23557dfb5937629b6246119a6b6b77246815b4d1d460e0e04eeb96ef56677a08

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
31-05-2024 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

116789f67b073f4e38387ae9604bb2f0.exe
Size

5.5MB
MD5

116789f67b073f4e38387ae9604bb2f0
SHA1

da7a9734c9af73dadd37984629391ead821ee1d2
SHA256

23557dfb5937629b6246119a6b6b77246815b4d1d460e0e04eeb96ef56677a08
SHA512

187d621421757d58223ee3d56c3bb02e9a1f817ada0e89d7bbb53e7f76d0ebbf46258a3ee4e1a5d6f66f668633b81bf7de0c661d8bd93425c8999c86ccea69b2
SSDEEP

49152:pEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfz:9AI5pAdVJn9tbnR1VgBVmvXvYCp3nyG

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
2632	alg.exe
4548	DiagnosticsHub.StandardCollector.Service.exe
4668	fxssvc.exe
2940	elevation_service.exe
1124	elevation_service.exe
2552	maintenanceservice.exe
2648	msdtc.exe
4144	OSE.EXE
880	PerceptionSimulationService.exe
4784	perfhost.exe
1812	locator.exe
1868	SensorDataService.exe
468	snmptrap.exe
3296	spectrum.exe
2764	ssh-agent.exe
5008	TieringEngineService.exe
5004	AgentService.exe
4748	vds.exe
348	vssvc.exe
2848	wbengine.exe
1028	WmiApSrv.exe
5112	SearchIndexer.exe
2776	chrmstp.exe
4812	chrmstp.exe
5784	chrmstp.exe
5828	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\vds.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Windows\system32\dllhost.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Windows\system32\vssvc.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Windows\System32\alg.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\44fa559fc3136770.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Windows\system32\locator.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Windows\system32\wbengine.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Windows\system32\msiexec.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Windows\system32\spectrum.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Windows\system32\AgentService.exe	116789f67b073f4e38387ae9604bb2f0.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaw.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaws.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\java.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	116789f67b073f4e38387ae9604bb2f0.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	116789f67b073f4e38387ae9604bb2f0.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000048ee7cfff6b2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003289b8fff6b2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004b2978fff6b2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e2b0a0fff6b2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b0dfb200f7b2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133615912705876290"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fe24d5fff6b2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
2288	chrome.exe
2288	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
648	Process not Found
648	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1312	116789f67b073f4e38387ae9604bb2f0.exe
Token: SeTakeOwnershipPrivilege	3888	116789f67b073f4e38387ae9604bb2f0.exe
Token: SeAuditPrivilege	4668	fxssvc.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeRestorePrivilege	5008	TieringEngineService.exe
Token: SeManageVolumePrivilege	5008	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5004	AgentService.exe
Token: SeBackupPrivilege	348	vssvc.exe
Token: SeRestorePrivilege	348	vssvc.exe
Token: SeAuditPrivilege	348	vssvc.exe
Token: SeBackupPrivilege	2848	wbengine.exe
Token: SeRestorePrivilege	2848	wbengine.exe
