ce04271867ddaa107a2dc99afb13d146879d28b093e8afdf162f3a75cca55d44

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 16:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
Size

5.5MB
MD5

d2eab9e5791ca50f1c6ff62caa056dc9
SHA1

bfbe3973ef78d3ad8a3cfc4a4e87b14472e07495
SHA256

ce04271867ddaa107a2dc99afb13d146879d28b093e8afdf162f3a75cca55d44
SHA512

dc0fd1abca31cec80daf126b13fc5e75d799b008b27783515ff28ecc01dd43a794c5d62e3ec382b280c1c92769cd789337bea10bf50292b8f6db7e9aa933ae33
SSDEEP

49152:0EFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfT:yAI5pAdVJn9tbnR1VgBVmWB2Yyjl

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
4688	alg.exe
756	DiagnosticsHub.StandardCollector.Service.exe
4716	fxssvc.exe
4724	elevation_service.exe
3256	elevation_service.exe
4824	maintenanceservice.exe
4644	msdtc.exe
116	OSE.EXE
3652	PerceptionSimulationService.exe
4708	perfhost.exe
936	locator.exe
1056	SensorDataService.exe
4892	snmptrap.exe
4116	spectrum.exe
844	ssh-agent.exe
2180	TieringEngineService.exe
3504	AgentService.exe
464	vds.exe
3996	vssvc.exe
2316	wbengine.exe
4128	WmiApSrv.exe
704	SearchIndexer.exe
6072	chrmstp.exe
4724	chrmstp.exe
5540	chrmstp.exe
628	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\26a0392ab4b1389a.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

maintenanceservice.exe2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe

description	ioc	process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{28C8484C-303E-4CB2-A704-E3FF47E10F7C}\chrome_installer.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99718\java.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99718\javaw.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe

Drops file in Windows directory 2 IoCs

Processes:

2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exeSearchIndexer.exechrome.exefxssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000868b2499f8adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000940b50a3f8adda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d0078ea3f8adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fe446aa3f8adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008460a599f8adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000074e267a3f8adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

1960 chrome.exe
1960 chrome.exe
5176 chrome.exe
5176 chrome.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

1960 chrome.exe
1960 chrome.exe
1960 chrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

pid	process
1960	chrome.exe
1960	chrome.exe
5176	chrome.exe
5176	chrome.exe

pid	process
656
656

pid	process
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exechrome.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4736	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
Token: SeTakeOwnershipPrivilege	3672	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
Token: SeAuditPrivilege	4716	fxssvc.exe
Token: SeRestorePrivilege	2180	TieringEngineService.exe
Token: SeManageVolumePrivilege	2180	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3504	AgentService.exe
Token: SeBackupPrivilege	3996	vssvc.exe
Token: SeRestorePrivilege	3996	vssvc.exe
Token: SeAuditPrivilege	3996	vssvc.exe
Token: SeBackupPrivilege	2316	wbengine.exe
Token: SeRestorePrivilege	2316	wbengine.exe
Token: SeSecurityPrivilege	2316	wbengine.exe
Token: 33	704	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	704	SearchIndexer.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

1960 chrome.exe
1960 chrome.exe
1960 chrome.exe
5540 chrmstp.exe

pid	process
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
5540	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exechrome.exe

description	pid	process	target process
PID 4736 wrote to memory of 3672	4736	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
PID 4736 wrote to memory of 3672	4736	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
PID 4736 wrote to memory of 1960	4736	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe	chrome.exe
PID 4736 wrote to memory of 1960	4736	2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe	chrome.exe
PID 1960 wrote to memory of 4668	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4668	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 1000	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 1000	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 1000	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 1000	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 1000	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 1000	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 1000	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 1000	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 1000	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 1000	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 1000	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 1000	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 1000	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 1000	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 1000	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 1000	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 1000	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 1000	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 1000	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 1000	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 1000	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 1000	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 1000	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 1000	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 1000	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 1000	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 1000	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 1000	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 1000	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 1000	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 1000	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2532	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2532	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2280	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2280	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2280	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2280	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2280	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2280	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2280	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2280	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2280	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2280	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2280	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2280	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2280	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2280	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2280	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2280	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2280	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2280	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2280	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2280	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2280	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2280	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2280	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2280	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2280	1960	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4736

