52d4dcd3dd551fb7569191ec97b41d3c58c19623b0cc9dabb53a98ab03c6c68e

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11/06/2024, 00:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
Size

5.5MB
MD5

2aa99360bb60ff8325716cf078cd304d
SHA1

388476fce6a9cda4a892d05859cfbd33a37f78b0
SHA256

52d4dcd3dd551fb7569191ec97b41d3c58c19623b0cc9dabb53a98ab03c6c68e
SHA512

38baa95ec0df2a964b3ea1e175f3f66164d82047c07460dc36941fecf11975b1b946c22a5229ae048a0cbef00a76c98d831e01d0d7928f0013a04458028bb38c
SSDEEP

98304:6AI5pAdVJn9tbnR1VgBVmiUyuFC4Qmd1:6AsCh7XYxQ/

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
540	alg.exe
1656	DiagnosticsHub.StandardCollector.Service.exe
4632	fxssvc.exe
4028	elevation_service.exe
1160	elevation_service.exe
4760	maintenanceservice.exe
840	msdtc.exe
536	OSE.EXE
3408	PerceptionSimulationService.exe
1664	perfhost.exe
1928	locator.exe
5088	SensorDataService.exe
2204	snmptrap.exe
3416	spectrum.exe
1032	ssh-agent.exe
2816	TieringEngineService.exe
4576	AgentService.exe
4364	vds.exe
3656	vssvc.exe
2720	wbengine.exe
3080	WmiApSrv.exe
2176	SearchIndexer.exe
6012	chrmstp.exe
6092	chrmstp.exe
5136	chrmstp.exe
5328	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\80a8d6b1d590e271.bin	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{F4DF7669-184D-4D67-991D-8B1550DDF396}\chrome_installer.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000887ca67599bbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000042d7437699bbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005da48e7599bbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000267bc57599bbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000015cc957599bbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002d2e917599bbda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007cb4df7599bbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1952	chrome.exe
1952	chrome.exe
5208	chrome.exe
5208	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1616	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
Token: SeTakeOwnershipPrivilege	756	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
Token: SeAuditPrivilege	4632	fxssvc.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeRestorePrivilege	2816	TieringEngineService.exe
Token: SeManageVolumePrivilege	2816	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4576	AgentService.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeBackupPrivilege	3656	vssvc.exe
Token: SeRestorePrivilege	3656	vssvc.exe
Token: SeAuditPrivilege	3656	vssvc.exe
Token: SeBackupPrivilege	2720	wbengine.exe
Token: SeRestorePrivilege	2720	wbengine.exe
Token: SeSecurityPrivilege	2720	wbengine.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: 33	2176	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2176	SearchIndexer.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
5136	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1616 wrote to memory of 756	1616	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe	80
PID 1616 wrote to memory of 756	1616	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe	80
PID 1616 wrote to memory of 1952	1616	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe	81
PID 1616 wrote to memory of 1952	1616	2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe	81
PID 1952 wrote to memory of 4712	1952	chrome.exe	82
PID 1952 wrote to memory of 4712	1952	chrome.exe	82
PID 1952 wrote to memory of 4628	1952	chrome.exe	93
PID 1952 wrote to memory of 4628	1952	chrome.exe	93
PID 1952 wrote to memory of 4628	1952	chrome.exe	93
PID 1952 wrote to memory of 4628	1952	chrome.exe	93
PID 1952 wrote to memory of 4628	1952	chrome.exe	93
PID 1952 wrote to memory of 4628	1952	chrome.exe	93
PID 1952 wrote to memory of 4628	1952	chrome.exe	93
PID 1952 wrote to memory of 4628	1952	chrome.exe	93
PID 1952 wrote to memory of 4628	1952	chrome.exe	93
PID 1952 wrote to memory of 4628	1952	chrome.exe	93
PID 1952 wrote to memory of 4628	1952	chrome.exe	93
PID 1952 wrote to memory of 4628	1952	chrome.exe	93
PID 1952 wrote to memory of 4628	1952	chrome.exe	93
PID 1952 wrote to memory of 4628	1952	chrome.exe	93
PID 1952 wrote to memory of 4628	1952	chrome.exe	93
PID 1952 wrote to memory of 4628	1952	chrome.exe	93
PID 1952 wrote to memory of 4628	1952	chrome.exe	93
PID 1952 wrote to memory of 4628	1952	chrome.exe	93
PID 1952 wrote to memory of 4628	1952	chrome.exe	93
PID 1952 wrote to memory of 4628	1952	chrome.exe	93
PID 1952 wrote to memory of 4628	1952	chrome.exe	93
PID 1952 wrote to memory of 4628	1952	chrome.exe	93
PID 1952 wrote to memory of 4628	1952	chrome.exe	93
PID 1952 wrote to memory of 4628	1952	chrome.exe	93
PID 1952 wrote to memory of 4628	1952	chrome.exe	93
PID 1952 wrote to memory of 4628	1952	chrome.exe	93
PID 1952 wrote to memory of 4628	1952	chrome.exe	93
PID 1952 wrote to memory of 4628	1952	chrome.exe	93
PID 1952 wrote to memory of 4628	1952	chrome.exe	93
PID 1952 wrote to memory of 4628	1952	chrome.exe	93
PID 1952 wrote to memory of 4628	1952	chrome.exe	93
PID 1952 wrote to memory of 3448	1952	chrome.exe	94
PID 1952 wrote to memory of 3448	1952	chrome.exe	94
PID 1952 wrote to memory of 1080	1952	chrome.exe	96
PID 1952 wrote to memory of 1080	1952	chrome.exe	96
PID 1952 wrote to memory of 1080	1952	chrome.exe	96
PID 1952 wrote to memory of 1080	1952	chrome.exe	96
PID 1952 wrote to memory of 1080	1952	chrome.exe	96
PID 1952 wrote to memory of 1080	1952	chrome.exe	96
PID 1952 wrote to memory of 1080	1952	chrome.exe	96
PID 1952 wrote to memory of 1080	1952	chrome.exe	96
PID 1952 wrote to memory of 1080	1952	chrome.exe	96
PID 1952 wrote to memory of 1080	1952	chrome.exe	96
PID 1952 wrote to memory of 1080	1952	chrome.exe	96
PID 1952 wrote to memory of 1080	1952	chrome.exe	96
PID 1952 wrote to memory of 1080	1952	chrome.exe	96
PID 1952 wrote to memory of 1080	1952	chrome.exe	96
PID 1952 wrote to memory of 1080	1952	chrome.exe	96
PID 1952 wrote to memory of 1080	1952	chrome.exe	96
PID 1952 wrote to memory of 1080	1952	chrome.exe	96
PID 1952 wrote to memory of 1080	1952	chrome.exe	96
PID 1952 wrote to memory of 1080	1952	chrome.exe	96
PID 1952 wrote to memory of 1080	1952	chrome.exe	96
PID 1952 wrote to memory of 1080	1952	chrome.exe	96
PID 1952 wrote to memory of 1080	1952	chrome.exe	96
PID 1952 wrote to memory of 1080	1952	chrome.exe	96
PID 1952 wrote to memory of 1080	1952	chrome.exe	96
PID 1952 wrote to memory of 1080	1952	chrome.exe	96