Token: SeSecurityPrivilege	2848	wbengine.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: 33	5112	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
5784	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 3888	1312	116789f67b073f4e38387ae9604bb2f0.exe	83
PID 1312 wrote to memory of 3888	1312	116789f67b073f4e38387ae9604bb2f0.exe	83
PID 1312 wrote to memory of 1516	1312	116789f67b073f4e38387ae9604bb2f0.exe	84
PID 1312 wrote to memory of 1516	1312	116789f67b073f4e38387ae9604bb2f0.exe	84
PID 1516 wrote to memory of 3748	1516	chrome.exe	85
PID 1516 wrote to memory of 3748	1516	chrome.exe	85
PID 1516 wrote to memory of 368	1516	chrome.exe	93
PID 1516 wrote to memory of 368	1516	chrome.exe	93
PID 1516 wrote to memory of 368	1516	chrome.exe	93
PID 1516 wrote to memory of 368	1516	chrome.exe	93
PID 1516 wrote to memory of 368	1516	chrome.exe	93
PID 1516 wrote to memory of 368	1516	chrome.exe	93
PID 1516 wrote to memory of 368	1516	chrome.exe	93
PID 1516 wrote to memory of 368	1516	chrome.exe	93
PID 1516 wrote to memory of 368	1516	chrome.exe	93
PID 1516 wrote to memory of 368	1516	chrome.exe	93
PID 1516 wrote to memory of 368	1516	chrome.exe	93
PID 1516 wrote to memory of 368	1516	chrome.exe	93
PID 1516 wrote to memory of 368	1516	chrome.exe	93
PID 1516 wrote to memory of 368	1516	chrome.exe	93
PID 1516 wrote to memory of 368	1516	chrome.exe	93
PID 1516 wrote to memory of 368	1516	chrome.exe	93
PID 1516 wrote to memory of 368	1516	chrome.exe	93
PID 1516 wrote to memory of 368	1516	chrome.exe	93
PID 1516 wrote to memory of 368	1516	chrome.exe	93
PID 1516 wrote to memory of 368	1516	chrome.exe	93
PID 1516 wrote to memory of 368	1516	chrome.exe	93
PID 1516 wrote to memory of 368	1516	chrome.exe	93
PID 1516 wrote to memory of 368	1516	chrome.exe	93
PID 1516 wrote to memory of 368	1516	chrome.exe	93
PID 1516 wrote to memory of 368	1516	chrome.exe	93
PID 1516 wrote to memory of 368	1516	chrome.exe	93
PID 1516 wrote to memory of 368	1516	chrome.exe	93
PID 1516 wrote to memory of 368	1516	chrome.exe	93
PID 1516 wrote to memory of 368	1516	chrome.exe	93
PID 1516 wrote to memory of 368	1516	chrome.exe	93
PID 1516 wrote to memory of 368	1516	chrome.exe	93
PID 1516 wrote to memory of 3664	1516	chrome.exe	94
PID 1516 wrote to memory of 3664	1516	chrome.exe	94
PID 1516 wrote to memory of 4652	1516	chrome.exe	95
PID 1516 wrote to memory of 4652	1516	chrome.exe	95
PID 1516 wrote to memory of 4652	1516	chrome.exe	95
PID 1516 wrote to memory of 4652	1516	chrome.exe	95
PID 1516 wrote to memory of 4652	1516	chrome.exe	95
PID 1516 wrote to memory of 4652	1516	chrome.exe	95
PID 1516 wrote to memory of 4652	1516	chrome.exe	95
PID 1516 wrote to memory of 4652	1516	chrome.exe	95
PID 1516 wrote to memory of 4652	1516	chrome.exe	95
PID 1516 wrote to memory of 4652	1516	chrome.exe	95
PID 1516 wrote to memory of 4652	1516	chrome.exe	95
PID 1516 wrote to memory of 4652	1516	chrome.exe	95
PID 1516 wrote to memory of 4652	1516	chrome.exe	95
PID 1516 wrote to memory of 4652	1516	chrome.exe	95
PID 1516 wrote to memory of 4652	1516	chrome.exe	95
PID 1516 wrote to memory of 4652	1516	chrome.exe	95
PID 1516 wrote to memory of 4652	1516	chrome.exe	95
PID 1516 wrote to memory of 4652	1516	chrome.exe	95
PID 1516 wrote to memory of 4652	1516	chrome.exe	95
PID 1516 wrote to memory of 4652	1516	chrome.exe	95
PID 1516 wrote to memory of 4652	1516	chrome.exe	95
PID 1516 wrote to memory of 4652	1516	chrome.exe	95
PID 1516 wrote to memory of 4652	1516	chrome.exe	95
PID 1516 wrote to memory of 4652	1516	chrome.exe	95
PID 1516 wrote to memory of 4652	1516	chrome.exe	95

