57ecf4ed0b1c8cf158c2c9c2f04047d81bb3beb127de4ef821aa01fb67b17011

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 20:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
Size

5.5MB
MD5

daa09e25077a5975b17e51ebc96bd57a
SHA1

7e896bbc6ba20ca537d630aaddae64f45e9266a2
SHA256

57ecf4ed0b1c8cf158c2c9c2f04047d81bb3beb127de4ef821aa01fb67b17011
SHA512

edf27a7a502b74baf2e96e20171a6c09d4444d4fb7a31940d509b5fe6b557181792d6229495e6382cc2c1c6cc7b266dd80ac17d3eb3986a3f0791b10961e124f
SSDEEP

49152:QEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfT:+AI5pAdVJn9tbnR1VgBVmCUtq

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
1280	alg.exe
4188	DiagnosticsHub.StandardCollector.Service.exe
3224	fxssvc.exe
2092	elevation_service.exe
776	elevation_service.exe
4548	maintenanceservice.exe
2756	msdtc.exe
1188	OSE.EXE
2316	PerceptionSimulationService.exe
4000	perfhost.exe
2612	locator.exe
3512	SensorDataService.exe
368	snmptrap.exe
1096	spectrum.exe
636	ssh-agent.exe
1868	TieringEngineService.exe
4868	AgentService.exe
2312	vds.exe
1504	vssvc.exe
1872	wbengine.exe
3572	WmiApSrv.exe
4084	SearchIndexer.exe
5996	chrmstp.exe
6080	chrmstp.exe
640	chrmstp.exe
5808	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

alg.exe2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e5a03695b4b1389a.bin	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99718\javaws.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99718\java.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe

Drops file in Windows directory 2 IoCs

Processes:

2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exefxssvc.exechrome.exeSearchFilterHost.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008ac4d33418aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ed61d13418aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000091a5123418aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133610557748593529"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ef38e93418aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008f16853418aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000015ef7d3418aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000010ba063418aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

4836 chrome.exe
4836 chrome.exe
5552 chrome.exe
5552 chrome.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

4836 chrome.exe
4836 chrome.exe
4836 chrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

pid	process
4836	chrome.exe
4836	chrome.exe
5552	chrome.exe
5552	chrome.exe

pid	process
656
656

pid	process
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exechrome.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3244	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
Token: SeTakeOwnershipPrivilege	3416	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
Token: SeAuditPrivilege	3224	fxssvc.exe
Token: SeRestorePrivilege	1868	TieringEngineService.exe
Token: SeManageVolumePrivilege	1868	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4868	AgentService.exe
Token: SeBackupPrivilege	1504	vssvc.exe
Token: SeRestorePrivilege	1504	vssvc.exe
Token: SeAuditPrivilege	1504	vssvc.exe
Token: SeBackupPrivilege	1872	wbengine.exe
Token: SeRestorePrivilege	1872	wbengine.exe
Token: SeSecurityPrivilege	1872	wbengine.exe
Token: 33	4084	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

4836 chrome.exe
4836 chrome.exe
4836 chrome.exe
640 chrmstp.exe

pid	process
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
640	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exechrome.exe

description	pid	process	target process
PID 3244 wrote to memory of 3416	3244	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
PID 3244 wrote to memory of 3416	3244	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
PID 3244 wrote to memory of 4836	3244	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe	chrome.exe
PID 3244 wrote to memory of 4836	3244	2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe	chrome.exe
PID 4836 wrote to memory of 388	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 388	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 3288	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 3288	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 3288	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 3288	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 3288	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 3288	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 3288	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 3288	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 3288	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 3288	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 3288	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 3288	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 3288	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 3288	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 3288	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 3288	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 3288	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 3288	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 3288	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 3288	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 3288	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 3288	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 3288	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 3288	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 3288	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 3288	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 3288	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 3288	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 3288	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 3288	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 3288	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 3256	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 3256	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 4800	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 4800	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 4800	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 4800	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 4800	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 4800	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 4800	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 4800	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 4800	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 4800	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 4800	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 4800	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 4800	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 4800	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 4800	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 4800	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 4800	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 4800	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 4800	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 4800	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 4800	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 4800	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 4800	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 4800	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 4800	4836	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3244

