70515f07ffd6a9b1f3c310b35ab5bfd27d10054aa3e8b32c5216d1b7083cdc6b

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 20:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
Size

5.5MB
MD5

2a8948ed13ad6df4269722250b023473
SHA1

4ce634e8c35290e82882f168ff500729ae8df164
SHA256

70515f07ffd6a9b1f3c310b35ab5bfd27d10054aa3e8b32c5216d1b7083cdc6b
SHA512

307359c560c4582eefa6cddf10fb61e1c598ce41b468e9e003422bc0306a41e1de41d21500f53706e65fab9d2130b1fe1d25534275c999963f412773141177c1
SSDEEP

49152:1EFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfU:pAI5pAdVJn9tbnR1VgBVmTTjYvH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
4660	alg.exe
2680	DiagnosticsHub.StandardCollector.Service.exe
4600	fxssvc.exe
812	elevation_service.exe
3980	elevation_service.exe
4092	maintenanceservice.exe
3400	msdtc.exe
2492	OSE.EXE
668	PerceptionSimulationService.exe
4304	perfhost.exe
1300	locator.exe
4036	SensorDataService.exe
5112	snmptrap.exe
5040	spectrum.exe
340	ssh-agent.exe
2844	TieringEngineService.exe
3268	AgentService.exe
748	vds.exe
4252	vssvc.exe
3604	wbengine.exe
4108	WmiApSrv.exe
1412	SearchIndexer.exe
5392	chrmstp.exe
5440	chrmstp.exe
5924	chrmstp.exe
6028	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 26 IoCs

Processes:

2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d26e11e61ed82f9f.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\javaw.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe

Drops file in Windows directory 2 IoCs

Processes:

2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exechrome.exeSearchIndexer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000019a9dd4a1caeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000316b204b1caeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bb6715521caeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008b63154a1caeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003a95e94a1caeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007d347f511caeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008a8b1c4a1caeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000981c124b1caeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008e400e521caeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bd08d5511caeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

2664 chrome.exe
2664 chrome.exe
7016 chrome.exe
7016 chrome.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

2664 chrome.exe
2664 chrome.exe
2664 chrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

pid	process
2664	chrome.exe
2664	chrome.exe
7016	chrome.exe
7016	chrome.exe

pid	process
660
660

pid	process
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exechrome.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	324	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
Token: SeTakeOwnershipPrivilege	4824	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
Token: SeAuditPrivilege	4600	fxssvc.exe
Token: SeRestorePrivilege	2844	TieringEngineService.exe
Token: SeManageVolumePrivilege	2844	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3268	AgentService.exe
Token: SeBackupPrivilege	4252	vssvc.exe
Token: SeRestorePrivilege	4252	vssvc.exe
Token: SeAuditPrivilege	4252	vssvc.exe
Token: SeBackupPrivilege	3604	wbengine.exe
Token: SeRestorePrivilege	3604	wbengine.exe
Token: SeSecurityPrivilege	3604	wbengine.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: 33	1412	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

2664 chrome.exe
2664 chrome.exe
2664 chrome.exe
5924 chrmstp.exe

pid	process
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
5924	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exechrome.exe

description	pid	process	target process
PID 324 wrote to memory of 4824	324	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
PID 324 wrote to memory of 4824	324	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
PID 324 wrote to memory of 2664	324	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe	chrome.exe
PID 324 wrote to memory of 2664	324	2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe	chrome.exe
PID 2664 wrote to memory of 2560	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 2560	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 3964	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 3964	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 3964	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 3964	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 3964	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 3964	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 3964	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 3964	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 3964	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 3964	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 3964	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 3964	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 3964	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 3964	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 3964	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 3964	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 3964	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 3964	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 3964	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 3964	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 3964	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 3964	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 3964	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 3964	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 3964	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 3964	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 3964	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 3964	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 3964	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 3964	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 3964	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 2588	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 2588	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 3464	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 3464	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 3464	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 3464	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 3464	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 3464	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 3464	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 3464	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 3464	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 3464	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 3464	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 3464	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 3464	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 3464	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 3464	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 3464	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 3464	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 3464	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 3464	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 3464	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 3464	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 3464	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 3464	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 3464	2664	chrome.exe	chrome.exe
PID 2664 wrote to memory of 3464	2664	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:324