C:\Users\Admin\AppData\Local\Temp\2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_d2eab9e5791ca50f1c6ff62caa056dc9_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9e577ab58,0x7ff9e577ab68,0x7ff9e577ab78
3⤵
PID:4668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1636 --field-trial-handle=1916,i,2566193530053023941,14120746864701338603,131072 /prefetch:2
3⤵
PID:1000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1916,i,2566193530053023941,14120746864701338603,131072 /prefetch:8
3⤵
PID:2532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2228 --field-trial-handle=1916,i,2566193530053023941,14120746864701338603,131072 /prefetch:8
3⤵
PID:2280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2904 --field-trial-handle=1916,i,2566193530053023941,14120746864701338603,131072 /prefetch:1
3⤵
PID:4436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3016 --field-trial-handle=1916,i,2566193530053023941,14120746864701338603,131072 /prefetch:1
3⤵
PID:4916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4244 --field-trial-handle=1916,i,2566193530053023941,14120746864701338603,131072 /prefetch:1
3⤵
PID:5212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4428 --field-trial-handle=1916,i,2566193530053023941,14120746864701338603,131072 /prefetch:8
3⤵
PID:5324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4580 --field-trial-handle=1916,i,2566193530053023941,14120746864701338603,131072 /prefetch:8
3⤵
PID:5336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4752 --field-trial-handle=1916,i,2566193530053023941,14120746864701338603,131072 /prefetch:8
3⤵
PID:5896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4780 --field-trial-handle=1916,i,2566193530053023941,14120746864701338603,131072 /prefetch:8
3⤵
PID:5940

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:6072

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x26c,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
4⤵
- Executes dropped EXE
PID:4724

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5540

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
5⤵
- Executes dropped EXE
PID:628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4888 --field-trial-handle=1916,i,2566193530053023941,14120746864701338603,131072 /prefetch:8
3⤵
PID:5316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1752 --field-trial-handle=1916,i,2566193530053023941,14120746864701338603,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5176

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4688

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:756

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2772

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4716

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4724

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3256

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4824

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4644

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:116

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3652

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4708

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:936

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1056

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4892

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4116

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3660

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3504

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:464

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3996

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2316

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4128

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:704

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5620

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:5772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
6314070173133632d21c161ab11286a2

SHA1
d3c497f083a52610c7bd6d5ab938af384a937818

SHA256
29f91660820473af86fac6e5b6e70f355ef5f76629789262c8cbabb4d0c908c8

SHA512
f81f783666dae507d0d49507d1a496334db864dd819de938adad04cd7dba83c0821bee69f4713179b1175bdbdb235d323c19864929adc5a4cc81ffd1b7ee9cb7

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
207936230444236c22f5b189dacd802c

SHA1
75a23f1be8c66dd6ba8fbe7dd55a4728d7c3d2e2

SHA256
9a8e4da00f380398779bd71223729044216b157bba65d6055a2f70f9fea3a851

SHA512
c5ba2d556891a0b806c51d848376e7ede0f8aeda3f13553a36705ca58653afb853e21c952d43e46a57151640ef338eb2b20aef97bdc9569a5800cb84da846234

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
54b1fa775121ada44668f1d71f389dda

SHA1
34271de9d6aa3e655d499f6b2341a0c54760320e

SHA256
b603ba7454933ddf94578c3301e06bb44d5b1f6e8c961e647d84beb66de9c20e

SHA512
3a2dad77536a3d0c3b0cb81e5437a92d41a4541ea9f6f76a30acfeb39b3f8f0979430831d4ceaeaec3cb0ac75271ab8615f3f46c1dfef71395e1b97e01480a72

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
683a36803f031b375133192f19783141

SHA1
d85c6ff4ad0042e0d07b04fe20486e425409b420

SHA256
71ba853bd8123501bbb1298c53a989e0bacc13531358dbba2114ae1fe3ebba22

SHA512
0ce472ca3290f985cab89004193f02586d973a9f59006442dc180cc8641b0ea92b26df2369b28ddce04224808cee61c21adaa4117f92b0e71e4f0109a1955eee