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Users\Admin\AppData\Local\Temp\2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-11_2aa99360bb60ff8325716cf078cd304d_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb4491ab58,0x7ffb4491ab68,0x7ffb4491ab78
    3⤵
    PID:4712
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1912,i,11497521847102033812,7111548967960584097,131072 /prefetch:2
    3⤵
    PID:4628
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1912,i,11497521847102033812,7111548967960584097,131072 /prefetch:8
    3⤵
    PID:3448
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2220 --field-trial-handle=1912,i,11497521847102033812,7111548967960584097,131072 /prefetch:8
    3⤵
    PID:1080
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3080 --field-trial-handle=1912,i,11497521847102033812,7111548967960584097,131072 /prefetch:1
    3⤵
    PID:4540
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3088 --field-trial-handle=1912,i,11497521847102033812,7111548967960584097,131072 /prefetch:1
    3⤵
    PID:2772
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4344 --field-trial-handle=1912,i,11497521847102033812,7111548967960584097,131072 /prefetch:1
    3⤵
    PID:3684
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4168 --field-trial-handle=1912,i,11497521847102033812,7111548967960584097,131072 /prefetch:8
    3⤵
    PID:4216
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4548 --field-trial-handle=1912,i,11497521847102033812,7111548967960584097,131072 /prefetch:8
    3⤵
    PID:3896
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4528 --field-trial-handle=1912,i,11497521847102033812,7111548967960584097,131072 /prefetch:8
    3⤵
    PID:396
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4900 --field-trial-handle=1912,i,11497521847102033812,7111548967960584097,131072 /prefetch:8
    3⤵
    PID:4760
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4652 --field-trial-handle=1912,i,11497521847102033812,7111548967960584097,131072 /prefetch:8
    3⤵
    PID:5836
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:6012
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:6092
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5136
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5328
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4540 --field-trial-handle=1912,i,11497521847102033812,7111548967960584097,131072 /prefetch:8
    3⤵
    PID:6124
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4180 --field-trial-handle=1912,i,11497521847102033812,7111548967960584097,131072 /prefetch:8
    3⤵
    PID:5572
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2356 --field-trial-handle=1912,i,11497521847102033812,7111548967960584097,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5208

