d7a8a6c4ee7953612e54be09443f994bd813cca2e4094a5ef575e297f0ef24b5

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 18:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
Size

5.5MB
MD5

d8698a3641d2e29717682d4ac4092dac
SHA1

6e47a761e101cfa1a33469d7bd65b5c0e969ae24
SHA256

d7a8a6c4ee7953612e54be09443f994bd813cca2e4094a5ef575e297f0ef24b5
SHA512

09da39c2772a02e07d8f113823d583b2b6460aa36b41c53c04902ab72357537b0de2d83596ec35f77f2ab97ec385ac4e456e4d23299da7502e6d21e36299639d
SSDEEP

49152:gEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfR:uAI5pAdVJn9tbnR1VgBVmllI7K2mF9

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
1704	alg.exe
4052	DiagnosticsHub.StandardCollector.Service.exe
5076	fxssvc.exe
4396	elevation_service.exe
4528	elevation_service.exe
3288	maintenanceservice.exe
3608	msdtc.exe
1536	OSE.EXE
4640	PerceptionSimulationService.exe
3984	perfhost.exe
3672	locator.exe
4032	SensorDataService.exe
1172	snmptrap.exe
1104	spectrum.exe
5096	ssh-agent.exe
4836	TieringEngineService.exe
2796	AgentService.exe
452	vds.exe
552	vssvc.exe
3252	wbengine.exe
5196	WmiApSrv.exe
5280	SearchIndexer.exe
5956	chrmstp.exe
6000	chrmstp.exe
5312	chrmstp.exe
1732	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b76d8cfbb4b1389a.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99718\javaws.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe

Drops file in Windows directory 2 IoCs

Processes:

2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exefxssvc.exeSearchFilterHost.exeSearchIndexer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000757c428805aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000007a4a38605aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000fb7978605aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000915ade8705aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000609d1f8705aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ca7b9c8605aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

820 chrome.exe
820 chrome.exe
6252 chrome.exe
6252 chrome.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

664
664
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

820 chrome.exe
820 chrome.exe
820 chrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

pid	process
820	chrome.exe
820	chrome.exe
6252	chrome.exe
6252	chrome.exe

pid	process
664
664

pid	process
820	chrome.exe
820	chrome.exe
820	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exefxssvc.exechrome.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4976	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
Token: SeTakeOwnershipPrivilege	5052	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
Token: SeAuditPrivilege	5076	fxssvc.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeRestorePrivilege	4836	TieringEngineService.exe
Token: SeManageVolumePrivilege	4836	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2796	AgentService.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeBackupPrivilege	552	vssvc.exe
Token: SeRestorePrivilege	552	vssvc.exe
Token: SeAuditPrivilege	552	vssvc.exe
Token: SeBackupPrivilege	3252	wbengine.exe
Token: SeRestorePrivilege	3252	wbengine.exe
Token: SeSecurityPrivilege	3252	wbengine.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: 33	5280	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5280	SearchIndexer.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

820 chrome.exe
820 chrome.exe
820 chrome.exe
5312 chrmstp.exe

pid	process
820	chrome.exe
820	chrome.exe
820	chrome.exe
5312	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exechrome.exe

description	pid	process	target process
PID 4976 wrote to memory of 5052	4976	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
PID 4976 wrote to memory of 5052	4976	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
PID 4976 wrote to memory of 820	4976	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe	chrome.exe
PID 4976 wrote to memory of 820	4976	2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe	chrome.exe
PID 820 wrote to memory of 1724	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 1724	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 3564	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 3564	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 3564	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 3564	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 3564	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 3564	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 3564	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 3564	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 3564	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 3564	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 3564	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 3564	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 3564	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 3564	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 3564	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 3564	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 3564	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 3564	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 3564	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 3564	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 3564	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 3564	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 3564	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 3564	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 3564	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 3564	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 3564	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 3564	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 3564	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 3564	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 3564	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 3444	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 3444	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 4452	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 4452	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 4452	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 4452	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 4452	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 4452	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 4452	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 4452	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 4452	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 4452	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 4452	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 4452	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 4452	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 4452	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 4452	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 4452	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 4452	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 4452	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 4452	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 4452	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 4452	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 4452	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 4452	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 4452	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 4452	820	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4976