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
2aaf8312613f2028d5156e42da508b46

SHA1
8d9d2bfa9de7284556284c8681c5fb2d799a7a9f

SHA256
75d5428a459fd527d4609b12a94842cfd2b0c3f74b9d80926fc503612e37d5d0

SHA512
ff4cf875ba2484a43429aa5ee45ce227bf0216a1259b8ef56bf2c1aa5a82290c29190599b193a127c82ba6138396f64f7bb337fd8de25dccb6ad1876b496dbd8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
2cd879c3b1b25f881f4b7ab71b67a095

SHA1
e8c477526bb5bdddd659fdd44606060d83e703ad

SHA256
d15ec0b42a1305238584533da0ddd5ec2959a76896cabc74599185af8af9e92a

SHA512
95c25065ecb23b375e233d554beb9c5fb61d877f6b5586155d5b5931d270cedfd4508a8fde3dfee5073af2215b256d7cffde9f77923d41909d4168d9bc61123a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\01ed5d7c-2252-446f-8a04-c0ed5ef9b011.tmp
Filesize
16KB

MD5
70ecc32014f7d8f1fb901d70b7eac601

SHA1
3d5c005e5bbf30d8a456bc5fe4b8cdcab2f5c99d

SHA256
2782a09879ebbb6667f8361301d7034a55529a5ebd9567ddf1d5826029d40003

SHA512
563171353db0c9ca5acd6e1083dd60e0d0b4c18276c333387ff411ee81ad40360b34194c4802bb2ae2e46e14b34f6e629fd101151619707ab4ba001b86297085

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\90bec40e-a48b-4c74-8453-cbbf2801c89f.tmp
Filesize
5KB

MD5
a7721ef7dcc5609b9619c50a5409c7a3

SHA1
e570d5e9e30b96ffd72b62b17bc82e756e143da5

SHA256
d9d33ab92e764f5ea30d5975fca0e465f3e4642fd743a88b378ef660652f0f66

SHA512
0b5acc716f6dff72063819dd0948ccf1f63bb53bdcd6839c0d92bca6cd4be39e04fd8e6eb43db9fd157ace601231216136944f130972f6b198db211366a424bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
e42bf770d287412bee16cfcd6d4a7c5a

SHA1
24eab1b84b3bb6a43d254a831fe7ae6954578371

SHA256
0fc42d0499716935ef6b9ed24ec030a479d5ace8efd6b3aebaf4c5cfa87249d3

SHA512
f8efeb76df0d561f49947d29ece58924a405241f77f80768d68e904c9a1c1587e5d05ee80b9b636a6c39fdc91497263a0b05d288271bb817a3f6dd048fdda7e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
354B

MD5
004fbadd21f3b18cdc36290f1dc70009

SHA1
b2919558629177919048f81fc0b5ed81d899df77

SHA256
ed44d73a8509449697f0885af405ed9e07d91e81fb445cf13abbaff6f4827b0a

SHA512
c2dccbeede401fdecac903b7a9638ad3e74b7972f666bf99b928af593d7e06a0e00ec1f9b539d90b8a95ae1c5119e1bb97aa782da207b4facc4b14020139a04f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57754f.TMP
Filesize
2KB

MD5
1f497c78bb1cefe5fae1f2d3e5c467dc

SHA1
12ec3f79d43fc239252d3812f8f0c2edc492bc51

SHA256
e7fedf1f3f9f65c94434b56a0a6b0be4a9773cb80c1fe09b6391adaec9849dbc

SHA512
f7ce6b59abe22c099ba4ded438dae24ad228fad07f742fe053c580f2c052a91d5af99bc7616681f0f377f8b5bbbe7ae2defab99203bd1af816724a1e63b62e92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
260KB

MD5
ffae046f0cf5d3c11abe94a555606e3c

SHA1
1e98c358c6df938aaa3ac1d16fb20462d7018429

SHA256
9cf5e2597edca94dc9a31beae906ad504e25ce6e3b03d68632eb65587d36c870

SHA512
155335ed2e98de6cb217157db0b61646589d3af20a6e0c40e32b71fe2461fc35cbe4acc5bbdd3a6a5fc1b7699436486e2a4719ea6acd9602d4873fd27da690b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
7KB