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\116789f67b073f4e38387ae9604bb2f0.exe
"C:\Users\Admin\AppData\Local\Temp\116789f67b073f4e38387ae9604bb2f0.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Users\Admin\AppData\Local\Temp\116789f67b073f4e38387ae9604bb2f0.exe
  C:\Users\Admin\AppData\Local\Temp\116789f67b073f4e38387ae9604bb2f0.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:3888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9052fab58,0x7ff9052fab68,0x7ff9052fab78
    3⤵
    PID:3748
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=1932,i,142496358775573500,3313778805304639784,131072 /prefetch:2
    3⤵
    PID:368
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 --field-trial-handle=1932,i,142496358775573500,3313778805304639784,131072 /prefetch:8
    3⤵
    PID:3664
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2076 --field-trial-handle=1932,i,142496358775573500,3313778805304639784,131072 /prefetch:8
    3⤵
    PID:4652
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3052 --field-trial-handle=1932,i,142496358775573500,3313778805304639784,131072 /prefetch:1
    3⤵
    PID:2304
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3056 --field-trial-handle=1932,i,142496358775573500,3313778805304639784,131072 /prefetch:1
    3⤵
    PID:5040
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4320 --field-trial-handle=1932,i,142496358775573500,3313778805304639784,131072 /prefetch:1
    3⤵
    PID:5428
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4344 --field-trial-handle=1932,i,142496358775573500,3313778805304639784,131072 /prefetch:8
    3⤵
    PID:5712
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4576 --field-trial-handle=1932,i,142496358775573500,3313778805304639784,131072 /prefetch:8
    3⤵
    PID:5728
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4796 --field-trial-handle=1932,i,142496358775573500,3313778805304639784,131072 /prefetch:8
    3⤵
    PID:6072
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4916 --field-trial-handle=1932,i,142496358775573500,3313778805304639784,131072 /prefetch:8
    3⤵
    PID:1144
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:2776
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:4812
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5784
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x268,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5828
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4896 --field-trial-handle=1932,i,142496358775573500,3313778805304639784,131072 /prefetch:8
    3⤵
    PID:5976
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4464 --field-trial-handle=1932,i,142496358775573500,3313778805304639784,131072 /prefetch:8
    3⤵
    PID:4356
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4896 --field-trial-handle=1932,i,142496358775573500,3313778805304639784,131072 /prefetch:8
    3⤵
    PID:4508
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4444 --field-trial-handle=1932,i,142496358775573500,3313778805304639784,131072 /prefetch:8
    3⤵
    PID:1568
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1908 --field-trial-handle=1932,i,142496358775573500,3313778805304639784,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2288

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2632

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4548

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3612

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4668

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2940

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1124

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2552

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2648

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4144

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:880

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4784

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1812

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1868

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:468

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3296

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4328

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5008

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5004

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4748

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:348

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2848

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1028

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5112
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5004
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:5212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
cde4ad6fb23387931fee8f0406b27638

SHA1
48a7cc4c20e774afaa4af5d998c8643081543dd2

SHA256
81cbfd407bb4dca0c009902c4b191a9f76b00904fc15f7472059ddab43a2969f

SHA512
98393c819abc3b13929bed1e71d0eb3bc787f0abe20c7b20c71f0a70fe81a434ebad86ba2fb44dad776123bdafecd5c5364d0da62a2ad3d219555939c7dca2bb

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
bbd91fd2df0dc03d9d735d4a33af4ead

SHA1
3bf511d5671ee671be81257aa9043edaef50d94a

SHA256
0ba04dfb2f5406a601c69e76ba46e1b4cc9a76ccb03e16c4037f579245f66d2a

SHA512
9d8ab3bdb0fa8ba8560cb28521814325da24acd52a239d0315abccc92d1c7bff87d5ed89f7448bf27f4867a5a4d7b63da08f5428903c60986ad8a8f312758ba0

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
98077fdd0688a5f0ef8ce2752cd46d86

SHA1
21f34ae2cb285ff7804b43dd078b300d29f134c4

SHA256
2ca6f4e2a4f308bf0da926dc0cea12f0ff4b83955e95a98df5002e605f8d7fcc

SHA512
4d2d79462ecc31cd88979170aa533431743d09dd588b58c3d67cbce010d91809078fa6bb60c3241b022cb2196251f6755359d0e6a59c0c34417936d2babfce3b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
039c1cac6159fcc3a50071af9cbcc9cb