C:\Users\Admin\AppData\Local\Temp\2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_2a8948ed13ad6df4269722250b023473_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdfb52ab58,0x7ffdfb52ab68,0x7ffdfb52ab78
3⤵
PID:2560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1920,i,821405759902130248,7321551944088437370,131072 /prefetch:2
3⤵
PID:3964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1920,i,821405759902130248,7321551944088437370,131072 /prefetch:8
3⤵
PID:2588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2216 --field-trial-handle=1920,i,821405759902130248,7321551944088437370,131072 /prefetch:8
3⤵
PID:3464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2724 --field-trial-handle=1920,i,821405759902130248,7321551944088437370,131072 /prefetch:1
3⤵
PID:2308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2728 --field-trial-handle=1920,i,821405759902130248,7321551944088437370,131072 /prefetch:1
3⤵
PID:2800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4288 --field-trial-handle=1920,i,821405759902130248,7321551944088437370,131072 /prefetch:1
3⤵
PID:5560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4436 --field-trial-handle=1920,i,821405759902130248,7321551944088437370,131072 /prefetch:8
3⤵
PID:5716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4444 --field-trial-handle=1920,i,821405759902130248,7321551944088437370,131072 /prefetch:8
3⤵
PID:5724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4732 --field-trial-handle=1920,i,821405759902130248,7321551944088437370,131072 /prefetch:8
3⤵
PID:6080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4984 --field-trial-handle=1920,i,821405759902130248,7321551944088437370,131072 /prefetch:8
3⤵
PID:5128

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:5392

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x74,0x298,0x14044ae48,0x14044ae58,0x14044ae68
4⤵
- Executes dropped EXE
PID:5440

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5924

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
5⤵
- Executes dropped EXE
PID:6028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4160 --field-trial-handle=1920,i,821405759902130248,7321551944088437370,131072 /prefetch:8
3⤵
PID:5808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2448 --field-trial-handle=1920,i,821405759902130248,7321551944088437370,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:7016

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4660

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1912

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2680

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4600

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:812

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3980

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4092

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3400

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2492

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:668

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4304

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1300

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4036

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5112

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5040

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2232

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2844

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3268

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:748

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4252

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3604

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4108

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1412

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:1436

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:4172

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
b977158b40b2ded5079538957b0cd95d

SHA1
62f3d4022e04f4841b3fd17ce4056e1637cbed17

SHA256
e55337e50acfd47702a74e9a7ef4852252b34aa5eb3943fb6de648e3985bbe4d

SHA512
9e4a1e5f5fa662a35ae62151547f2a5a8fb2c960142047bdcd4020993519466ce7888a337f6987cd4ad41fd92fc8b009f30ff715e83a5db939fc4784be5415ea

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
12c6675a59a31bc705546fe94ff6b355

SHA1
6a3936de388f602cc56bf19d3721acb661e4c0d9

SHA256
1ca81feeeda51e4b37defb07841fbd8f4fef56af7b526ed915c472fd0869cb99

SHA512
993c8fae83ad9150d3e3d106732605c37decd87bef9dfef3c1c9474c4093ac9c1547b70daecdc9f4b0da74505d54d59ecf6b93f30cdbc09be6f5a845e0de1a46

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
0e743f5a0cb33470bce948f156f85ba1

SHA1
1d5a447b9bda02b19b277997f19ccc3d951de074

SHA256
4d51c8cdda331bdd6dd08c4cff4a6955a2a83fc592bc018e5e4576f2e2b477b0

SHA512
76a0e595901d6da37cf35fc24a1d9e29c047d082e0f96a2fb7bac8c17a2a978efac0724ef29bb01639509bc1d552d9d57f2b2fe467ec71de38461211d9d2ad66

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
751ff06bec2f907544ac019169847403

SHA1
a0256dbc758c8fbdfbcea80216682c6a5449b621

SHA256
bd0a6cde74adec665dafa1546a1f1b7ca05330843d4b555be944ca5e2dca0a76

SHA512
4195ecce0d5d71e920f32d504169310f5835aef03cc0978b5a6186f59b3132e7b708900f01b51c44b18a4cc9c079490568e9dbf6ad38d5d939fb2704ae8541f9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
316427f5257e325f249c9de171f1d794