MD5
7877b2de8532d2916315d9f1587b140e

SHA1
0af6efa8bbbe411f3ecf8732943f73ad0e4c80fe

SHA256
cbc0b71fa3df18074d7e0251f274682dad163b31d2d41b19c18ba56c8005667d

SHA512
2e4ca53959cbc2ee91d483e1fa6221f64c8d781655c554301bd6accd03d76c8b4955e6d3f1cb16bfa27465292c502da7638045122b2bb71bd7c763865ffe09be

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
8KB

MD5
33910ebbfdba81c87e93bb2a2224aa0a

SHA1
c9a578480b308cb9dc7d0a7133be5e2bb136f152

SHA256
f6598b7c5b5d10f0306aea2e23080a61cd7b5a03f7e22fea62c1d1ff623613fa

SHA512
1eb8ff3eca59be98ccde808b2336ed04b2844a109eb3c66f23a3205cff4df828210e17913f1a70c1e57cdb77d0e139b1db02b5aa13e109132eb6a2f08e92954f

Download Submit
C:\Users\Admin\AppData\Roaming\26a0392ab4b1389a.bin
Filesize
12KB

MD5
4c926aaeb6ebc1b58d9b770a3e9edaeb

SHA1
9a28c259c8d6b5f1f8b8cd6e1c1081ad66db9179

SHA256
e401b8fac088d4076d8a8b9b604a349a0a33ee2eed7314542f5f20a2a90faf55

SHA512
cf319b7d7f209daea8ef5ef3cfadd3dc6dea690c6a899d5feb99b8a61b93647043fb23d3b9db2ad4613382467b7326414d6ff0190dd5e754805e837458c68b26

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
f6c73951d9430d19efb17ee90101c190

SHA1
cfc44d3441a0193b76888dcbb1cb37fcfa905a1b

SHA256
0929a115e69545009055e0a32481101604b9adc31ef0907637ba26f518a6614b

SHA512
f0d095cf36c6a0ecb2459f725915658f4274f445eb68dcf05f1947b2987172714c81321970a10a93519fd4ce46f84f633ad785e4a3bcb3646ac2fa3931d702d9

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
27d3dc7ed3736043093445b2b932f294

SHA1
385bc2e3efd94b1d4c166de8fc15ba0e1dba022e

SHA256
a0c02152d58ca0fc245a8ac9d30250499b0e4974a5c7e262ec468787a30e7b32

SHA512
ed0dc89b1ee7bab0c83d84657232c8e2037adcb322f55456f8b3149108a3a1ce94fdcd2122cd647ac0afdde2101a5a03ed183b11a91ee6e6d486c369a1d2f62f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
32dde4ea7231c68a756ba25af8d5d904

SHA1
f20233e0ce90307184ab1c03b1794f24d125eecf

SHA256
df4a90243ce9b1bf4fe0c007cf9b0ecceb6060b38269f1ddd100138837b55347

SHA512
008d64d526a93c61e646f5918bb4676a4a3861df348823b789125e9278b9e7e2dddced219692f7ac97b6aacd717ad28b6de6886066629637175b91bb02aa5f07

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
fd0e6b42889214e10e6a0e9643fdfe88

SHA1
72041dce70042024789ceb97de1bcdca39042159

SHA256
4da84a3b03a680d317bbac584536c5a2c7167823983237fab3f7af36ce6f66d7

SHA512
ad2238f5fa302f363831c7032dd5cfa56b0d77a7b63a821a153f3ba52601945d52b5855df2e9079dc51c3bbd2293bd198890c052f754b7efd6036dc2680ea3f8

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
42b0b1382c5496e8706fc5a21fe38f99

SHA1
d4947d7357356cce3d76f543a72132e01b5b5018

SHA256
618c0c488491a2e8a3c60553e16ac4505baaf3c92f3f0a13068d3095ffb33ee8

SHA512
6aaacdba6ea44cf7484d1a2fa81c0806ed8f58101848455e919b1c43279213ce567c3f79c5480cea4fe71a4fad79eaf05f879374f9dd157f8437f4eafe0ea2fc

