35f1e1ed2a1e1f3c7f1299a2638cf1b29f3994c3e23af204276507b405402ef6

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 18:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
Size

5.5MB
MD5

d8440771bf7006c4f3df035b114f31b6
SHA1

87cbd57469e03f6921cd4f3c53d62c3ce5609388
SHA256

35f1e1ed2a1e1f3c7f1299a2638cf1b29f3994c3e23af204276507b405402ef6
SHA512

ec6bf5528ecd7d59a00f0832fa20ec58a382210e9cd99d4cccd0759b60a27e5b2de5d4ce40ac8bf748782306fc0d78960699d728f43b90a478e086b8c10f6485
SSDEEP

49152:EEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGf/:iAI5pAdVJn9tbnR1VgBVmY1Ms

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
3068	alg.exe
668	DiagnosticsHub.StandardCollector.Service.exe
2544	fxssvc.exe
2804	elevation_service.exe
4896	elevation_service.exe
3536	maintenanceservice.exe
4836	msdtc.exe
392	OSE.EXE
3696	PerceptionSimulationService.exe
4944	perfhost.exe
1228	locator.exe
5080	SensorDataService.exe
2628	snmptrap.exe
3996	spectrum.exe
1004	ssh-agent.exe
4268	TieringEngineService.exe
1528	AgentService.exe
5192	vds.exe
5308	vssvc.exe
5420	wbengine.exe
5516	WmiApSrv.exe
5764	SearchIndexer.exe
5156	chrmstp.exe
3364	chrmstp.exe
5912	chrmstp.exe
3728	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exealg.exe2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c0bbdd138beeeac9.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_93484\java.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_93484\javaws.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe

Drops file in Windows directory 2 IoCs

Processes:

2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exefxssvc.exeSearchFilterHost.exechrome.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001ef8896905aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cd661b6a05aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e094876905aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133610477171940191"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000018a3f76905aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000d69fc6905aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000016804a7005aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004ba6707005aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

2768 chrome.exe
2768 chrome.exe
3900 chrome.exe
3900 chrome.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

648
648
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

2768 chrome.exe
2768 chrome.exe
2768 chrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

pid	process
2768	chrome.exe
2768	chrome.exe
3900	chrome.exe
3900	chrome.exe

pid	process
648
648

pid	process
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exefxssvc.exechrome.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2576	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
Token: SeTakeOwnershipPrivilege	1016	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
Token: SeAuditPrivilege	2544	fxssvc.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeRestorePrivilege	4268	TieringEngineService.exe
Token: SeManageVolumePrivilege	4268	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1528	AgentService.exe
Token: SeBackupPrivilege	5308	vssvc.exe
Token: SeRestorePrivilege	5308	vssvc.exe
Token: SeAuditPrivilege	5308	vssvc.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeBackupPrivilege	5420	wbengine.exe
Token: SeRestorePrivilege	5420	wbengine.exe
Token: SeSecurityPrivilege	5420	wbengine.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: 33	5764	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5764	SearchIndexer.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

2768 chrome.exe
2768 chrome.exe
2768 chrome.exe
5912 chrmstp.exe

pid	process
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
5912	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exechrome.exe

description	pid	process	target process
PID 2576 wrote to memory of 1016	2576	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
PID 2576 wrote to memory of 1016	2576	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
PID 2576 wrote to memory of 2768	2576	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe	chrome.exe
PID 2576 wrote to memory of 2768	2576	2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe	chrome.exe
PID 2768 wrote to memory of 4756	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 4756	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1816	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1816	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1816	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1816	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1816	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1816	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1816	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1816	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1816	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1816	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1816	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1816	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1816	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1816	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1816	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1816	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1816	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1816	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1816	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1816	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1816	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1816	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1816	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1816	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1816	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1816	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1816	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1816	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1816	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1816	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1816	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 3780	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 3780	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 2620	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 2620	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 2620	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 2620	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 2620	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 2620	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 2620	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 2620	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 2620	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 2620	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 2620	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 2620	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 2620	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 2620	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 2620	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 2620	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 2620	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 2620	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 2620	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 2620	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 2620	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 2620	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 2620	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 2620	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 2620	2768	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2576