SHA1
26a1af82558135483dd17ec5103b5c59c178a21f

SHA256
f3a9b43558b5f485bbbb30ef9ce9f2a1e397155f0806b6d6de71b59aad136f16

SHA512
5d7dd599cc920a8727e52ccb82e1503e562f7585eb819d8bb681ae9e52079e363b587d02e3f73175c1ae902ffec40cbf7c1a1afe2c5622e248fd30a6af7e6fdd

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\7377adc8-d0e5-40e5-bac7-54414a11027d.tmp
Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
0cd429098412849541cb95afaf497de7

SHA1
34fcdc8c1708981ab8e69a9ccc50ab898d7f7df3

SHA256
d987cb1f82d1cfa20deebd5947b3ce1b9ae9ca25cb7df736727c507a3a17700a

SHA512
955809ff9150048d9b739222dfe4c1cc7b4f330cab2858b74ba1b8af8514f1d97268812c0ef81a3d926c9928fab845515a0fbd834a8dd1d0db39359001ce5f03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
cd7d8b24d1ceb624a7215e61826a02a0

SHA1
b35e8db5f39f28a5d0983620559b746417c7db79

SHA256
2ee4011775cdddd74fa4ae7b85db81262022c6c7e0996884cdc0de3a6434aba3

SHA512
50cf259ebb5e4ad4a044571b3cd28e8dba9ddca367254bfedfb606b96a6fa86504a95d3e47308034686890d191326fa09c2d346c73b703a07898844c8b94b7e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
b3144c036d2949266e7dc7ebeaee2859

SHA1
aa90db92f9d449c05bf5bc281bcec1d6580630dd

SHA256
c688f6db4ffa964f05d987fc13bfad18a8c81b4846b7d323ef1ea86dbb17a2e9

SHA512
0a0ed4abf2fd4dd695db50073eb83e3f4db4edde919402a137b09ab269c1cf3bd30a258c6a1a31419bef1869115e3530ee5dc4c35c719ba68791dd662aaf6b3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
b1f5083f307b830e26573fd5d342e256

SHA1
afa489695918abb27abd0b359f40e4f69669218f

SHA256
326ff9e0ed74c590e3bc396c9f27ac19357495deeab402e18b07dc80b669cef3

SHA512
c1c900be5630e794cd5a5b91b9754acf7e71ffdfc5b88627d62a97b332c9e926d342bcb4206418b9e046eef87eca96949928319fa64051a144a2b4a5038ca644

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe577ec5.TMP
Filesize
2KB

MD5
411ac782e18a3f8947b5bbdc13773829

SHA1
d9a709bb6b79ade9df4024e8fb6e36190070bc21

SHA256
0217b1195d87db614149675e331d00b581206641c58f6c7cd8cadb92e718f8cb

SHA512
03cff6f4f72f375b34a35df614de1c0837ec423b3b232e5b863a2d85ccb2f2bc025d1954ae0ba9d117930a84e7fd1b44bc82b488e5acd58370c36e9c24717d5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
312c274be4829b19c839f57cf58dced6

SHA1
b34a2daeb5dca033d3c1447f415ed5053f349afa

SHA256
30070680ccf5939447205c3de3e36e60975cfb41c49db45389f5966a872a11c7

SHA512
d8a3e95dbeffe00cc8799f93b50a49419b7acc3e5abcb8b67c3c5dd5ecd86041ef1c99b632d4ad8644cc3af91c1bf5a73766b85ca4dfe1584c83e03e4a80de5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
260KB

MD5
7cd3637dc87b14465060acf7071ef1b2

SHA1
1bbdedbaa4d39214115f46e8e53e46cee425c1d5

SHA256
5efc018ee69aaf49f0ec7378cdd9fd479367eed52095fbced87183f4f4ee57fb

SHA512
231cc6972a05d01ebcd09f9eeb567373f29927b4f58a0659a29518d49c18aca33438d8ab17a2e311a5f864830d5eb4eb716b73b197477383c077fd3b93e5d61e