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:540

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1656

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3096

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4632

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4028

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1160

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4760

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:840

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:536

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3408

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1664

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1928

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5088

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2204

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3416

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2368

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2816

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4576

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4364

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3656

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2720

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3080

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2176
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5712
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
5287b3ade05a22762149271526f6ce10

SHA1
d4c91d2814fcf9a650313bb57e5eeecc18f3e666

SHA256
fe2f1c462ccc23fe9c18ae0a9c22f117aa2d8ef9d01ca745875dd5d63d5f26bc

SHA512
2dc4f6b9b159a95a0cbe3092fef7ee4dab6d2a633c7cfb788dc33276709bb23d25d5cbd44a8f469bf5e55973472f4b717a19421333832415e05a1a601c9ced62

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
08b2dcc492dea221faa95444df16a41d

SHA1
ca0918c7d635c11496708156e94a2c09000d229f

SHA256
4e1b6d386b1e98abf17ba8f2f6d3d8591e0d9a21b48fc2b60322755f16ab3cca

SHA512
50c3b1339ab5cbf92eb12b2adedac58a7c6395d3f9f3e1df35802c5726764ccab011c3d617c3a6408695d209ec123c6c65d26aeb362e373462ad9e9db5706e24

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
bc802a1656160f63f797c02f8e4f7c7c

SHA1
1c5bca079410324ada3aaa533aabd6bc80ceea6b

SHA256
65358285f81b9b2161017915171f7dfab5093a15b6c131331efba0030cb80942

SHA512
0b19adbcd280cedebb7522d4365453b0d7f72e6f7bc5b69b6c00d001c4424662235ed22b83b41a89bc3ea48c42ee7b150dc78efdbb47661d01886099fb2d4128

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
f2dfb4c71fa8a68f6113e3f554f71be9

SHA1
8baa8a95040a9a01f27439ec443ac91569a53c0a

SHA256
602386f13fc95dd42d63994c48ed0584fa64e40ab06df71f7f589d67568a1c74

SHA512
c7be5ffe87a299aa9f93e9d4ca3683f3b5c249631671d84cdf70cce139040b5c9d60cc0c5fb88170ec584a58c330636769d5d1396eb0fc53effc1aea24353167

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
223d793acd800fb2a23a5b8400062497

SHA1
d7ad1d6a9a7fb8a00ae612dbe59307a1d2875d88

SHA256
c0e7203b90efb9a3164c11979944a746a1b52a09135182971656736d34499e80

SHA512
ad66d3cf9641e34184233d28a596d5261da39d489e1021bb15057c42718d560e958b87a1250203b3e7f95420ab0d4faf60f1edc0a64bc3a72cbe06bcf4767a5a

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\ef9cf9b1-48f1-46b7-8fbc-d5e9a85eb719.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
ecca8993047150870094c763386eb4e0

SHA1
e77376a1868359b6270fe9924477d645bd5d7d1d

SHA256
bc2822a5efb199dcc655254b162e8e690280697a639ba9b6901133798470dafc

SHA512
28eee493fd526ef4227665583b28d600954d71babf027c2aa6bc8d72684d4ebe8b84436dd75a7fe29b6d17c8fd91f27a08e4d9deb53e8460a518bd7c09ca297c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
2a2174272a0f8e949afa8c6f7adc3bd7

SHA1
7c269473769976583027ba15230bb3c75cf573a1

SHA256
95339c70cf723404c0cd06d4931c9eab0a72f7f8eec6d4d5b37e10e87ca01093

SHA512
57c81e71058d0ce98a27180189bb15b783bef36eff89f8f3f442f108852b2509de079246af5c4e5ff9e83f29fc27950b8249fe3c2f4658978972e4cb276f5284

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
d05a976b2d37e7de8980b002922ca249

SHA1
f2a48a2c555c35dd29f21fb4352791614696a036

SHA256
e778cd10401a026891451c520ced17318eeb37731725032e09c1afd8c5c273d2

SHA512
8071078c29335f45fc216caf4b2576748edc63ffff7e50e74f6f86c20b33621e71ad0f2f7ed54ecad7cf38951e1059750dc835a967361711c27fd6c0ef4cf1ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
c61dafb1c636e97ab42b7635edcb27c9

SHA1
31f7d7875bd95aa31fa2ad174930d20144072689

SHA256
5517cb121e84f5810923778661dfff529f5bae503cca639b2729053392338a89

SHA512
67448ea5385f009b519829818b1a40ead0c5b9969d7209dfb6e09af1977f5f80d7fb175b32e4ba53f7b61c36831c48790c40ba0d451276f49a0f33817b851409

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
2d5714e23c6a935f04645b65451ebe50

