33a3c3f9870

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5786f3.TMP

Filesize
2KB

MD5
8441fa327ce1f6c12f371a1535e655be

SHA1
7ccca62179f1eb9a2d47c3886ad8ad4bf5b15071

SHA256
975c8308bab1dce91143c9ad18effdd216bc367fccb3195ec2d4fd50177d2158

SHA512
986088d4595dc5a9e166ecc0b439a878a24d512f236b2756e377050c0cc7423143d3aaa3033ba5163b28fe8551313ff985d6df2ab109117186e878ca4a98d0a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\ca75e888-4c9d-4c74-bc24-f41eb77cff49.tmp

Filesize
5KB

MD5
e4f78b67e9f328815de736418fd0cc26

SHA1
215a36d777568b1720780fe81dc5e018fc2900e3

SHA256
51e052433d043911ecba68a6e9a1e6497afc4f65d3b4aa79f801095ee241fe79

SHA512
03d7963449299a6780ab234f25e17469ca36865658ff4fe10bc84c0f4150172fb19e2adf3c57e5c3dfdcf47dbe342745f468dccb546b822943a6b392cf10b927

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
259KB

MD5
2c6c311f31ef626df8436f50f284ac5f

SHA1
3c2f734629a3e0197b3c46780c105cce48a2921e

SHA256
6b142d0db0c9059710688ffbaecd1c446ac7048fc3d62ab95d582241a20bab6a

SHA512
61414556828a67bab4ab291c721ba2598a97a2ccae135b57cd3dfacf543d0ae228fa929800720dde5c6fac8a0be59344d49558a55c7711db6e327a1cabae305d

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
55482bf8dd2b4c1c458630c795483009

SHA1
8ede84a7777abbc4c01e89ba902f6739bae46bb9

SHA256
3c09cd9696f09eafca89f2dc2adfb18fc0d74064eed7a669998a6724ccff7b03

SHA512
50c44068a9c7c9c68eb3a9e960be63eed212cca0dec049df13b6b1e0f2d6ca76095d2184e11e07c6962c13b39248ce9fe14c56ed6b45b41bce96b901128ead42

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
874b0b1fc7f2d6f401b143a914cac9a7

SHA1
4c99e454830bb94e54386bf603388d3ec745863e

SHA256
a3d7d4b8112b5ce4b438cb91b55efc40c146a94a0e2a6addd92fa7668fb3388a

SHA512
cf5e5475d251c572bd7dc09fa37207ce0900b3042f8c78e1a51b6d3d0490b90b1cc5351f79c21d725581fcffe12e510f4ffa2f34d6ee867967f67146595d62ac

Download Submit
C:\Users\Admin\AppData\Roaming\b7ad7d75293b476c.bin

Filesize
12KB

MD5
3ccbb370076f64057f5c62e420646147

SHA1
1957232dcc292bfb37f520dc8bd4a8a2811426a8

SHA256
bf3126c73da54bcb2dc9c33a4ac7efe61cd62460feb1ac5650ac367f8c981521

SHA512
9106a300b1d5dd1e5e2f4082eeca8d3067b4f0302965c6434745d92bccf095d3aa1906ade6812432aa49209bf2b87960f06f25c26380599ff3d4a44fb03df7c6

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
5d98e6166c523d9bb7d28d914c6499bf

SHA1
68822b47c16a549e933129209da62c8368d9dc94

SHA256
b58518bea1fbde5fd97109350aa09ece64ad4f0e742d25290976ff3d66649ba7

SHA512
7a673f9e4f135a33103c94b7a90ca017acb62d0d1d2f1021c7ac43d766a258f0a77569ebb799aabc4cfc7d267439fba80becafbb67cba05c84e220dbf6f3d1ac

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
cd08d8722e347489d52cb1c29a6f1e32

SHA1
fcc4a7a93f05ca7627cef145a0c126fc33fe47ff

SHA256
e00ad15abfe858cbbbd3de6ef9814846225dd7dd9cc1c618d797b75f5c24f77c

SHA512
682378d4fd97da6bc9bc73631dc631b3df6830578689cb8bd17b8b029148a929fbca3fab1bf63f1cc79056f0063c496ae4ec56ced68a6cc6549bca2e1c874b6c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
7c808e07c44772753f9fa99e6cb169bc

SHA1
4b3766e40a9332e94f33da82d9cead6d6d37ea4c

SHA256
3316dd89b97a9c43168d0fd45823d4f2e27d73f4d9f96c74807b19b4c2153a75

SHA512
5eadf32efaf2a3438371303fcec2fde5cfaa15003a408e5a70569329006b49dc7c71c6d62d856bf83fd7d748c286e7b913799da8d7159dccaa9b0cbe29e9ca79