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
7KB

MD5
fb2912bf7944bfebfb5d0bb99bdcda29

SHA1
a9be624ffe9e7ad8429381b699c939586714e7e1

SHA256
46b417370c0d59e90955d077722e53f5610e04a99c1befcd3550ae4b25e45c93

SHA512
72a123ed2e86261f8686198f3cd98d2c2c69ff919f76d63409d55beb5aac186343495bd3f5494e6250dc4cfe1ea57ca087150a53a48b4d7c057eef2d7ae83313

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
8KB

MD5
8ecbd366f56e1ba0697ec2f3c1aeaef6

SHA1
d71c533de9e020e8fd4f6c4326248cd4b6c69a81

SHA256
3863d6a8ad3131298f4b6d0e58fb591f2300d63b4c19def6aa9e2acf732d1676

SHA512
896cecaecd90062bcd865714a3e29c4281941ff1533ce9a4fc00f866ff14d24bf0f17d3d50edd17a631baf4f407f866dc0f6e6839764a76cee2724a8450e6219

Download Submit
C:\Users\Admin\AppData\Roaming\d26e11e61ed82f9f.bin
Filesize
12KB

MD5
060504b2b8a64bd16515a6ea96184fff

SHA1
676a21f9ec99a610332d41a4bdc8a24b313c4b6d

SHA256
d9ea4012107b06aa7f890dfa735498e562f67f4d09c84f9ac8255d28dabba3a8

SHA512
c9b41ef6926c4621cf9fa72dd77bde0d957866c07ffea47f4798bc55dfa0e3734b0f641b157fbd49a89b89166f5b532dd9020784474687233f8c4d1f1ff10afa

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
732539af834fa09e0af49b359a8bac6f

SHA1
3dc618ddebec68ecd7324a276fa58381fab4ea2e

SHA256
5e0ce1c75b052de636c63c282d3b85ae3c45500d48b12883b1ae9f8926047e37

SHA512
42e116ef114c43e5360ca0258dfac99aa47b928c99b074c1a03352d6e0a7cd90b2a90f2c80490fdb1f3d18575c3ae06fd188809e537c5c18cf01974cb953a824

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
843fa5a996c128378915e7d300e305d9

SHA1
99f04bc9d74a118021b96320ee92839c016b6ac8

SHA256
27c2ae9206f0f64c78e587a6803acb0791761571dd3a7777e4aba37eedb6a6d7

SHA512
c740835a00bf1338950599122da347198b86994c7a4b16e26a5da4157b665c583d42c93cf87b013eec13f5b69566b9d85ba00edfa5969917f472672bb1862bee

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
21c71557b613c7064be955cbaa874d5f

SHA1
a57573b9ed65006988dc01ffb88044c9a134faf3

SHA256
1233838fdfbd55a257c9d3d47bc88fcb720db611171e43f4b96f6c15bc21e59e

SHA512
fa69ee2a5c293cf53d97e3c21ec184eb895ac9ec53813d32be2dfc29fb20a740c7ef70347ffafde414fc239333bfc83dad60375483adde2632c87b2e98781146

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
753da4762a7eb32fa95817560e4bb9bc

SHA1
fdd8570e0e57549c8fa3291da7c1c7fa87ba2847

SHA256
3f1ef7dcd66520bc451adf846344334b3d5a90ad5dae03e92584246a7ebfd56d

SHA512
4bc8a92c152dc9d580b47b2c46deb33d64176f70e0b49d41970dd52ed64d9d8f1d39273ba07c3bcc8b19baa1e9eb294d892f675d5070d5050e51969bb573c436

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
be900b16cdd4a7c4d7251737933264f7

SHA1
318201f7d09c3bce74e5c1015da98b0d4e5f1a6f

SHA256
64acbdb3c43a3ef08f8eb327ad4febe426e8a3edc2548020c3122b9586d7dab7

SHA512
47b9154d887e0247339840274eb48c91b4dc8bc5c31933569721792fac001e6fd2b87533d56d17efe32ee995669138671d720d4cc10dfcb866b3a61db8d40be2