SHA1
d65c8b3cb4d8e6f3f70af3dcedd51c661fbfae2e

SHA256
a4e3a479ea5f40d82985a5e17bcab655a4ed73a1099474cd92c1f900067b62ff

SHA512
39c4c279f2b20aa03228e216fbef058c6d85d62e9bcac7f598750696425a777514e068263a23125a8d219afe4e6052225973639507eccd883357dcdf22a23b19

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
e7721489efec1a63df249d81004ff0cc

SHA1
4df66b34dece66b73ef7963a096c1bcaf6fbb994

SHA256
7ebf9cd033a7b5daecdeb55e59c730c9fbebfd25d4c7ea4cda67048c862ec55c

SHA512
593e53493760bf1358c3c5fdcc7d1ede2b487460f7dfedd2edebb6f505566012ba5282d963f1e813f43bf7295f8a61f822ac188b364bc24727d6312fa990a401

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\c21d29cb-73fc-4a81-bd18-504395eab07b.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
757f9692a70d6d6f226ba652bbcffe53

SHA1
771e76fc92d2bf676b3c8e3459ab1a2a1257ff5b

SHA256
d0c09cff1833071e93cda9a4b8141a154dba5964db2c6d773ea98625860d13ad

SHA512
79580dd7eb264967e0f97d0676ba2fcf0c99943681cad40e657e8e246df1b956f6daeb4585c5913ca3a93fdfd768933730a9a97a9018efa33c829ab1dea7a150

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
82217eef8e8d1d9a25531756c5ced916

SHA1
743f39d3c7f1de8c9e5235e1c7ada82294b4e304

SHA256
cca977e4a02f659fb13cdb1c9c44dc4b8a815b867389d1eeb9a0e95db8631ee3

SHA512
b3ee4acd61a3d56e2a5052690736f7e5a59f4a6b64125983a7a38990ef0a992aa377c50da8638820fabe1f380c22888e0ef7b539bd84431a1c3c9a41e37670f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
778297b31358c0b293cbf30b65c43e91

SHA1
75951e0fb7da9c7a3f674a1d7a16d847ecdfa735

SHA256
32c3397b78e770ceded368dd56ac19854377a39f7817dc4a7558ef5d38c7a984

SHA512
247001b8db7751780a1263e8ae6a4d8ec9b768cf26f79e4834961c5442ad3c8b4b460c6bb1d40cf3fc3dc64d55969962043987a04cbb06974046ba431f987e67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
cdcec84b510374d5399f99d542677aa5

SHA1
fc0a3b7ab54f4b7d647df8433bb7a94b6784c219

SHA256
e245793abc35d37388211ba2e0e49ee9843804b45e8f3b472d5c8b6a719d39a8

SHA512
f1c440bb9ef61428319fc7c1125bc8164ea45ee07823fa17a628909b594ea37b696db076b399aa2fe0cd3c0946b364826c51bc8d911bcd8e457e71b129e0124f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
9b788a7111d79efccb4063b94b1c8534

SHA1
73c0d461a66f7077464697a7c2a39d20a08a0f63

SHA256
dbb17c145d5cdc3fc220424fd5b3dfc4d7cc82ef8bcc1dfcd0183086d36bbf63

SHA512
923d6a7ec38f033f57fc2f511565922567e0f894c41b561a4c8e0ae083c70a0bfbca59ccaa2fc5b44e5776b37da189a0ba22f40375b3395486da306ac58146c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe577bf6.TMP

Filesize
2KB

MD5
6c38709f2b92b4197d45f6df3df81cb9

SHA1
92d1adb3512f085dba8c03ea68d926704ebbbda3

SHA256
d5bb9e1c53b6d6dd67dcfdf3963d7d8b0dd3094ce6a86851e8b8ab7d3d6f235a

SHA512
3cc01f22a75c283dd55a4fc9b02211776bc1246ae7787ffeee21a25d0ea8ddaafbb70cbe8d0976356fcff59c9be8e9c178c15264d2a44df3653bb1e03fe41bf9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
7680e260f5618a6c2b4dd979acab6112

SHA1
7682bd453201fd20f5c153bb796e9827d08bb3da

SHA256
43f30e08707cc84da4956e7f78b433f70d350117663441a95a478f1ad2d6ba65

SHA512
527b5f6b1e1570f61ee438ac7ece69e6ea85a92456d55bbaa610d6519b60f56676051d48019a7068f4fbd5e318521b7560c8d06af7a50be88b6195920e3e4b2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
2cf8799e2a3e8b0ed973fa894576d953