C:\Users\Admin\AppData\Local\Temp\2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_d8698a3641d2e29717682d4ac4092dac_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc2745ab58,0x7ffc2745ab68,0x7ffc2745ab78
3⤵
PID:1724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1640 --field-trial-handle=1940,i,4728384598424072094,18435972744801248777,131072 /prefetch:2
3⤵
PID:3564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1940,i,4728384598424072094,18435972744801248777,131072 /prefetch:8
3⤵
PID:3444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2164 --field-trial-handle=1940,i,4728384598424072094,18435972744801248777,131072 /prefetch:8
3⤵
PID:4452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2688 --field-trial-handle=1940,i,4728384598424072094,18435972744801248777,131072 /prefetch:1
3⤵
PID:3908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2696 --field-trial-handle=1940,i,4728384598424072094,18435972744801248777,131072 /prefetch:1
3⤵
PID:4400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4284 --field-trial-handle=1940,i,4728384598424072094,18435972744801248777,131072 /prefetch:1
3⤵
PID:628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4416 --field-trial-handle=1940,i,4728384598424072094,18435972744801248777,131072 /prefetch:8
3⤵
PID:4680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4608 --field-trial-handle=1940,i,4728384598424072094,18435972744801248777,131072 /prefetch:8
3⤵
PID:1764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4696 --field-trial-handle=1940,i,4728384598424072094,18435972744801248777,131072 /prefetch:8
3⤵
PID:5768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4568 --field-trial-handle=1940,i,4728384598424072094,18435972744801248777,131072 /prefetch:8
3⤵
PID:5644

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:5956

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x26c,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
4⤵
- Executes dropped EXE
PID:6000

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5312

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
5⤵
- Executes dropped EXE
PID:1732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4936 --field-trial-handle=1940,i,4728384598424072094,18435972744801248777,131072 /prefetch:8
3⤵
PID:6084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2380 --field-trial-handle=1940,i,4728384598424072094,18435972744801248777,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:6252

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1704

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4052

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4588

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5076

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4396

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4528

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3288

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3608

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1536

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4640

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3984

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3672

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4032

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1172

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1104

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5096

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2696

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4836

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2796

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:452

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:552

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3252

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5196

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5280

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5604

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:5876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
b2b9ca1bf69fb2f31507553ac0d3f99a

SHA1
8d71474d860607399f66997eaf9678af15f733c2

SHA256
dfcfec1e51e5ad7bd9053d2e737734999bdb26bf63067cdeaa5886d224f73921

SHA512
ffe5da40c781a0109cdf6fb7bc967df93d869626615213c0409df621aa6a0fa3c76fd08c922aabbfac745ec96b0c9916ffc18be282bc8a5d4546d250152a4d47

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
d1d1f27b3fb1251a73f3ad6f1c455e42

SHA1
cb083fc98ad5fa3473ffff105a88b13023e8cbb3

SHA256
b3f63c011cc173ce118e35bc6b34ac23fa788847c09b0941a113b800dcd24437

SHA512
3957adad87a5d9b4990620b09285f49ea37b2be05a80a76606825503504b8b9f331045a3ab37708a7276724c7a85bf969c8a0c0ad59c94d1b4c1bca7fe92fe2a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
c278e8ce64aa9d1b9907b4fa481749a7

SHA1
14ba5f47ae45b1921847bba290de7796fc759b87

SHA256
287aa496cb1f5e5b7949833f4a8a35d5ca2b3f74aadd6910223fe8ca6cbcf360

SHA512
5c8128d4813fd26d3f0d31e4eed168ed2af94e0312e4b632081e6f20102659f76e0afa070b6d9bc6215454b0a3af333b52f356bd4a3f0e59ff3795af29e1b8b1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
4f027eb92e70852920fa1cccd229e809