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
6cdbe40763634d58855dd642b5e94ab8

SHA1
f3105d05ab16891814951784773017d3b1f958be

SHA256
8a1fecb4ea95cdbb36fc45ee274ee44cada2f0e698215780f1c20a4b0d171183

SHA512
2f0ba1d70f3168c99704dd34915384d6bcfc92f2404f37e97cf34414d3fe64baae4f9aef62813835ba0ecdd088670cbd1a2da02073bb9f71bcb2d90061fdf01a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
bb1fe0cdd54c3ca1af3fea1dc325bee7

SHA1
4b819477976c9389cdc7d56d7fa726e3b05d285b

SHA256
5b08d8d953019c6a28abc8f9536cf36a3e34eca6f0eee1f852a40d3a5fe0ff59

SHA512
64871a04b4d5c655488cb55b35ece7eb1a2a4445756c3dae960156a7b555dbce99bb963985befdb784edb63e5312fa284c5299640e3ebcca1e1c063ab6b8acd5

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
788156aa4f4a7ea37855b609669f577a

SHA1
02b385dd0bb86b83819b717d49c2558c4c40859f

SHA256
2679a2b0b2ae2bdca6687dd59eaaff731720e687d9722880156d996e343609e5

SHA512
f7b904ad41898636cac35847bb90478961bf80faaf30609bf23590da7adc405549184b0d45aac1e22c81720b8fa7413a65e0ad1bf1d916ee2c8c75ccaf911e5f

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
e04ff8ee1fc42c443070cfbd2bec80c2

SHA1
e6fcc404ebe1181decc5206e6c050027e443c523

SHA256
ab678162dfce07e1531d50a63c91fd87f7613205bd9c0f50ce6c1912d7dfdb78

SHA512
6289eab1939fcc6d1925991d76865f12ff4844949590de55242877b18a1f56d5ac15a2470274703a24b14524903c481b0ce2543d93515a2eb41dcfcd9ed55f8f

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
01674773582713ce251fa1a386778de5

SHA1
2821add6424ef3c8ab708c3fe6c0f71d4921d774

SHA256
39fc89f9487017c916982e1a2c3bef9c3993bde4d06ebab4de6167cc20fb7930

SHA512
c8ceab4c334d99413d49373b8f08e4fedf803a15296b74c38d2d6e63525f550a7bc0ee53ac851c6af8de91de96d720fde3ef1d48735c88523931bbd5fe6933ac

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
f6be2e604f0d449d93b6cea4ab344513

SHA1
67b234bfb18da9da55b420c18670dd1509ac76d8

SHA256
34f2e94fef82408adc3ee68dee4dd166d1d772c22386d7eed8e5cd6fa90d675a

SHA512
f54e35eb1fb2490c89a082b6642a1d74dd3f5543b65344ca0e40ac81cda9ab2c1f1ace97d96e0ac16d99b867c906b480a780cb704110935ac266e148bad26923

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
3e250beba85f01f8a6b692361f6a905c

SHA1
0117dcad058b021649c0ac77aa357278b08fd1b7

SHA256
8291618f254bbb5517061b6ca206b53a533a35adb773adb1574f85910cd248e1

SHA512
e3cbbcbc81651fbebc12677156138762f8a26bae20ac5c4efc252ba7838ea368ea0d169aa4f68b55687eb7b863692483f7530c191f5d1b53172aacb191c12ac3

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
c6a1bbce62a628b85bb2e629992c8703

SHA1
894d9cd445903e386be3b9af92204cdb8b06f5d2

SHA256
e74dd42193524797bb9e635a823c4f2b7ffeffe52fc0f0f485a3b71f2d33b867

SHA512
6f508752c7ed1c4fae7c3e9f8e76cd94a6bcd8ba82166c47cc6a84dc3410217637c4863d02dadc5f1ad729f9b540a7810ae0ef1d252a464ffabd45e270ffeb99

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
ae2c8c4b70d8a072ae152889c8b4e59c

SHA1
35f1ba2a63282dfaabc3231aed738d6b428a4975

SHA256
1f31c6a5852eed77f287f1159213d1e25161d5822e3d7b72c0f9c389060ca6dc

SHA512
909ef1d18dff0198c7971d6b97220bb83eaf2d674b6d768534191fd865d302b88442ef56c359f6ee19c6df49f62c68e8942271b3b48f3ece021a6815976b3941