C:\Users\Admin\AppData\Local\Temp\2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_daa09e25077a5975b17e51ebc96bd57a_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0x40,0x108,0x7ffa7447ab58,0x7ffa7447ab68,0x7ffa7447ab78
3⤵
PID:388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1912,i,3771880557755425492,10062571987976400018,131072 /prefetch:2
3⤵
PID:3288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1912,i,3771880557755425492,10062571987976400018,131072 /prefetch:8
3⤵
PID:3256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2064 --field-trial-handle=1912,i,3771880557755425492,10062571987976400018,131072 /prefetch:8
3⤵
PID:4800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3084 --field-trial-handle=1912,i,3771880557755425492,10062571987976400018,131072 /prefetch:1
3⤵
PID:5196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3116 --field-trial-handle=1912,i,3771880557755425492,10062571987976400018,131072 /prefetch:1
3⤵
PID:5204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4400 --field-trial-handle=1912,i,3771880557755425492,10062571987976400018,131072 /prefetch:1
3⤵
PID:5604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3616 --field-trial-handle=1912,i,3771880557755425492,10062571987976400018,131072 /prefetch:8
3⤵
PID:5728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4580 --field-trial-handle=1912,i,3771880557755425492,10062571987976400018,131072 /prefetch:8
3⤵
PID:5748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4660 --field-trial-handle=1912,i,3771880557755425492,10062571987976400018,131072 /prefetch:8
3⤵
PID:5712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4616 --field-trial-handle=1912,i,3771880557755425492,10062571987976400018,131072 /prefetch:8
3⤵
PID:5772

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:5996

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
4⤵
- Executes dropped EXE
PID:6080

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:640

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
5⤵
- Executes dropped EXE
PID:5808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4720 --field-trial-handle=1912,i,3771880557755425492,10062571987976400018,131072 /prefetch:8
3⤵
PID:3784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1136 --field-trial-handle=1912,i,3771880557755425492,10062571987976400018,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5552

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1280

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4188

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4024

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3224

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2092

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:776

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4548

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2756

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1188

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2316

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4000

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2612

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3512

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:368

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1096

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2016

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1868

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4868

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2312

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1504

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1872

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3572

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4084

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4628

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:4584

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
27fb84f99887957b3ed577b9659c0b6a

SHA1
dbf147560e017d490d6b2bed7d08c61202e6e591

SHA256
10dce4877ad13fb16f69a70f4f23193d583dc96e92b2959124a23489ec28cd36

SHA512
8ef2e463a75ba5ad922ffdf009367d4c24ee754b8e35462f90bc8bb4a7cbc5aa826ac410b6925dd79c0cf941b2085368ba1a5268416e1340314af245a66b69a7

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.6MB

MD5
906e78e6bb1bfc30a9f70951c37b08bc

SHA1
da494409bc2553491ac7e1aa5d30ff7a0a8907e0

SHA256
c020b1e9afd8c0cec132d2c40dff0437567613463c2f504ea7df76f5e688a19e

SHA512
116a8780539811dec4f29249d8450cc1cb07d7443446427c44e353760066196062cffa32da20a1f8d8d0f84eaec908dd49288f95e1901836389c6e251c8a2164

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.6MB

MD5
2812a8413eddac381d64806c43ef09d6

SHA1
f1c912720e943e386d062274e4bdb982b1ddcd4d

SHA256
c14aef7e251a4bb1102464621e5f2555cf135915db944017a433767e431e33db

SHA512
dfc9cb3710d04896ee786001588199d78536576b3c12c703ceb8090693c19678750d787e1a90a6bd383a69f4b93e58a85f40c3a3068c796f110d8f5b361c0f20

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
c47eb5089e7cf0fdda3e9e2619670c3a

SHA1
4ea16ddd5eb55fb7681a85a179c3090c3c9a1fcb

SHA256
efa5a8241a9aef968aa30c7ff084df2f58b72085a9be5fc766f1f5105452a8f9

SHA512
f7e53244373005c88e654e81416e567b1f29c0013aafde3baa3d4dc9c32ec6974270af587890c1499fccf1809e0b7f5ced3eded29296b2b086c1e663edbeb3cf