C:\Users\Admin\AppData\Local\Temp\2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_d8440771bf7006c4f3df035b114f31b6_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb5501ab58,0x7ffb5501ab68,0x7ffb5501ab78
3⤵
PID:4756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1988,i,12213565089701231388,14958062758382392909,131072 /prefetch:2
3⤵
PID:1816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1960 --field-trial-handle=1988,i,12213565089701231388,14958062758382392909,131072 /prefetch:8
3⤵
PID:3780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2220 --field-trial-handle=1988,i,12213565089701231388,14958062758382392909,131072 /prefetch:8
3⤵
PID:2620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3080 --field-trial-handle=1988,i,12213565089701231388,14958062758382392909,131072 /prefetch:1
3⤵
PID:4632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3088 --field-trial-handle=1988,i,12213565089701231388,14958062758382392909,131072 /prefetch:1
3⤵
PID:4640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4368 --field-trial-handle=1988,i,12213565089701231388,14958062758382392909,131072 /prefetch:1
3⤵
PID:1664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3960 --field-trial-handle=1988,i,12213565089701231388,14958062758382392909,131072 /prefetch:8
3⤵
PID:4912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4536 --field-trial-handle=1988,i,12213565089701231388,14958062758382392909,131072 /prefetch:8
3⤵
PID:2884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4284 --field-trial-handle=1988,i,12213565089701231388,14958062758382392909,131072 /prefetch:8
3⤵
PID:6116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4776 --field-trial-handle=1988,i,12213565089701231388,14958062758382392909,131072 /prefetch:8
3⤵
PID:5804

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:5156

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x14044ae48,0x14044ae58,0x14044ae68
4⤵
- Executes dropped EXE
PID:3364

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5912

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
5⤵
- Executes dropped EXE
PID:3728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4632 --field-trial-handle=1988,i,12213565089701231388,14958062758382392909,131072 /prefetch:8
3⤵
PID:5932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2372 --field-trial-handle=1988,i,12213565089701231388,14958062758382392909,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3900

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3068

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:668

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2940

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2544

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2804

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4896

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3536

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4836

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:392

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3696

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4944

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1228

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5080

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2628

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3996

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2060

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4268

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5192

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5308

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5420

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5516

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5764

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5736

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:5132

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
f35f60cb2014a1b91f816cd31caccd79

SHA1
60708faf26143b09cfb83ef14c25abb2f60345f8

SHA256
35b8a17d03edea75ffded20cb458eefd9bb35408b002f02ccfa1d72bea6e2460

SHA512
f854700f58829835a55c254ffd15aede6b208c16c58f65506e88b91a924d27d54141529eb793998bf4f545ec0559e64c805dce5c0d0172bc1ba6966b38610a67

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
122aea62a612bf3c0105a7f692929129

SHA1
d3f346702f037ea60a51a9cc2d230ec4313a3f07

SHA256
c64c37c19b1f478a8f50e79d5f9f138c1fd6a8d87e34931ddf62d5d3eb671052

SHA512
609cde1881843902516c330b86e607800ab1e417eac6ddf44c12f76ea5e69baf17c16067fc0775c2095c2747e4cbeebbadf23994477cafb2e9a356d0ef45ea4e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
0594497e80bcbb20eedbe3ef1848bd2d

SHA1
8bde8084e12a6e1c2a958c81a299448fce7cce13

SHA256
5491a8b768b9b96ec165e2d89131a66ffbf780c592d19c4a62973f8d365de1a2

SHA512
479a1a1a4291374c3dc41eb8fe9c43ed2b66bf90cd94776c3ea05eab8684af46fa45e87517a89ea4eed766e1ffb8df76c484b0f468711867321d2bfd8f078c80

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
d299e62054425b9f2eb67d5e2537c5e4

SHA1
90464ec4d485e73e757056d52dd0d6878d041206

SHA256
bf8e08f562b9a749bc69bcb3520bc9af8da129502693624bbd4671e3ff94f13a

SHA512
8e19661532b6ee26f5ebdaff7491af32b138c1ece625494683277155e38eba3540a8d2652775ac7098e2876da4c37801f8426ea5cd6b0b44d2096f2ea276e54e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
ccfd65a497d60ea81eaa1cfffa61ed9c