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
87410b4f730eeb7b1dab8a0cf1c8c093

SHA1
940b27f4dc1e99ba25fe9a4ebf26fcc4df7977b3

SHA256
b1d18628d79fa31db0117b548c50fbe6c4af4f834f83ab500d62c99a692fc992

SHA512
7223697198acd1c7ff20b13f730e612e530f661fe00bbb35009f29ff7b8703d0968a748d4c6f114ef385e5e1ceaeb1ef395fea6b98281aa33e237549f0f1731f

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
8d315f3925fd95ebaa51e2b0d09e975b

SHA1
479d24c7df71695a8cae06b77c4b1618101e5c15

SHA256
2ade9a2545908f8ff1dbe89ef74760320248ca80af446fbda7359d4da0f7866b

SHA512
f0ae7cf5deae66071a8ec7d288d8efe2238183d60fe8384648db61c5ccb7845b600510d6e223d6bed0722bdf9f92041136c0e93b935c02d40cc82be4acd66b85

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
c09658a6f1f46ae8f448ce832ad352cd

SHA1
89263efa05d87105854ee2bc3980da26d38a0b6c

SHA256
4d7fade54dbf1a7f642ce23396911fa8084a01b05493f2657ef2e15fe2a4d033

SHA512
e545639e3efaeecfa0ef70613d06c5cf3062f05f94b18b8e85bcc236905b36897eaa3876729394938d7de729532143128e1b86b73724f96b70e3c274bbb98c47

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
100b42f316847590b932e25241854810

SHA1
c7a6ca47bc9e528a8a391de19a25499f9c2f7bc1

SHA256
e55794a86e60ff9d6d0550312df8b544314ca988d4c4f8c6fe83219a2b3f6aa7

SHA512
fe0d3c22108401a21b87a3dbea377948366c4279e801fdb6bfd012a2482255a02b078cd7e07316a09f33e40c0659f44f96de8b10ddfdc36a8f84dc5bd2c6f78c

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
e43123b69b52f575cd6dd68fec07b340

SHA1
f4639246aeba7539007d528c0bde3e9ede6e0c56

SHA256
7026ad7d7d4b08d1916fe024bfcc064fc8353b23a0181046c21be7ad47ae3df6

SHA512
e4a4ee156de08138f3378ba784da79d922518d5e91ed9d224f6a551ec7be9d4f610c967d3a3bc8017d4bf04e461290f6497fb89a1bf9ad60a2a7f8bd751a799d

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
5c231c9f4e74b940cad79eca6847c6cc

SHA1
e9f039d1cf443a175ecafe619e6561f40f4f9725

SHA256
d891152047da8ee0eef74abfc81ba3020d5baa87aba0620279751f84a2084bc6

SHA512
f14374e5a5b26669e781a4803d44e6aeba804a85078f6c43a75e9bed81514bd6a21309de2f4bd41934569699f8ae56a71dc589b09572bff07eacdd6a508cb5e7

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
d394efbb67274197c8233df23f581628

SHA1
f718e4c538e454fa9d224cb6905dcfa22b39c519

SHA256
d06e7a6d53708e924883fccbefc8858c6934e2434d825d0ac097ebe34e975c51

SHA512
6467f8f2623f043be2e8061a674e9bd7a7d65ba33953d29211532b3b7ffd4a2bee6f732bd44ff730319236bdf7bef230a818eca99931be059bbddd89db637997

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
a0c0f9864fea95648b586e3b90040c15

SHA1
928de2fcfbab15b470e4116506fdb7bd52e29d89

SHA256
8d6a4ba9df24eb240f99f11bc44efed410603255c3f4a7550e4c226a290a3d10

SHA512
7856c6f43dd0a73ddebeed160caba131ea0f2869785ebd6b9a730e0c368ac8c4a7fb01cd0f2edac52b4a3a857168445c04801d5abb43b7579e00718d01c8815d

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
18464eb7b5cdc3bc11f302ee1d504628