SHA1
f8af42663e3c021b2b28261036b0b1f7783f2137

SHA256
6a645816101a32f2949204720ac3baeb644ca1a140445ce2b31e46228e0bde8c

SHA512
632a39f3564040058477a612d01222b06d657872d7c5a1d7432bbf4119b64362ed7ed3b304b8b2d3d52ceb5c48a4a665147eb6283a1e9e6343348aac22aa9cdc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
263KB

MD5
36d427f4caa344b73993b1ddecda7af3

SHA1
a5c3f894b45ea3d24e130749c08f700d61ca1feb

SHA256
15824d48a671bad5d1937cc9aab51e1201bffb03b9a580a669a778a963ad71e6

SHA512
aa57a5c56c1f8c282e86f5f58a706b324c41883eadf0beed65ee4fe7cce93d7942485f892ac57faed5dccd26acd2190e522a3e3ed9bc2456e0e7129df4c2925f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
283KB

MD5
fa91af5057f7ceb0b2cf124640d395b2

SHA1
85ef1c02e7d05b92a2925613908eba56830b2021

SHA256
a50ee2d688fd12a52d8bc2139c2d631dc1db5f9203cd79d5b687fca78d1c7303

SHA512
e95b471cca85776602dd70463f0e3911efd49998711d96a1644eaea3a794121263c13bb38daee1e968a070d27479f64bb17d1562f98f4c68f0e9d210c6aeaaf9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
263KB

MD5
0dec1f613f7fe62c7c6a39fe277db2f1

SHA1
e39a2d1bfed8e4f7b5699a8951f11379360a7be2

SHA256
8a5d462ab1c4f2c29dead1be8fc16f650042d9fc16e3b9bf410af53294c14549

SHA512
48f5222aa9ad1640386ceda5c9ab60d5d79eaeccdc3989d2fcf378cd7fbdca86b4fbce49a85bf5524594d2ef9c3497473ac148159e8be420d18b77c3aa9ae7c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
91KB

MD5
a85fb43079c823973b8466b6a01824f8

SHA1
3dcd506bebbea8203f78384c17fe3a1ea62d16f4

SHA256
9d0a883461ad1a96e33b6d0416fdc0770af8b4ab500955f043f1e8e1eb95ec00

SHA512
87a5c37d338f970b34cd30cc285f9a718ae4585507857e531f83b79ab5152a779a899e5b8cc679111752b218af5c274434473b2cc05093e78de89f13cb3a0579

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57eed4.TMP

Filesize
88KB

MD5
f7b7ff49da6d444f958fa4ada02dc68a

SHA1
f73ad6ab3375796e0b692467937450fbbf031b2d

SHA256
accf41061febf85c3656540af6441f10e06cb877e61becc0137f501cfea862a9

SHA512
1436c48f6b87bab9deae0ad9d296b32c02b9e0eb8b066833f1020192f162612f4f662dcca35197c65157cb9e900e2e62939745e471e1bb8ee39fdb522ec28138

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
3611d72c555f0f9deb6eaa053c21930f

SHA1
df346e3fd2e0469d3d707b81b87183fc6629b480

SHA256
b1f6a1a7040890f48e56a3e0ccb286848f5e86103ff67959e886dab9da01ac74

SHA512
b3583ff00e3a327e5ea084de8eb92a9efbd84ec45a5fd840efd79e138d95eff10ef4935b7c6553f55fa7751c3b08789d12193cef313593530417fe66c10737a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
1415a516c4c1b3099ace2f37e9b0d211

SHA1
8ba65f7e82bd3893d6d2e50866b1ec5219b5a2e6

SHA256
2c76f0d60ea8af0b759d2299e6a43e6f704abe7e3ed3c2f1a2fc86a05d15ab35

SHA512
73cd2bd994f9cc0b6a7333ab7540d0786cfe22f03779fc93b3d62d1bccbd7f62be2a5ba4f74d5a2d5b41083dd21666bcb59a3b1a12897e8197279dd65678f574