SHA1
9753d8d5837395a3610dc6039885da1246324b6f

SHA256
a96af2ad26a37ebc7151417fca295bb20d9f15e58fbb0245e5dc218984b657b9

SHA512
f44cc359a7fc563d4878b23dbdc925e553bc1264d04980b8a8de6e9ab33fb7c1147ed8aeb6f316b2e45523c367b7e653e50574eba8978cc2d22adee051dfc2a8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
5fa43b26968d3cf9a0ab1f3f0d3a6efa

SHA1
22a388910f3a28c0ac4485bf5fc1ec17f281c365

SHA256
dca077fb0a1a1c8e6913c83cddbd7bab51f56a7f64310606554e169947dc8063

SHA512
4656c0d0c665f63f29d957729ddf5b3f2e7362cf4f90fe66b33fea8a0f89378153331e2b37af8f2da6279ddc6a3beb5f27a66629cc99d7834c3c85ad628f78c8

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\a7af8392-f795-4c13-ac57-b611f3b055d4.tmp
Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
2cd879c3b1b25f881f4b7ab71b67a095

SHA1
e8c477526bb5bdddd659fdd44606060d83e703ad

SHA256
d15ec0b42a1305238584533da0ddd5ec2959a76896cabc74599185af8af9e92a

SHA512
95c25065ecb23b375e233d554beb9c5fb61d877f6b5586155d5b5931d270cedfd4508a8fde3dfee5073af2215b256d7cffde9f77923d41909d4168d9bc61123a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
22dafa8582baa04ef13a22fe1ee84af5

SHA1
ce815e96ebd27b0dc8fad3d7deb899c8e99c9707

SHA256
ebb2893eb23e3dd6d44bec5c41b7ba2e4b0701b2e8aff7c2ad925ff6dca88f06

SHA512
d718b841a7612a443b6759c69cdf69be92b17cbc2642f93dbf65299b9fadb0a7018304b8d285780341dc652021fd000d582ce75c22f0468e09cf6db37b350fdf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
da78a5b9a432360e241b510150f98296

SHA1
607fad2ded13f17dd0005c3cb0849b0e4cc3fea9

SHA256
fcb5ce21d975f12e911b41f59ce9cde3aff02acbad65f4a43d966feb8ecbc6e1

SHA512
f18c98fb4b88cba48d67a080ab5e8844b3ee8334374bf1051b3b358a08d726dbf79318546b987211421901ae7d50fc4305c1d4a80db89f830810209a9de6547e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
27d572252dcbb0de5225ba3535d61cbc

SHA1
a8e744394e76322c73bd6b34c7bd003344e3dbe4

SHA256
e254db73b458c765f51a9e880b0cf9b5f1acdb7cfaafebf871ba1fdfadbe557e

SHA512
33f06dd50d0e6ea4403966e52a67e8ef78c6d1572c8b6e6742677386989ac81065cb322f17ffc6e6c5727f7c3dc8506adff70ee875be792174b9d9428f68583d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe577678.TMP
Filesize
2KB

MD5
1f497c78bb1cefe5fae1f2d3e5c467dc

SHA1
12ec3f79d43fc239252d3812f8f0c2edc492bc51

SHA256
e7fedf1f3f9f65c94434b56a0a6b0be4a9773cb80c1fe09b6391adaec9849dbc

SHA512
f7ce6b59abe22c099ba4ded438dae24ad228fad07f742fe053c580f2c052a91d5af99bc7616681f0f377f8b5bbbe7ae2defab99203bd1af816724a1e63b62e92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
ed99f321f13dbdfd27bdc7d746a084c8

SHA1
a378b49bb36ccae9c0029904c3c429dc18dd9004

SHA256
65eead5968802fe39d0010920fc4fa15ff90776cb065880c46cf4f4c11f92950

SHA512
a66188507ab1757d5ca60ca7e0a0075258fb72c1abf9f54f756d8504e754255584cf9d41ee3d95e583965f4f29fef3faabad5bee19996606c081e7188ea3b644