SHA1
1cdc21c2eda9b42958bf93855df0f5a2ba6cf2cb

SHA256
67f69ecaa79a37c0f5f225511511bd317a336ee14f9ba105db13ee9b19d15c48

SHA512
71160abcd4ced8c4c19dae38634b50319297a967333a442f236090830b13b63f1409fb225b082e2e634278b974e8178875f3afa95a22252d00f2cbbeb2b82dbc

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\5b6cfdee-321f-4235-855f-8f75ee3220a1.tmp
Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
90b8e3c077c7289cf4b7078243e26f76

SHA1
c8e3387c59c20fcff770b846e972a52f7f93591c

SHA256
001c51870a28710313d50d9037f261881517a384d3e502d9112b04ea2e8538a1

SHA512
4461003ce00d03608509d7ab645b933ec95c398623a1d8c6440c8a5b069d32e73aff391a1d3954511dfca7da698c0820970017b66629e3647800e5cc3920f1cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
d22f4ac3fb1a478d4b0c66644c6344c9

SHA1
902709565b8ab57b552fa63c965e4ee590f5775b

SHA256
7ca215cff66110b5fc258ae163d8b5813f6e3a60d5e179928026045bf3c07d9e

SHA512
216d3f24402fa5b7ddb50afffd12ab7896c901c4fdbaaa1cf2a789feadee8a794da77a80c4e67e3e693b3dd97286c59ea59a0dbd068d2ba34b642ca8f9d47d5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
354B

MD5
7ebd46b53cd5e3704b962c22422638a3

SHA1
b9f656f71745730fdc86d950805eec9eba456e33

SHA256
419c93655efccd07cf024607e4f354c8f9b15bbbaba529f1321a0715aabb53c0

SHA512
95864da6617c753b8016bc9865366284edfeade7054030617efa42434e6f2e8f9dae601db0b2ca6f5b223287e538a3424f8f067c2496d846af090be2ed7a1450

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
37849c220aa2da2867198c4fa540b465

SHA1
c5161d952b5770ee0f51b10f3ecbac8567ef0dfe

SHA256
3d91d80aeb2d5b643ebe6d9fc75aca4ca6e4722e3961bd28cf12f89fd00b62b2

SHA512
a1a268d04df272cd833ba310e4f05744924e6688b9ef732144fbf08fc7a523b48ac4b0598101f62afc6c999886e50458c4af7f467a8e8d297f217f13c8c332d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe575a93.TMP
Filesize
2KB

MD5
2439032641f0c53dcd64320bfa02af0a

SHA1
a1820031d22a713be8ff0a020783b7bc72860ae1

SHA256
13f018fd7e8d456a16ab52c9430b449ed2f126386dc10abb8d01ff752f92db72

SHA512
d9e02ab626313b138f721b369d987f45e68682f6cf2d76138195cedc75cea2237cf36677173a82672bf54ae9fe480b54f42c76af18e8e4c6cad76da85bc178d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
9bcc34b93fdcf82d7efdeecf4ea87950

SHA1
1994ac70ffd74abaa2e9d75f5cee4f9204f99c84

SHA256
ad8f245c93eedd0f8ec2ef3eaec2f2b788d8f7a37550af2d706e1fb1e59328e9

SHA512
e310370a7d0b60b6e1758ce791be07d948d70413c1fa5e3f0cfaf97a9fc0427edf561c29cf3e34fa40825b6fbc24808e289bd997124fe0c2d261ec2d208f2c1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
260KB

MD5
b33cc5e196e87856089c2f3cdfec1546

SHA1
7780f01d0eb5b8b256a5cce30131e4a37d6b4e5a

SHA256
16567bdecb06a88debde156cc2d6e06b0da8b9c6271dfd05324c32b3aca6a1a6

SHA512
6f09333a6bba02a021ea9ef5d41f3c56fe1c48e12d28c8c03cf0077c8c05fc2d04724ecc040aee12dc91517a7adfbc009518ef7ef594a2d0d628f4d9dc71b60f