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
2573beb697a634438a3cb5bea28c2be7

SHA1
599c00e87f2df0ef2a2deaab6ee8447388ffb0c6

SHA256
9ac108450e43d51b84de55e239d54ca3e9528365811f7b8bff08399aabc42b9c

SHA512
fb3dbb4b5322845ad858c85236b54e462d1aaaa42951815233cdf853267a3d47bdba73047ff9ae0a8357175d8de80b982b48d0276b3f1b2e89fbad7cb2edb24d

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\5ff3783d-35f2-4861-8db0-53b288df9e44.tmp
Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
2cd879c3b1b25f881f4b7ab71b67a095

SHA1
e8c477526bb5bdddd659fdd44606060d83e703ad

SHA256
d15ec0b42a1305238584533da0ddd5ec2959a76896cabc74599185af8af9e92a

SHA512
95c25065ecb23b375e233d554beb9c5fb61d877f6b5586155d5b5931d270cedfd4508a8fde3dfee5073af2215b256d7cffde9f77923d41909d4168d9bc61123a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
be9974d49a7269f43fcf7d1471d5a514

SHA1
fc34957b4646d38ae1dc86d5178b002b2ea4e05f

SHA256
95f509b15b8fbd83f48224b680b76aa504efd055414bc81c6715f4fc8c59ea0b

SHA512
ff679c9bae69e1961e07a0670d13f3067d0e3e55eb3e82d2a922ffb13be5b3246e2cb1740aba70b0d13895a689ee3f6541edf3ea732ea030b6e1627a6a6cbded

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
a2f080912582cfe15b01ecb6c0abef48

SHA1
f075c79691fe084a6d7d4bd6627e17874ae0e46c

SHA256
e2a74684b36f3e9285eca1fbb7af2c2fbfe20e31bffa09d5cfd869087e8e07a1

SHA512
5581b8ea50e5041d420742380c580dab6e8aaf082de7deb5bf62faad9a4784adf93799b04f16748c303e836057e54d8a8d1ba8fb571399bdaab66a3e9b4b9393

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
ee1c806eb8ba66562b6622eb678b13c9

SHA1
59d4b5495738f04c692d39663f612b160a2da161

SHA256
616eb8d721bc43b45a00ccf11c6f6282a2698c53c7e8da62f50e0a3dfcb9dec7

SHA512
06b9652dba2474815d27f3829d4660226addfce76d2eb5146d56479182ebd7c2731c6ebae246adabb11f8513fae13eddd4b4f15632410be57ea656285d2e2d17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe577772.TMP
Filesize
2KB

MD5
1f497c78bb1cefe5fae1f2d3e5c467dc

SHA1
12ec3f79d43fc239252d3812f8f0c2edc492bc51

SHA256
e7fedf1f3f9f65c94434b56a0a6b0be4a9773cb80c1fe09b6391adaec9849dbc

SHA512
f7ce6b59abe22c099ba4ded438dae24ad228fad07f742fe053c580f2c052a91d5af99bc7616681f0f377f8b5bbbe7ae2defab99203bd1af816724a1e63b62e92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\e361407b-8a37-4a00-b3a7-dc4401df6a08.tmp
Filesize
16KB

MD5
60d8d96fa8d80dfe9d7fa3fd83874ff3

SHA1
763c2b651433ea1efe2af903ee2d7ff376259e2c

SHA256
480e88aad26c1104efb61487a7720a90797697f7b13ef33cfff5b3cb99891eb0

SHA512
b82f8f155e5286df5ac83c9edd34f889d3cb76e19760aa0c5f0399da133afde2437fca10f0282af656e46b77bd719588d227b4b0177c745e0c47c8571f1bff1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
260KB

MD5
3ab4509e5e7088e3c2d418a75c526411

SHA1
4488b98214b07fffb6909782798ab65fb792abd8

SHA256
f46771fb32d4dd3c96da63a37abdb6a3dbab64a6c77f109a203051c353f578da

SHA512
a3bf65310a546494f1ec522317fe2ba226428e923fe0a72aa17e3e2252d07b742dd49c6bb8365a00404c2c52d1afe1684a7de87bc40a78b33fedba24a8637e67