Download Submit
C:\Users\Admin\AppData\Roaming\44fa559fc3136770.bin

Filesize
12KB

MD5
9b74ecf63fc4ca9da6cda35a2a34a1c9

SHA1
7f65c9630fe08837984b9c5c23cda74ed0eb671a

SHA256
424ad88205c7552645bef3ea5e923c166d7249f19b9153b9322ab78a43a9a71f

SHA512
7e7c2ba0ff4e616fcceb64e4521824c37508a2292d297386e406fa41badc5fe891bfa1df2fb477e5dc354b19c4d65c8efc2cc8bb527d3953681995ce4c8996c3

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
c1f5fe99268804a68e67344fa208666a

SHA1
072b05d310a5b05dc9a506f9bf712d4081fbbac2

SHA256
6bf73a14b6147b4c4bba50fba5eec97f44460330a62a97ac741f236867f8dc03

SHA512
afdc499113dc2c0ee0bb5b625a59fd68fa93815b9069e1d867c6dc6f5d96fa3453cffd2037a0ade9232745a80bd42466955dc8065e878718c1b4ed4e97da9e6e

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
22d9b7022266c90730da06cdb605de2e

SHA1
2ac1d482a55956ad556d1d7357bb3f7992defcc8

SHA256
b9cd91381c17efdc8a43ca9c7f019e3e0bd4d40479bab4365abb3a581c6576e7

SHA512
d90b8d2e96c358eb2772ad7b373349f88a782cc332fcad4e4e84a8486e461eb2f48f9db32227c304a3d81d67ab471cac4456f476c1a04bc059098fd13ea1118e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
10928c76430604471219735bd1107487

SHA1
36e7f77002ecefe3feee1c8c068fe7d07bb8a44c

SHA256
878fdfb693b0910170ebdbc44a7a5ffcd7c058a38d6fe5980ca358f7d14c56b8

SHA512
7619129204a99a75a77569a6dfc767b2f086d65a8b5a530900fbfe75cee4d7d95884df378a5bdf91b7a601aa6e20fec06e811c19a6cb8ea40c96d21fc9eefb57

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
917b87a119c37271146b87821285ae5e

SHA1
35609bb6249227be80d220f5712a1828c1093997

SHA256
948c6f83389235ecc0979df94ab1a89732987e385ac45c3e55517a1895adb957

SHA512
1212217378a74c5b080f31d2b9f2cf1257a379c2dff616c96d511c72e68c694e29db570805091a2d06be0da372c3b869f26cec6b6c19f8a77cb1d5866b0d4fae

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
e93ee88a9594a15fed5449c5667f1a76

SHA1
0b428c92f81ae594bdfcbaf6867c10885adde7c8

SHA256
fd23cae73e15f2a55dd5ae09c46e0096bacda842da580585468b371556488b0a

SHA512
b45783f5e6f2b4ac7e0e66db2fb5e2b2f92b669446b57fee44da817bcbfb41dcfdf46663b4059ec1aac2d71dfc435bd2d072b920e06419671d145d6296abdf72

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
3effc191bc65e6e39cde40bfcae45c73

SHA1
03f68accbaf7891827f95977be355f69ee55f8c6

SHA256
0f9fb143acada1345dd21876be55f59222863256ba67ba32251bd0485d29537e

SHA512
a6ecf3c4b7507ab18e96d779d1fff5d9faf3cb009ac06f382cf71fa4d5ac5fd6f6e435ba075330f48541f3c50e070523bab6db785dd99cecb9611f2cb259c72a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
34a5953d279702b5e644e4e3b43f653a

SHA1
404df9a34b2a23d1b52349f638ba6d3a17d5cd07

SHA256
b7edc59297507ff33e1ddb72a3274e80e5d2c809b679b4a589146fec37deb904

SHA512
9f793d9ce16bb28cde53fadd3c768665731ef5a3518258cf371aa33f139726c730f867a3def35e791d15ee67e5608f1989f57c835d44706eb45a22743b09c9be

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
7b543ccd97f3eac686836593cd9399ee