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
7KB

MD5
6216f214b95cd97a88f0db6ea562fcb5

SHA1
de269548db51f612046a82e2ee0ff500269b2cad

SHA256
f2924ad4fc905d7d21a4e83f48d1e851f812f6cf8a98e2370186bb0954bc58af

SHA512
515f1370e83db7138f08bdc1c1c9d1283ac80ff524235dcc6c1353a0736acbd80de83eefd4d8bc109005f3674fe13f6d72827c16a8c00eeada89a3a2a53d68e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
8KB

MD5
22bff3f0dd3a7fd5bb535096299dc662

SHA1
d84b4c5524c9efb114fe2d3a5c1e791045b9114e

SHA256
1df781ce708a81c188ef340af23c97baaaac738ffb1504a00b2150bcb27fa103

SHA512
f3eac1fadb58f054c83430d9ea45f1a88f5689e5986def86a6f44571ce7d8fff182fa410b95af58282afa6582f66cc885cde60ed23b0e163b3ca610cad30e41b

Download Submit
C:\Users\Admin\AppData\Roaming\c0bbdd138beeeac9.bin
Filesize
12KB

MD5
de3c75b319e6aad69e94439509157301

SHA1
5f9c1d16e5b9c489963c33da98d9edabf375fca9

SHA256
5ff71bccc8d79ffeac4c7b74a64a79ca3df5cec41aa53f89ea60e156d761ec0d

SHA512
2e13a7525a7d4131f22f40bf6861ee2e8859d93757c210340d0290f62bea176f4739b5ab0b71637ee76ca23ee640d7c86dddc9a834f75f830efe9b724042de6f

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
528ad6360fce0758b5d12e5741cfab82

SHA1
2fecb6c890df27df6850f8ef0456fd595baf26f7

SHA256
52a4d03f1b233ffd4e96f7196cf9b49979b89feae06917d90db401c31a64c332

SHA512
e22949e943daa1539a2c8e037becd1a9b444a0c1c37eb97f576854607af9b1d07861fcffc7956adf2080473ff6354af10beccf33ca4124fafbd1c9dac6aaf80b

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
daf8795b9fba33fbd1c08a2d6613df94

SHA1
c5d52f73d48c9eefdda72f275250422d10a2f2cf

SHA256
cb822f842b5dfa87dde51a0a43cc1144f118cae181acd3384ba6a0f27e9e2417

SHA512
d27d930d4c5b5dc84750fae07960be57f5ebf343267698da694cf2284c49709376e5995b2655b809c235127e9cd3f9400028acd5c75b3d37a7810653fd4d2b06

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
dba88e175445f701cd260e7c4cc599d1

SHA1
0f6016b10cb72f4ff768c33279fea1e8a42e4a21

SHA256
53f7d6072cb7df2bfbea0c0812e0e371b5877a8803b6af129f05d476b7f17a84

SHA512
1bc881bbf6585b699d5f92b93a28ca3b9ea2ecac985846f262d79bbe8d87f11ecc21094e92933b22022b548adbde743ffd571f7e9df4b1a5743e158bf34cf593

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
2dae5a5a75d4530b3cdb57180b6e45d8

SHA1
6cc1fcab4cbc29517a92778ce24efdd6f24fe1e3

SHA256
1334213b94d73234116c5213fa5dd4636c13f2e6e63a3f6ef5a0ddc2d92c8be7

SHA512
fcc50fff4781263787ddad06d4ea7f9342ab5acf1001424069432bf6d0a976672611f4bbc0d4829f174930a10db3c3e3a6a6f84e1b524970e67718fb6e4df4eb

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
1ed298fb716b95ff61141fe3a321900e

SHA1
d43170860e6992f91bb99878088bab5225e6d9d8

SHA256
fb746dd58b26077c69e4049ff18e56146a7ff3302005092b19a4b37b5d903ed7

SHA512
9cd8ee4e305e3fc87070a30d4fe107ca1970deb29eae2a81f3fe4a75a5b5ec1f401c0b4454fad7e6b511c108a1e3fe5fe4af4fb00fd2fda0374773ea9553e776