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
7KB

MD5
e10d14a316e3927c5617741be1d90bc3

SHA1
c8af5fae5483bf63ff667268d8bd23eefe627f81

SHA256
baf5ee8b5cde4439392442d3847eae8f7b9e1a52ec67d0633083353b245deb29

SHA512
19bf277dec812fb7691d5c4f71d014f5f8e7b0f0bbd734fe0382e1e137b2151d3931ef53816c7309781bda17982a4afa5c9cffe6e9f45eed5c90df8bcdd79409

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
8KB

MD5
810d2a28ede533525b5341b5f07881a7

SHA1
3646eb573a8b0a00958b8389aa3e0de782165d00

SHA256
dd7e22acfbf16b3037dc5a6f4a91c690a1927345e8c5233ec398e19c05fa5982

SHA512
483441e18c5203713601dc838412828e8db0035e89da67718e70426632cc6e987ac4a1983cc4de756dfc2e503ef07cab1898f2c6c6234ce6db53a7c989f908f3

Download Submit
C:\Users\Admin\AppData\Roaming\e5a03695b4b1389a.bin
Filesize
12KB

MD5
1e7ca73ab50c3d4df2d5b76eca7ecaf6

SHA1
4ec2005ab0a002640f9395837d37af657ea4018a

SHA256
32de5cf066980fb18d0c5038010fc74e5ac2a1977aa9dbd04dee1c627d4bca6c

SHA512
9253a05420c6877773c0f34110d3d86cb4ff458b8755796ef332d2030f1914268d2b6d258f1e410244e2f309f165fbe602f556f3c1069dbc2ec514d9045e3dd5

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.4MB

MD5
960a41dbdc713afe3f52305b7e639b9d

SHA1
b04afc39c535aa8be7159a5db948d767d439e54e

SHA256
e496d9e7efe55bf6199b87c9550f9c8a69287ed47daad30f464140ed0b32b649

SHA512
7bd43f26d751cf89fc32d31884924dc8a0ecab7e4bf324b1542df5fab4e533ce4b49f1b83080bbca9083967833ef644362f467af8d500ae1d7d412be484e2e4f

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
be489a91d0ac10a31b7240b8560d67b0

SHA1
60141c01cec37a7d167cef493d817e394e8c49d6

SHA256
ee5eab95d24d189efefea19a40e2c8f13693e9826929df287c9397417e8549f0

SHA512
70cc27cc76e83f509283eaf49b487cdc7c1506d56a68cb94ac9b1c3c8b65c1a83f5b2882a441cc7bc7418f00c8fc128e77ce0eac5b0b25109cce406a4b9858cc

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.5MB

MD5
30b4717e8acd674dd689a0bd7b322f76

SHA1
13251463b1fc22ccff60cc3c4072529177ead642

SHA256
abc9a8b20bf110cd3cd3cb95580ec5025b536e8c39d2aa98322e592c443e7a39

SHA512
73ec5b832b7e0cd008c296bc64872d05688c4e4c1555ab61cf1df26c945f0291549a284832659fa75881a6064b17d8c6ee83300cf79e1690f444e1f7e32cbbd3

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
3df8827ab861b5da88868e0f376ff80d

SHA1
0ed49480c73900538071bc8a3d2be7905d46981b

SHA256
6b2ab931b50b073f173789308f773f09b90e7e3774d531de83e0055aadb3b56a

SHA512
851d848faacc95fc6bda0d537f457bfc520dd6ed1103198f49292163e20491bb1fc005c95d0c3c419429727fb8f99ef3cce6c96ce5a1ab8d8e0488b09320eb52

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.4MB

MD5
bec0052b1cd7d56e2ea52910a0cd0fe7

SHA1
c90b177b6a450b75fd20c44df11b80db8dc2da3a

SHA256
d834b91f3db0afaab09fe5dd18e543f0a375eb9b2161f9ed27a48d33bc91df5c

SHA512
53882576a851d525fa364f446ccf8380757a166cc80d5c9925decc586c77b0593670792403310da4bad56e2f7daa5b6515aa7f87df3aad4bd087eb7d14fbf87e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.8MB