SHA1
97f107e7012c20776896cbfc65a9954fa7d5c3fb

SHA256
f214603ecd951edeb051324274d88e48eb3c09fb8a67b9e1d4dbeb8537a4a528

SHA512
d6993e7e913b58eab832f21ab5ada26e832def20f4411fd1eca0f611b31936058f007513228f01b6e5ef8aff346a2944673963ada1d07ccb8c5a2d101ae98684

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
ee529633ad62b77a136bcae527520e46

SHA1
d53fd68412455210a553a3a9ab8683e082c08363

SHA256
47dbc96c8526a825437870ac8b62dfed6669fb221d1551b1d18de482a196c355

SHA512
ab38a73e4f0d736ef8114725920be1e73b5a7ad50304dddb4f05073e6be0a1b8f3342b0d2e93ec9c01b2f2b92eb2a0ca30bc27ac24fc2bf4da462fb2b502769f

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
c3f6677c6710ddea958b00190d7516fa

SHA1
794645f087fbbd3cc27e3d0ffbab5f433bc6de91

SHA256
8b3fac6924a0ee896510a1b76923d3c248e1dc06bc05ced4c07f2d1daba14276

SHA512
3b7f64b932241c5ab1b1388ed6e1ef2f3d07e3d52b23d906af54b844ccd1e49647fd490ef429a84ae3d28d7b3c2c4c0fcd1b82ef30f5c8d9ceae9ea70a5d6555

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
c9124f968b6f748ae21e436f5991108c

SHA1
41ddf59ae9f5c1a6512f0486a43c592e54fdb127

SHA256
850731e64fcdd598e25b076697913cc4edefca7538d74ba8de1bc5c3836051d2

SHA512
cbe4fe120907e34d286d0cb00e1c9e9c7a4f902c272f3d854204bff92b09da855faba1c80b6d99290adea1bf7fee6923dedc22f0ead3643ab118921c3e69c25c

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
ea25215a40c6ca21f80a6f0b0e01b291

SHA1
034807f5bf55aee9a9fee9506f6d72ebd4af0347

SHA256
130832beb69a463d04d788e5e3505bdd26e90e59af5035e28d357109c57ac098

SHA512
a2e2f074f91c84c66d50094a7d30d69871bff2582fd32ebe95e08fc8b9093f233ff10e3eb22db26843f74d0a7e07574c1b6a08b059b27103603e1b8d2eec5d76

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
b2c359ffd4bf582baf62f6e8adf87a6e

SHA1
8e9a26cf9202a00b2f38b9cf92a2cc0fa2e76b79

SHA256
ee8fad0e09119ff89b6f13fc18df351e81b41199adfc10acbfeccbbb88e02a9d

SHA512
1b1cddd7353d0e9300f1c661feda7f8d1a71e6d90279cb72c3adb51a7bce9c64e2fc87777926db50a8d41cc945445821d1b3cc1628f7446a7c03e64bcf8aff92

Download Submit
\??\pipe\crashpad_1960_HFOHVMUOSTSYQABV
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/116-226-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/464-236-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/464-658-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/628-728-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/628-571-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/704-329-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/704-660-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/756-50-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/756-44-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/756-52-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/844-233-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/936-229-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1056-595-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1056-230-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2180-235-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2316-327-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3256-82-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3256-647-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3256-76-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3256-88-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3504-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3652-227-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3672-515-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3672-17-0x0000000001F70000-0x0000000001FD0000-memory.dmp

Filesize
384KB

Download
memory/3672-19-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3672-11-0x0000000001F70000-0x0000000001FD0000-memory.dmp

Filesize
384KB

Download
memory/3996-326-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4116-657-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4116-232-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4128-328-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4128-659-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4644-225-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4688-38-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4688-39-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4688-548-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4688-29-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4708-228-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4716-63-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4716-98-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4716-61-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/4716-85-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/4724-72-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4724-87-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4724-455-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4724-66-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4724-727-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4724-543-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4736-0-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/4736-26-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4736-21-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/4736-9-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4736-6-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/4824-104-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4824-90-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4824-99-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4892-231-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5540-583-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5540-560-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6072-590-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6072-533-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download