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b3c08936e6ed4bc7b3972707b7c1f73e

SHA1
c5f20902bbc27501a94089714e64f8cdda6988da

SHA256
5ed719c2f53648a797c6058048cd1e8593736c32dee1e2e6d2faedb5a69bacd3

SHA512
c0db68bef1956b5d6932b3e7b4340040a7aaa9cfe2180176e9c481ae589e4f862fa4e3019572ab576b889d3ebe5832e55c25c8b9581551848862aea5d65de359

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
f03c9e7357aa9343cdfc9d4b9c284e12

SHA1
ad68df0c17c27c196b51133e6def2375319055b2

SHA256
351f665d25eb51e9355282599211c618989ed1e16df93f84bbc8edcc3f11baa1

SHA512
fdfae12195dbff6599783b3c4139e9c7cfbd415fbc77983ff3b9a6b476d3a5481046a16938c94d1c628224262e3c381f812396381517f561d3e6ddc63cac2c75

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
3e15a1073712d5f5c32c9f2bca3ea073

SHA1
06a32881d5396befd3d16eb018c48990b08c2f30

SHA256
d787d7ae71f7ea6aedd7071cf317909871a2f1e675c292a0663089ed91101530

SHA512
65ff19f6eded8148c39152934e7533df926c26be48ae7406c2fa2dbfad66e933bf2e6501d74e915905cf671fe3378c6b5400863f782bf582ce1a3151f24c1bb0

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
b42f00c31c747e4e60d98b9268654312

SHA1
cacf0b9b7e779f2fc41f9b6e5020dcfe07c5b16e

SHA256
fdee6bfc820a015bfb50f40248be3cf06e02c5623d7202c5b485f4e0c1a10d9e

SHA512
2a11924996524cfe499e051327912d315b40cb7f1bc02118fbcb80efa726b1eaaf672970b68b22b82e9ba75c72bac82e15903d3598bdfb0d7757fd69776a2dea

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
cda76cb1fb5b56b150668094cb4196aa

SHA1
c2d81b777a74c1cba755d2d0885394e7f337173d

SHA256
e2112c90011c6462b1d072d911540f6522ae344caa5a77f68c07dfb304d8c900

SHA512
f176b3ad5c46149cdb75842e0d202d8212ecf21969693424c64469ff85a2fa868efd17a00a32a1b71e4a7e857e05f433bfaea7032f8bba738ad28f6d780ff8f7

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
339a08ee436b83d3397d9e9499714d6c

SHA1
a855aece2783cba2101e49ac9c4e6df338543fd3

SHA256
fa3ca6f021c559ca71757a88bd7fcabae4aec7d375dc0a549c42bb4513ea09d0

SHA512
a8f388e8eab628cfc116ff173d5d01db6149f316f6b94e5a95bf236aacfac00d7fb6db81fe5460312467e6167bef9f95acf9421b878984700c47d9c3a494b794

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a09782030e84bc4f54d2c6331ca2b735

SHA1
826110b374178e60a99c77a7c7815c97fb27fe10

SHA256
30a2337fd5c6c43d685aca9860b5f0571939104ec32f399653bca6f73613ee1d

SHA512
8c1ee33f5f05f6effac9e0b7e1abdc57b707dab61855196ff08675231babee93dde27f10e9432d4fdc3a8f09f9ebb239b9a13d6fbb2a617f788f5356c43639a4

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
2ce7e4ec0dc8aaa291f75ad108a2a551

SHA1
f01d34280d7eca0b58cc22e3b90d03f2e85fe4c4

SHA256
1faac027f2524a6122cc57ccb9a7bd1f839f534432df19b85f149a4d2137ff18

SHA512
04b82ce1f457eaef1616968b09019ddeb382e2f9a08e9c3bd56147dd89419f6bda5e13f5b2728aa2a534bfc3dd8c6792d0d4d31b636d7a75f21d219567f54d20

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f2f8f9a706e4325994119c337c376ccf

SHA1
6e0b44884adcdbb23d66534fb4ab554ea3ba32c1

SHA256
2fde0fd031b68096014e35540a5ebe623bd63766f07ce4d01fef03424d0f5dd5

SHA512
7971c1d593aae4c2d6cfada6b05105d64e6fd424fd9c5ae62ea9c4785299ad5c800a1d0b31bcf5a1f2a079190405d2114dc159110df0eb17ed556746c8b42e16