MD5
33f8f05bdc8f59b232960453ed94bbf2

SHA1
8e87e36f9b62787051eba819829f5133f97981f9

SHA256
5ad3d701f9830e7683a121cf951660da25cc60693fd62cccb09c21c183c54cd7

SHA512
2b74355bfe5b53f5608cc6e9d4ce2dd3a6bedd140767499cd68d0707183efbd7ffe7ab08d340088a5a5dab603666355e9498d162aee54e8b290dd1560c808954

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.5MB

MD5
243626731077253b92642806e3228b35

SHA1
af7b402ccd2516f880b62215611acf2f6b569268

SHA256
425066c973fed1537d20ed3b0bf2f27d609dc3a17c345da3e15b41bcfd065097

SHA512
15151d830631a6db6ef8e3f9fe66f5cc1a409b168ac6f235022c6080715623ad8339ca3e394e8e1a509aa534358f483da441d1f6b27758e3ee74707a40566054

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
68fecbb3a5fc06e502b763467a98bdd7

SHA1
ff00e3c36844a71f51c6568d91150c2de82cb7f5

SHA256
1ad39f3d67013b81b2c660f9dfbe5b04a7320d7cd6b223171fd8814401c4c497

SHA512
8bf975da5b4658ba66943608f23e83a7c954b495f7f4e66f7d2e9d8195b22e0836a642c2cfb7c1d890324c3ce7fbb9bfbc4da2cedfdecd269fa8b299f3719d8c

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
9437614201bd8508cf095b50912dc138

SHA1
0afd3e07c5743ffd746f74b89cd55c2738173bd1

SHA256
d37b8f4d615b8452b54409b6362817b1840d01b70c87fd5d690908042bab4f32

SHA512
07f93a6d9a9458d8708407828100d55844052c9a2f552cc4da8c972d118215635133efef66491be43b3d027e4e0481325c68791ef0a7e254d9acf4332e2b5620

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
8aed0313f3080c9d073692ef46e4b50b

SHA1
1dba2f06b2e0fc04e958e8467cc895543b9747e3

SHA256
a10e0968cc68fcd4b86a46ab857990133e182da5a9c38a465c58b43f67f89072

SHA512
55172f2291b9f9b12ee20c01a6c24eda9cae7a38080891a52a787d8f1f4290d67e73f19bc23a77625576ae137efbf88e5dcc32c34b92bcdde6a08344ec47f82d

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.7MB

MD5
99a3c898e2314ef97baa93afb945cb3a

SHA1
3e3a956b54b16f524f5f5d29f05880f8b1a0f793

SHA256
112b11da0e6566b7affd3dec227b1479da80410ec6657a69e2ffade2b7982997

SHA512
ee57eb8dcf8f2d74aced3a841abcad40c2b3a66abb0a09d3da8951c982a23d5cb9c60b6584093e5411ca0e74323a10db0298e03166974a4ffb46c47d84809c57

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
6c6479e229bc593505688e774e82854f

SHA1
4f8a72d04cee5793518e7eaa13e394808bdd8a3e

SHA256
f0dcf687afb015edfd35bde69075875c592b7b5535fcc85cc09af07aa801f28f

SHA512
b73e7a9ddff67e7d536a208f39b107a855f512f57afa2d89a40da1becf8f83850b322ad51bb6512c5012298fec5d6ba2c0cadd7e2498e0c9630e962fada85d64

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.5MB

MD5
f0cff61f9d646d7e1216f5cbcb21df77

SHA1
dd5fe86cb4ef233380a4e1008e7158237d2d93b0

SHA256
e77425afc49324d996bbb7ee8e6b2b862560b88ca3904081a919537924ebe987

SHA512
f7d3558ec61426fdc9c1825967589d46e5dcceba811e25dfd2c15af07407301511e870e3d393b64f1c874d8ea5820cc7886778406866c726d935850077a89cd1

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.5MB

MD5
eba15b91522508fa4ebb32f0a984c75f

SHA1
348af4da9ea659b72d9fb88356521a030b8bd97f

SHA256
4d203cd3d4d84987f2a3683862ec0b0f8b13a6b19e064ee14929566cad0b12ed

SHA512
88f5a594f64d76a239564a04dd3d53792ffa7068c93ae31d8b3ffe07e3073efb2ce226e11b6b3bca06ba551772d7a549aab007525aee3e17bbc6d73c91cc7893