SHA1
f50c5a4723f8e95493ec81bb0bc0b1e9a363a133

SHA256
90bbb08bc30447c9f2eeb01f29baa5e0846f3e8c09c8bc3a48c181b1dda863ee

SHA512
49073a75dda8382869465d72278f8d1fce9fcbe03056f9876c2697f3591d4cae7c6f8504acbd52972ff568a016c6a74a8c32ecab80d193e79b0bea6c2cfb7eb1

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
71f375903398c71e35ec144d6690b286

SHA1
dc5be3fb2f5f3a03f535256ba0b62b6998aac45a

SHA256
dbb3836cd22dde813b2bb061623fdf94de30fa79830f71f7e2e21d1c7a6d77ca

SHA512
a4c415825241fc508f6327bce739155a1010668b2935dbdc62ef59ae96a5fe8a5198ac9e84719a15fa5147e054daea2a4976f7b377b21d5701a3acf19fc60595

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
dab12602e96839d7bcaa895f15702e31

SHA1
b0f79a58f7c7eb3079790be0ca97644112bf0fdf

SHA256
41055aedc889c7e5209311b54564c1ed32d0cb138e7bc702b6f5f1f09da13eb8

SHA512
d56a8c4cca093c949b2e97870f236e6ecc2a236ea0dece11773cf174a4d0d3de6032e23ac8b69d4f7a26b6df1d51fde67e298fb657ff9c6acdfa6e9e85c796d5

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
ab2b9c58850ec55aac80d848120d593c

SHA1
f840ff31bb102d471c1d0de05c56750c952f90a8

SHA256
7cff1b970ce0b8771d6af1c75eec3cb88094e534d33589eddaf95e58127158da

SHA512
8598f7cfc925367632a85b17bd7a7a632074e742e329388087eff8483449771dbd9bf6bdd0e67997de1d1262d4057df1d7299e6ea7920ece0454776407518fab

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
60b71a2e35f23d542a7228183526fc05

SHA1
22ef0a8db0bc3ee4479cfcfdc4923ec2cfb656be

SHA256
c42b01f99b1a26c56573af3524d6e27b5f434ec2d343028f84beb9e13bbbff2f

SHA512
90122b3ac591a8859f13986e9a9f192d2c6fc069685497ebc204bfca75f7cbd4682679d7ad85c0e5d8e5cfd9fe025a91789eb182e462942ab3bd5b7e458d66e8

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
bdcaeaeb5505128a22594c362790e2f0

SHA1
3437d061ebb939a72bc966c4af762a0353153d37

SHA256
396c9160250e129acde305a14bd49d3d283cfe41e408dab73533c3dec8dc2d79

SHA512
cb9dc8e6e581aa66e69fa84ba4de040e299fdf69aa0b31e8cc0a7e3c11e82455f54df12c15220b5cc4d6c54f46e13fc0c40a01adf78e7bc3524b1f68ade36616

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
5fa5c656d9af8624cf109b796eb63b5f

SHA1
a3a97d44cf196de332bfd912e9a7e2e9951dcd87

SHA256
ee5ea7f3f6f23f22c393a203786b736913e7a546a64f04c49a66b572c8ea9955

SHA512
b084e5410ea742cc5d9870e8b37061389eafc0500f84960d96bd1f990fbbd70c6343039d7a1294f2fd2ff6d1c001b9a6ca400a7e7a97c206f27a4af892f3c25b

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
0f6388060bd2dbcba9f8547c53161e63

SHA1
e30e0e6bebbcc99c8e1b806377c959496f463190

SHA256
1796f3d07d9e5327e995fa13190700843ee7d98500c447103779b3cb03976e78

SHA512
250675bd008ab5210e9d24d36c6aba60f0731d2e02f5d5d6361068ce797fa5217b6e133ed74fd35095b1b4f3d787c56397d082163088da65e4de6a31223a3879

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ebc6ecc13633609f903726de25840c35

SHA1
0b044e934ec87fd5f20a6b6c11a679582acd2c32

SHA256
f7c9bb31f6834fdfc5cf0229f95ffbd5f4e564d293f541b9b97d37f3171f8e0e

SHA512
7ea3caff45647cfccc418d10313952354aaa44f66c2584e1a10e4b9a38aaef6d097c71aa53728879c561976616d96992261f7f01fa5a95a9304f032c721493c9