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
e51110301fb71ec2c294204f1c87ca76

SHA1
dcea65f1c2d6e960aa8800a975697823d37b4551

SHA256
4ad978f6de643a6044de471b659ee56aa9f7c47903cfdc43474a1bfd729b9204

SHA512
6843ab28e774cc7b6c98a1422b07497c13646a70b7b73937f12ecc51f1fa1338188acb97f2fb445699bdaf45579307dd75a4f519d39cfe6c2d7e8baca691cf55

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
c7fbb7ce866a48e307cbf31b17c2c6f7

SHA1
c124a4ef2f7ec703939b0fb95a4b75c089c356a0

SHA256
7fc4ec757aa33e0bfd65b71208fbb8dd1b3ab159e7726aea2cde266bbbb2b8c2

SHA512
404c60529c3e02bf9b6884f371d4307b880b27093f00b77b48906ee70625d996425e091224aae6eabb63a79c369e344b857dbfe33392587d3267ae8d19d2d461

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
e33127219de2391940d3f6337c5d28a7

SHA1
4be82196f366f973cf1731f93348497bc00a477b

SHA256
1d646ac8130215ab70efac11926ded0a190acccc7292e40fc9a4c7e1884542ed

SHA512
f3eb421258b1b5e473d4135a4a3f917106fee65ff41f43eb0838033d7119300517e5591bbc4678a74efc849eb22d4d7fefc662faa65ab18fe8d8840d5f528935

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
bb26c118e7a24e79b7b24d84975cd4aa

SHA1
666c981fdad106a6e2b4d8e213dc800a81f2c959

SHA256
275077d9bec60eb76c9a84183624af9493381ec8365a8f3c42f71afbf93c8257

SHA512
953bf0c1807c97958fe572f73b8de3f497a06cca1f6f980965852e1e121660909343a71f95b85a9fef08c23f2cdde25c4a68bd5e8089db885910a17ab0a27f09

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
e60e94d8bb50421ddb7a5dd3b5a3c291

SHA1
12bb5d62a51c5112a9152859860b096581c39552

SHA256
f090d245b95e0e65581d8c0a349aadfcf49f375beaff2b3c8f3ff34e9ca57bd5

SHA512
b8042f037ee82c5425d0e7f51f85544e0db6578594399d397f42c10a2029067f8869b02fd916bca979e4297bba740ced3a3aa8cf6aefac39890343c566534cad

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
0a46a8969491646335b7611ccb6af958

SHA1
852ad8b844f72a7c996c0822900eaccdd82850b6

SHA256
ef7733519b88562801fd0c98e985ca830339cabef142c08ce182f45b7a84c044

SHA512
97d90fdc634db39958d8b50956787a8eebd5a27a2c152bebc227c27a736384deab1092b57fb531f8e5eb24a843a46e6a3e39a458da518827676c0f2f043d3b37

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
440112092893b01f78caecd30d754c2c

SHA1
f91512acaa9b371b541b1d6cd789dff5f6501dd3

SHA256
fdf37f8111f0fabb5be766202a1a0b5a294818c4c448af0fec9003242123e3e6

SHA512
194c7b90414a57eb8f5ba0fc504e585ab26b2830ed0aae29cf126d5a6c4888d508c22984aeedec651c8644fb1f874fa558b2090488516b33165fe7985d2815ea

Download Submit
\??\pipe\crashpad_5112_DQQPEYNALPNEPQEZ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/388-155-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/388-517-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/712-102-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/944-154-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1152-185-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1620-161-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1984-544-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1984-184-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2184-160-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2184-56-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2184-50-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2184-59-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2444-103-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2444-425-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2444-93-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/2444-99-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/2800-256-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2848-23-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2848-183-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2940-254-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2940-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2940-58-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3408-255-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3492-257-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/3492-581-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/3644-80-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3644-74-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3644-87-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3644-82-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3644-86-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3716-456-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3716-142-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4188-69-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4188-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4188-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4188-253-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4316-196-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4316-194-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4372-106-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/4372-443-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4372-114-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4384-24-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4384-9-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4384-0-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4384-31-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4384-6-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4400-190-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4456-43-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4456-42-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4456-189-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/4456-41-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/4456-35-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4600-20-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4600-141-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4600-11-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4600-19-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/5132-582-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5132-258-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5508-411-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5508-488-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5632-429-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5632-583-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5764-477-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5764-454-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5880-465-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5880-584-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download