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.4MB

MD5
0bd6ba8e7dcb972612026d8bac4f324f

SHA1
a4b70f9ac789993fb6f96dcc9998c22857b2d606

SHA256
0b3a1792e847abb533901a2e49ca8e9143c86c1653d646600772a0b3993f953b

SHA512
6fd9f48b5eb0dedc1d13fdbc024925009b456625d978304cf8b7431f56a60bc11921e7241611f016b8972d88736313803c6f55e07ab20637be22af679b522f4f

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
0433f0ba0134c74f75d8c69ab4c0d1f3

SHA1
ee43fd72053ba9453a4813f234ee33e93a11c3b7

SHA256
10ff178b5673a75b82f666c7090a84d10a5ac8a5bd425426ab3f92599bebab6f

SHA512
9e1ed1b94e1d37ccb604abcb9f7c9223326b68649cc6b4d7ec80ce221ad47c3ae93c2340a4ee0d0b439813420a224e18c693c7d18982ecda09c91ccdfe3fb712

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.6MB

MD5
a39933237980df2cb6715edcff59c802

SHA1
f85d9a5031693691c2080de33b072451d2bd721c

SHA256
428a5bc0594539ab63bc84168e6224e915ad2ccc5126ba0d6e4f063505ee48e9

SHA512
088cd8475fb135e0458cccccc8c2e366f43eec6b7f01287db7c8c55d4bad7c77f7f152502f6cf8ddcf41150def63b5a65361f4146f5fca6025d3ba7af0c05495

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
7be48fb1ff78346ee084ff9d591bfbc5

SHA1
ab43b3bf90d070809bccb34d4d3ce55ac0bee910

SHA256
e3757f436487fcfec1233508c75b92e4e88b348cc9fa1e7880a31dc2493cc4a2

SHA512
29225193f50dd3febb30235a5ba338d8b67250eef1da97297f14f3b1c219b3257ed90bf39460c6079f4f677f97d802810274ebefb9c54ef5a1b1f6775b3b1920

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
b2c359ffd4bf582baf62f6e8adf87a6e

SHA1
8e9a26cf9202a00b2f38b9cf92a2cc0fa2e76b79

SHA256
ee8fad0e09119ff89b6f13fc18df351e81b41199adfc10acbfeccbbb88e02a9d

SHA512
1b1cddd7353d0e9300f1c661feda7f8d1a71e6d90279cb72c3adb51a7bce9c64e2fc87777926db50a8d41cc945445821d1b3cc1628f7446a7c03e64bcf8aff92

Download Submit
\??\pipe\crashpad_4836_EJSUHPOUJSWOJCDS
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/368-320-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/636-323-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/640-589-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/640-563-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/776-86-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/776-311-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/776-80-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/776-635-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1096-321-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1188-314-0x0000000140000000-0x00000001401A9000-memory.dmp

Filesize
1.7MB

Download
memory/1280-31-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/1280-620-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/1280-32-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1280-23-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1504-329-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1868-327-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1872-330-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2092-73-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/2092-312-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2092-67-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/2092-377-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2312-328-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2316-315-0x0000000140000000-0x0000000140184000-memory.dmp

Filesize
1.5MB

Download
memory/2612-318-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/2756-313-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/3224-78-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3224-63-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3224-57-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3224-76-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3244-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3244-39-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3244-6-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/3244-0-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/3244-34-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/3416-20-0x0000000002020000-0x0000000002080000-memory.dmp

Filesize
384KB

Download
memory/3416-619-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3416-19-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3416-11-0x0000000002020000-0x0000000002080000-memory.dmp

Filesize
384KB

Download
memory/3512-578-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3512-319-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3572-332-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/3572-636-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/4000-316-0x0000000000400000-0x0000000000570000-memory.dmp

Filesize
1.4MB

Download
memory/4084-333-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4084-637-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4188-54-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4188-53-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/4188-45-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4548-90-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/4548-102-0x0000000140000000-0x00000001401A9000-memory.dmp

Filesize
1.7MB

Download
memory/4868-220-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5808-580-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5808-705-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5996-600-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5996-538-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6080-548-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6080-704-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download