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
a15ac9642b2955ad905b4d019d4fb010

SHA1
dc19d8c2bf0bb8482446dfbbaecf713fe6d4877c

SHA256
562748090e40be99d5f877c7f06b4a235d340cd187c05ca213021baafa6f9b4c

SHA512
656950d7ce33a27037c841e48fa8d476b00005be2198139d3f52d01d37259d7a49a562aca493a4d0d7a3cea776fe1a6bd4249f4939720708d222caf90c182f52

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
b4ec4717a64f9e706456d02d31b97518

SHA1
6571a6688254ea9ddeca831048241262dba2e85e

SHA256
1fe0d4a88161527523351674bf280c3fa4a47a5182de1754564ebe610caaa841

SHA512
640b31526fe8128cb48e36b916e138aea453cd5640b33ba132ffd800eda0b7182c36a7b23e9b63a5f05b92c5bdc285fd42d604ab9d4dcbaa3a8d4b52907248dc

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
08bf5c66ebf986ed677228adbcf0c387

SHA1
883c27f7057fc950eb5c49743665e274d54c9ec3

SHA256
badc4b16f86540b159ad9602abfd202cf5d79301632047a8b341cda8d045cc45

SHA512
ec818ce23d649e99aff933140c9a6b8a9ab0b2827db0931287f45233970552d36f1348ed3c8deb5478c06e5f784fe6d8c70910409bc2efbc3d6d3e5878791c8a

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
eaf9665e767bb3f9f329aa263d139a1f

SHA1
a04955d880ecf52d699b375294992039597dd444

SHA256
99364582e0140c377dd5ace99e188146de00d25d935abd295c687caa0203c6ef

SHA512
3ae501a739e718f15f3ad6d0f6bd52cd9c28087867b6e22518890ece16a24bc19fa7229fc471778259b7f8780104f3fd649d852fb9507d1fb27092c049ccb516

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
17cea8f7f8005ade52ecaaf11d8ed740

SHA1
5216a6b953a041d28e184358bd7c55ab848a27ab

SHA256
394b72566d25fc12317b764189f216d95afa740a0d2e793b1537213c6497a94b

SHA512
d87985f5821dd34d7efdd85327653fdca62712567e58f7ee6e8bd4a585d6eafec4454c3199a177a0d204768bc96b14f6cd861910716d5d9f0ae2d336218cf8e1

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
775568f3bc1486f4ec8924223e5b8e46

SHA1
4c971cac5f21e7de9a1f8a7be0fbcfce46fb8390

SHA256
c66fa70cec6f763eb5c18d1fca527a22e9f128b59f74e4d6e0b68876c0ce7e70

SHA512
935c51142068b561aa3c96e5a89bf5c81db780eb6735f26d6b3918042abc6cd044688d1ccb6f5df8e46b6b1c16f34e2304d0e7ad766353bb86fb28b1fec24625

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
c83df106f1376b908cc130270230e546

SHA1
cb4a3647fa764269aaf2d63b3942fa9013e91eb1

SHA256
39394a31473ff8d4f6bb6a587e70d529e97bdb6652d32c11f73879703c09d9dd

SHA512
18de16ddec871cea78b2abc5bc05de53f2a7fdadb31b4e4ff71b229522a26ddef97107e6da1dc01ddad0bb1f9078f7848cee36dfa208da6f24eb99c0f85809f1

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
28ed9123c29f8cc1b4d6aa3016ea3931

SHA1
e4acca90ca926855139fd5ad35e4865366dfb09b

SHA256
2d1c12ed0543672e3d4179afb4e10ad80c8e054479c0200a3566e3418695a0f1

SHA512
b899f4143014395fee3d2f1d8fcee4b0a4146c9d2b8fc80aea87ba7d0e21aadaa3933d3dc5c97f1918115ecbf6d1d3e455d71c56c8fe5b4650d353b474ebceb8

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
33c4c2419afbb52087e0467701100b01