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
260KB

MD5
413086397bceba883cf3f78f69769623

SHA1
3a41184bf595295c95020a2a444c3a304f5f8d5c

SHA256
0c2b2d3d77e87fca6b7c1bb151fc84f7add1039a65fb044ad07c9d160ad37183

SHA512
b882b64bf924e904ec76f63ea10b79e0f6f36948561c2a5843af75962bded11cfeeed671a5f33e43f7e847cce9d5e92a6296d09506adc16723d0666c3c805712

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
7KB

MD5
56ff205ee0110234e89cb31d10b73b49

SHA1
b556f038ee1e44614d030cb20a4d9afe59e7c4c4

SHA256
17246e765612aa158c0add93fd20db54bf152141bb98b07fbabaffa8c956550c

SHA512
4aa1f1ffa87065a4e2b040e7bdf327cb3aa543e03e2ecd5b76126986371dd5253cdf3331c92ec9bdd4de58f6d88296ec0ca40801e8a37689ae6b1bc1bad39bc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
8KB

MD5
cf1a152bb250b6d18c726f276f5434e7

SHA1
f54ace793918e1094788fcb61d9fc9f94559e244

SHA256
93a6ac5bad96717f9d1f3852599b9801d6d27b85209895fa23cc0206c09bf2e1

SHA512
be4bf2e5eda05a65f0a1ffb1dbc16d56b992a0c806d36acdf1dfb73846fad939d0b54fd8604a7f697807975998cebfebdf1d2ada000dcda17d3e428706e4ba9a

Download Submit
C:\Users\Admin\AppData\Roaming\b76d8cfbb4b1389a.bin
Filesize
12KB

MD5
9c91db4806214fb3c9bf4ab9d4f8284f

SHA1
82e5e19843c227a6d720d77c2859bff1dbb2b0c8

SHA256
1be4778bf7e22b9fd1bad99bfb0e44c3427d0f46a77bf80b7f95bfdd3e21c155

SHA512
93c7c1969103cdc9fd18578ab079e6df15ff46344f4c6fc726f687e57c4db98b575d0a8c00fef6bbda9edb1545897de998611d2c5625a03528c81da3af528692

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
36577cfa482762cc41064852e6e92030

SHA1
83f66cafdaa20e0f49f1b6d46bea13e4f1525e2b

SHA256
4d559f813f19c700cee37a9ecfb46d9623fb560a5e2a8e3c948d93a24bada158

SHA512
218bdb7d1debec9e44929ff2eb8e39c9cf2726e4753a6dc23cd780143d7d5071b771b58715deaea831713873a175bee43845dc6e9a8d071dd5ef6030523fac52

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
ead329c188cc157f3f5257fbd74f2728

SHA1
f1430dcfcf7cc43e60a82c8dca101bc1f7cc6a55

SHA256
179806a0a4922bb0f4c667db69c39392faf55393d17b6974e89d1181976265db

SHA512
0deef7e1c04662fee3fbd54e2e751b86abe7c08738ce7e198a47b22870f13afb0e1f7ea2ef7e486b37ba5701bebfe5ddc24c6cf1de92e01d9a82adc49f2c7d7e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
a8d5e2892541e6471633146377bd08f7

SHA1
e63d6b99656cc20eba253f8489947e068261fa8a

SHA256
fae4f429320168961b8b2021da0b024e7b2eb1db0e91da541dad8969ff426547

SHA512
ac3c08b6794635c1725bed79509a4f3a70786fd496a62c36c2ae71c46b72fdc3a863202ccebd38941040ea941f174d30879bc95548c753639949318bdcc027b4

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
1483219dc44870afe14bd542daef9c1d

SHA1
f71a7e851b05c2b6844f064b5e503309e0ad80e2

SHA256
3f6148d770aa76f8e9546e4033e50372b48ce7b44984f4f95c4216755967ca83

SHA512
d6da00cb711db538d16da039349c176916c25b89804d2d0a8d31add9e4b49589bb850af5c6f0a0b937e9f4bf689b3f6370fb7955307b20dacb5a7b8e79470e4a

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
d3b33f836fa13ffd93be246c3b34789f