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
63948e54eb70a87cbd9322e2a0dee0b9

SHA1
4eaaf5d6f6641eddc769d00f0525537c45c6a858

SHA256
4f5fc63348394782386b6db06ecdf4a0555318329953007f087abed9637432b8

SHA512
2bccc0562ea43028c8d70e5cb3eeeece874f1089b7fe933341faead3d40d1f9b808116e2d08bdafb71f3c418acba528c449a985c5f7a4c5768e99e07586b5809

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
04fef7b434272a226f8c28e2fc6352d4

SHA1
e5391b31893d0f7872f506ffaca42ec5d6fd4d0c

SHA256
eedd40275e0768d89cc9752371cff735eb7fe34b74331e4998dc4c36cf7f2fbe

SHA512
4f2b7a737942b342e81c3da4bddf9080bb396821bdf19fba47765c81b24e2cf587dfe165a61c5858adfac52bbcfff119171cbb0644c804d41498655c67439d6c

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
8323eb783d4b3475bc1107f7b22fe30a

SHA1
8b61ba2d4ceddcce64913e45b0b3aaedba641153

SHA256
b04e4a8229ad76f418899a184586a34f1da04653efdd8f0386b76fe7282bd7c4

SHA512
a6e5fa59549dd9f848741b7c5e0e99e3efd1ac639e61a1a430fe7a62e6f13bf625fc22d619b29e9319f0bddd46eda6bd61057d4afcde7c846a72bf6e4ef79972

Download Submit
memory/348-259-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/468-241-0x0000000140000000-0x0000000140255000-memory.dmp

Filesize
2.3MB

Download
memory/880-124-0x0000000000B50000-0x0000000000BB0000-memory.dmp

Filesize
384KB

Download
memory/880-138-0x0000000140000000-0x000000014026A000-memory.dmp

Filesize
2.4MB

Download
memory/1028-268-0x0000000140000000-0x0000000140285000-memory.dmp

Filesize
2.5MB

Download
memory/1028-574-0x0000000140000000-0x0000000140285000-memory.dmp

Filesize
2.5MB

Download
memory/1124-65-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1124-59-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1124-468-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1124-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1312-0-0x0000000002080000-0x00000000020E0000-memory.dmp

Filesize
384KB

Download
memory/1312-6-0x0000000002080000-0x00000000020E0000-memory.dmp

Filesize
384KB

Download
memory/1312-22-0x0000000002080000-0x00000000020E0000-memory.dmp

Filesize
384KB

Download
memory/1312-27-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1312-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1812-152-0x0000000140000000-0x0000000140254000-memory.dmp

Filesize
2.3MB

Download
memory/1868-240-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1868-515-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2552-85-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/2552-72-0x00000000016B0000-0x0000000001710000-memory.dmp

Filesize
384KB

Download
memory/2552-83-0x00000000016B0000-0x0000000001710000-memory.dmp

Filesize
384KB

Download
memory/2552-81-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/2552-78-0x00000000016B0000-0x0000000001710000-memory.dmp

Filesize
384KB

Download
memory/2632-33-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/2632-448-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/2648-120-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/2764-249-0x0000000140000000-0x00000001402C1000-memory.dmp

Filesize
2.8MB

Download
memory/2776-430-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2776-511-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2848-264-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2940-139-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2940-69-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2940-55-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2940-49-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3296-242-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3888-415-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3888-10-0x0000000002020000-0x0000000002080000-memory.dmp

Filesize
384KB

Download
memory/3888-19-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3888-20-0x0000000002020000-0x0000000002080000-memory.dmp

Filesize
384KB

Download
memory/4144-541-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/4144-121-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/4144-117-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4144-111-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4548-35-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4548-41-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4548-44-0x0000000140000000-0x0000000140268000-memory.dmp

Filesize
2.4MB

Download
memory/4668-68-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4748-258-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4784-151-0x0000000000400000-0x0000000000656000-memory.dmp

Filesize
2.3MB

Download
memory/4812-437-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4812-608-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5004-183-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5008-257-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/5112-269-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5112-607-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5784-454-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5784-499-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5828-617-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5828-469-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download