SHA1
1350da88b3c99b640e745de31074ab29e38998e2

SHA256
990dd2e656366b6e44948c0491a716aca996bcb817f138056f6a7ad306516216

SHA512
361bdf55d4c2e8fa9cef74736f338e92921dd2f4626819ca9877921044e3d1ba85345fec30b14f9fbfc07b4d447707e2b7a340d729121f41a361c553fde9bed7

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
294af1112e90bb99c8d7c375de941e21

SHA1
ad62e5c104fcb919ee998a2d74cd7145198f74b8

SHA256
efde4cb7bbd1954fbe1201ec12bbc862c2246e9a2442338f56e9d15e00019977

SHA512
9279a9ac1271650ac06f7630c590dfc169915ce819782db325e967af564225c62260c542856e5a0e794fbe584d04c5c6c9e1204965ab301b1e7e31dd6fc48204

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
d407521b16c18b11b624368a9a44a841

SHA1
66e071caadfd01b495a86199b47327e19121171e

SHA256
6f54ad204fbbed323d9346ea67ee776c29d08895d1669aba6863147a52f318d0

SHA512
88a2665657994db05deee1bee6ce90c64adb82178a0b212b745cdca0dfecdb136a9d7f864fd9f4b56cddaae022fac9226b8aaf9b612773573e4045a14e939193

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
d88c7cfa238b81bcb0e751df7fd4f87d

SHA1
ac362c6952ab90a21701922abdae2ab1945c7d7c

SHA256
b692de702e2a87470abf7fe90004c59d2d649f6b87c7e76ffa228fe278ec662d

SHA512
9673766a2355b86da1c4d8b9e3b920840ab70fad4116ffe10d9d61ea6d2d1f17a1e1fd37c00a00e8b9cbde0b39b8a5a2aea920c8e3b8908ba861f6f31bdfdf23

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
820d59bda6df73be5bb2c02829ad4348

SHA1
dc8ee5ed9bee295e02edd84a7fc16d11c2b33b4d

SHA256
6b9f3072e073a22af23c667fc812709fd72fad6d672401f084ded7a6a2b2ea72

SHA512
934cfeda9c1c5e086b5d1266c3c81fb9f36e7586f695e0f8fded220d696e2f2996cd199531508b4ae7eec972cccf4ca2379d3251d85a64b17e4a3c52fad9b768

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
0a8c17e97526f751a8aa475e8c8b7983

SHA1
2cb070d16a547e867aca22af457f13c44c17d0e2

SHA256
81519c37e7b764606c063607c2fdc287f28845aed7cce899222c4f714f16f860

SHA512
40a71708d63ea949f7132ef01340b3202eb349119623aa849b0e103e4b7ddbea543ba7ebe98b255eb58e26ac050c09a1dde89327f31deaa77f483dcf16136593

Download Submit
\??\pipe\crashpad_2768_VBRVRNTNKZOYQZGU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/392-145-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/392-284-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/668-54-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/668-53-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/668-45-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1004-542-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1004-235-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1016-18-0x0000000002010000-0x0000000002070000-memory.dmp

Filesize
384KB

Download
memory/1016-159-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1016-21-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1016-12-0x0000000002010000-0x0000000002070000-memory.dmp

Filesize
384KB

Download
memory/1228-198-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1528-262-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1528-258-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2544-80-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/2544-82-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2544-63-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/2544-57-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/2544-66-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2576-9-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/2576-36-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2576-24-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/2576-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2576-0-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/2628-210-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2628-515-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2804-76-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/2804-69-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2804-149-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2804-70-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/3068-27-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3068-23-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3068-37-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3068-166-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3364-533-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3364-719-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3536-95-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3536-116-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3536-110-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3696-160-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3696-288-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3728-720-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3728-564-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3996-530-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3996-221-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4268-555-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4268-247-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4836-264-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4836-124-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4896-238-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4896-84-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4896-91-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4896-85-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4944-167-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4944-308-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5080-656-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5080-200-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5080-321-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5156-529-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5156-606-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5192-265-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5192-657-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5308-663-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5308-285-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5420-297-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5420-668-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5516-669-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5516-309-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5764-670-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5764-322-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5912-543-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5912-595-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download