SHA1
791342603f2ec6760e0b74e4f6c4ead2d4088324

SHA256
b4769c25affdb2a8c0c3ddd1c8e78af57e5ad19e9b393f255ddc2cc939cc0149

SHA512
35894481ae0721327a881dccb21e7c6df629005462ee969a07396bf9a6f357981ed16e784de1d8c3af94259e9af8a1de15c29c00448156e20a38a31a8d402687

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
0c9ad9f5ecacac9b6489750a59ff772a

SHA1
74692adc545f83a7e05a19db8224e68cd1fcf990

SHA256
4afdf7642224966563d81164e99d158352b165065a3fa0f9f8f7e273991762ab

SHA512
29bc82f91687320e51474dfc79704bad69341a938c10edc3e672031b9c1de05bfca8d7ae5468b26d88b944331519cccb0976b3de26a69dde955c795de1528665

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
9773c51d9e68e90415121b7bddc1c4ec

SHA1
6be1802d5de259fa66ed7b932f7df4b103e5be96

SHA256
88a11e293019cd08dbb910221cb7f0c2827b6cf74702b092ede10b9247bb4fff

SHA512
f5981e517c14a0d8e0ba31acf6f20a76183ab3b038f1569f41c322b13a62eab3a1c098a11901055c22138495354c196757b1808bfb8130199e3958113c810506

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
9e80ad9a44e340c7b4a6caf10c8b9855

SHA1
df95f76ab7639e47912c1f9460b8bf42a9373b4a

SHA256
429978f6670230b1998da628129acd76092c5c7fc5063b238e0d8627bcf21d29

SHA512
9ec82988e2aa6370a226a43482bfd6196712bcdc99e08919a5f23b9168e1e95ebf7379146d6e90dff07bc649b6022b650864ed9e16c8a863e30de4e0f584f0dd

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
d7b8ef1aa7a1a816ec7edcf7619dac7a

SHA1
61a802f8286dfe64636ce0b2a4e33ad3908efd72

SHA256
720872c1d1e5a029c63f58335691c830a49cf059aae14d861e8a34ffc34adcd4

SHA512
d1463617b5090399bdc0c01db8cc53c1cc444ac020bf11cbd3a84528f9466bff570f75e958d177aca0a8c580b48db843880a90222d2e2dee2692d3f698a0b750

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
e81a3af065463cdcf317906182a40032

SHA1
05369fafe9e0cada4ae135a7af9cfaaf691a046b

SHA256
33ab49a737613c516a96a446d4a8c135d967d9ca3718a8f7ba6819f8ca716679

SHA512
4561fcb6f2d04bddb362bad16d6ba1bb5cabd65742cff5555389de17092f8e53b3a9d0ef801b30df700166ba0cb7a03b621870bf2c6645320eaa463642b7ab62

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
5c383f3d7c702efaa5ab195b08ac2375

SHA1
92041dc3964c3fe5297d1093e597e493601e2659

SHA256
d287b4614c34b56d6879075730769e963a28d2dd5783cfd01c337c03345674ab

SHA512
ac6dd4eb91453a805f3172bf98cbc900d76eed501fd7ac937ac6f7ab76824fe2ffcc97a54ec7f69bccdbce175b2f1a7b3953e7940836494a845499b1146a3667

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
814a42544d4cc92408afa049eb3ac7e9

SHA1
fafeb9e03365e7baba429185da572259ac6e2098

SHA256
f46109c88859474d8e47a6841b7893d63a4aa9143acdba8b28823ee3bd3be447

SHA512
8f8b795bfe5dee5c2943f3fec5a3c8da752b7825651cc04a2906f44b90d2e9ccccf125a21b212676f95be4f2210e6eafa8af81546d43a33cedfc5753ce27696c

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
90ab6ee93a0385b60485bcf5ce2b1842

SHA1
310191f79503a3a084670a5f64e772f43bf7677f

SHA256
b2786b8bfde32c73594f3712b36b92802e8d305cac09924246244edbf4f2ee7a

SHA512
5e33725bf66dcbf0f2e58d44d13534092c4efaf9182a19fc93ad9411ed55367f1a7b744478ce76387b70839c952be9d6876396bf3236f7ad652d2b1348d8cbc6