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
17596d38d612f2cd6c19d32191f92d09

SHA1
2e2d7fc2d89ab025870869ca3a6301421cf2bf80

SHA256
3720daa2271d91e1e399ea05e41f45405a31e43093d876c2405f4cb2afae7330

SHA512
a8519852b7b46bb3b0ac743544fcf3b2cfa0e873d9d5638e92791553c4902cc2b3e1ae0c39477762e9ac0007e4194505ffb68c0aece462a2ef3155d1c828d14d

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
e8142978a98e41d059f3156d676b95b0

SHA1
ff8f3b8e8c1edb90a377cccecd7d9bf558564fae

SHA256
c8f578d96c5be53f7c7f252953d233922bdac335dee8c7a2af7fc017e7ed4f99

SHA512
55b365bdbf283f5cf721e977c68994189ecb3d69278a1b6a2d949edf0e784b739c561753acfa5cb397021bd605648f6eeed6df81beac133754e7411711cc1018

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
8d87c18767355a2e2b58ae1b31815c24

SHA1
e4860be936ffed58983f2b2ae60fb3186673c9ff

SHA256
dca85a85708f498882e36d376e66c8372e7321a7676ac0e37254f4119a29bda3

SHA512
409a14d7be359dcab9fe16756d83533b143a10cf93cc0fdc491f44c4b57b3ed00ffb1180fd4cf8239312775140d5675db927113847cb09f3d46c8bc4d059f96e

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
c7dd495f7de681d34ded040fe28be2e0

SHA1
2a86f2575e731c3e67ced33523159b7b65bd1ca4

SHA256
2f91ca3aa7114c3c5a9db611c5c6474088d6ec9271ebbf0cb7aab9571e28bef2

SHA512
d9b5c0b1e87aa231c659909b05d9133c02e5963ccfdef271dc36e7015d782375c23978d8e1a807e0c0eca96fd94cee77df6af9c319bd6ffb1c60730a2f104d20

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
4d858969f9b63ec4e90b337affb40980

SHA1
c5f517b47ddc66cf8fe32495fe14e425f905c252

SHA256
d228412aca7296096c2db6c01dfe1e83ca0db6a7fc2512468473c94bbc3e50f9

SHA512
df058b39862395921f86ab56ac87eec0ed1adb201b988f3bae0fb037e14a1c33d842b7fac2354f0daabe15cf41c5b6757ed9971dc8237e7a5e9377314c6b972f

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
bde0922bfb736f21695875464e361a42

SHA1
3cdb38e236ca57de1e79ab275abf85e7a71f796e

SHA256
d7e53e002e3061aa9e814a2aa1add3db9dc5243953c1ed612d43e0571d888bbb

SHA512
14f188800eb01ce20a7eca6d1fd72f31c3d8c171ac5a37ea671b15487f94c8b08e9b4844207c2017c456f7c407493a970a3611a17781390d0e3a14e18a72a933

Download Submit
\??\pipe\crashpad_2664_MQGYXZSGNCZUWUMW
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/324-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/324-0-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/324-6-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/324-42-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/324-36-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/340-227-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/668-141-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/748-260-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/812-348-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/812-75-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/812-69-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/812-77-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1300-220-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1412-638-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1412-309-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2492-130-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2680-53-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2680-47-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2680-55-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2844-228-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3268-229-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3400-129-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3604-278-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3604-636-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3980-534-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3980-89-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3980-92-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3980-83-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4036-221-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4036-603-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4092-100-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4092-107-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4092-94-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4108-637-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4108-308-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4252-261-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4252-633-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4304-219-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4600-57-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4600-81-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4600-79-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/4600-66-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/4600-58-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/4660-259-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4660-12-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4660-30-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4660-27-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4660-28-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4824-26-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4824-18-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/4824-29-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/4824-218-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/5040-223-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5112-222-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5392-532-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5392-592-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5440-719-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5440-535-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5924-581-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5924-559-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6028-561-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6028-720-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download