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
a48fba17428108cfbd008f6724d5fb1c

SHA1
9d63dabb556fd512a2022792304998170c2dd4d1

SHA256
061af70daf2b2a62bd78b1c0c730eb0cf184286eec04c0548f1f60c205324c34

SHA512
975a3cedfe2f0a3e929d69960c0ffe946fae95f7fb21bcdf450cd1d5f5796e9d3dddf9d3b7744dff8016a620563598cba099ae9310846959250d6eb5340f0dac

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
84b9b62ee24df8137a890f0d2ae5d0aa

SHA1
12f67d9c9e0fff280997bb9b515b58fc98a4b225

SHA256
1ea5907052961dab9313bb985af19bc8355d7aacb8787e5d5bb8d38f9de7d09c

SHA512
0a56e85c2c5a77044c484e529c6b995c5af5a784646cc8768b7d46ca37a30bb7918995e5836386774ca25123a4ed90b54a557cc89dea928fe9718d11e8dac579

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
9429f9d5442dcc054d10ad0495f0b513

SHA1
1df1e779011c3d3d062f8f7795594c1cedc49959

SHA256
31fc15ec64090031e0b127b37240a7ad1b8358f9027792bc7ce62c66d9e6340c

SHA512
f272f246efe04445ce2841c061f2086b8e275362723b32855bdb5bc3abc5386264e96cd3db7534fca11452475503e3e8820bc7de33584ea87744009ec784de7c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
334e4ade968f3bf20220be102de984f6

SHA1
b300fdbb4e9243339df9ae4da3525494817428da

SHA256
80cec697cd55bde4035050ad56d50dd824415f7ad37bffee53e147b42f14fab6

SHA512
0ab348d8026bce1fa637b84e54ca26bfc73b61d0b287cab8922661296bcc1de330528ef13eefec6cdae5d9b43588edbf471267b5e946d95766e44726918a830c

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
6a073ccce83d8903c8570e9213998e32

SHA1
1ca66431044fc85ed36e61951c3f8b7393eac2ce

SHA256
19fa5c39d380f93d4f8f100236fa531fc74feebad61ac549e3b60951cc289579

SHA512
fc0bad6e9bec64db618ff59643a2fe30ad2cac7a4149665f1aeaa6a60bb8750f2e784ebbc5fc5d74229e13ced25d82b429039c16018c1bd5309e1c12e7221829

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
b2c359ffd4bf582baf62f6e8adf87a6e

SHA1
8e9a26cf9202a00b2f38b9cf92a2cc0fa2e76b79

SHA256
ee8fad0e09119ff89b6f13fc18df351e81b41199adfc10acbfeccbbb88e02a9d

SHA512
1b1cddd7353d0e9300f1c661feda7f8d1a71e6d90279cb72c3adb51a7bce9c64e2fc87777926db50a8d41cc945445821d1b3cc1628f7446a7c03e64bcf8aff92

Download Submit
\??\pipe\crashpad_820_FCMXYTLYXFBPQOFM
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/452-634-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/452-267-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/552-278-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/552-635-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1104-222-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1104-572-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1172-200-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1172-561-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1536-149-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1536-317-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1704-37-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1704-28-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1704-36-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1704-199-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1732-822-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/1732-574-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2796-253-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3252-290-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3252-640-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3288-123-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3288-109-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3288-110-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/3608-147-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3672-184-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3672-524-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3984-166-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4032-197-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4032-538-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4032-627-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4052-43-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4052-53-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4052-54-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4396-75-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/4396-81-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/4396-70-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4396-126-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4528-107-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4528-103-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4528-97-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4528-277-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4640-165-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4836-628-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4836-252-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4976-6-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/4976-35-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4976-0-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/4976-26-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/4976-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/5052-11-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/5052-17-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/5052-183-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/5052-19-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/5076-58-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5076-59-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/5076-93-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/5076-66-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/5076-95-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5096-223-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5096-573-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5196-641-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5196-318-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5280-319-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5280-642-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5312-587-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5312-562-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5956-525-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5956-596-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6000-547-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6000-821-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download