SHA1
f5d24a4d3b2a4a021a52872b13c3762e080e58c2

SHA256
40faf73c61bbff2929af6c9bbc31b5374283a9bd3ce7800e0263602991e2245a

SHA512
3faf9bd809831066896ab6e319cb1726a465efac0e1e1bf8eb4fb3ca19fb6e4db103c0dac6b009cf98dd67bff99a7e27b2047cb95f818589a944339f4fbc9353

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe576a43.TMP

Filesize
2KB

MD5
17452b252e572ce0e1d15bd52b3d96dd

SHA1
76e11b2ee8ae5cfbac60be4c4f1609879da3586f

SHA256
078b9af3cc02d4ce24f484c105def6fa6ab3b239269d39b503bd592cd8721ca2

SHA512
23c427290207f4496388e375917532a84121cd606cf36e804d2c30439167068e4eb43930ed32d406fa86cca6cd7f38d3c4f2f3f0bfaa9e157c6cec6e1e8546cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
99e1d45fa7d230b152e26fcac9e0468b

SHA1
03fac1add613ce640ad4c7d5220dad61ba610d1f

SHA256
3cc2cfee616506ba8c1ea349ffb731275012331676593b876beb111e529e8e54

SHA512
a9f00431039beced05c5ef6b5e49596a787ae3674cba63b9ae1fc7d9cef7e1756f3c985f9649498eb3c4acbbc45d68a92f07145019237f590473c182d4d69317

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
263KB

MD5
a19141c549f93576004f1276230ba427

SHA1
1da37cc98adfd29e9032b3c0c6ed7fe66f77b36a

SHA256
1dd4e5a39a46f207749ffdf4d9a74382250aabc1c98b52698a94d7230d01b336

SHA512
7ae26d52216cf977cc159e9bafe21ae2da13685950813c4088a8cd1006804aae847517be25f39f1ea118ee8f76b16d5fbc1bb671124fc23d22b1d95a9fdf2c97

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
fd1b98db144bce2a257d4af87c573bca

SHA1
2952654ebda8fd6ac01f1b1e46051a62cc02b093

SHA256
133e30725f79b4355cc3b65aebb7850a12270f6f877b229204a609d99b5db0fe

SHA512
2f8c7a84ba10b62d9f6ef715cbca38ab8f2788653bf211516730309cba0963a1c15b333f292b5a4c5abbbad15a659b30106ebc3b6aae21b8e1063ce193c185af

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
74e52c811458f1a6f58d7f8f410a93aa

SHA1
0ea7ba672a99cbf0395fefebafd2d4f6e9bda0a1

SHA256
987b910fea160a45f2716dc4eefe7e542e23894636a26c20b54161c46a7af062

SHA512
f8e41d46c808fcaf7a1bda6dff19c46ca00c73b8f904be78e1941d5247e0aa86786f88a4a9daa722cbad964ace5e022c9727b83d9125f37f584277f4366a15f4

Download Submit
C:\Users\Admin\AppData\Roaming\80a8d6b1d590e271.bin

Filesize
12KB

MD5
63eba2daff10aadf5008c0df2d5225f8

SHA1
42ad56d0834a4d2498bc84cb8cf6ca4b464c9fd1

SHA256
521fb5373f678f25c22bc791074849b071bd1ddf5d2ea190b7bf6129853d0934

SHA512
f40866db8cd0b7e3b05ce8158378928a4ab3ec790e614c268f216f4477ee3c03303e316bb7e4e888dfc6f39af06d0e8ee1df5f213f2bce0023a6a0fcd6df5901

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
697b2190468d40143af2f1eefdd0a2a4

SHA1
bed8fe9bd62bbf4f96c91924594ec38e75014ab8

SHA256
7467f650a6495af39f65e843e91ed80a36649531d965f1ce1ff492e9610c92a4

SHA512
f4965f5355c2dfb6ca28bd11b7ec8f8981c846d77a14dacc117eb4a79555e6151236f9afd0911297652390fd486e1d9a46d1eed3f1826492b62019275b00650e

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
abf1bf551551edb8c358c01966a724eb

SHA1
2099736654fc426a7b86e0d63cdf9619bafadeca

SHA256
f1fb250981da1586e9c178f5c9a81ee7b752c80fd63245ad5bd4c01883a77a89

SHA512
e021a1b6b48f3908814de0ed35a9ce414bc0362ed71d78383e13f9debfb1c1c56c626cb8c050e6dd253d0e1e5293d10559a38a3a15f7f447de473d4fe5dea9d0

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
fd13f77814bb9cc3f37af23a550721cb

SHA1
49e9d271b827276dcdcb06c495652d616c810dc4

SHA256
f2c31b34e1d40a6fdae3a2067af914742c4cb1998aeb166edd7a7ea4df94e9f2

SHA512
95836689a3925f39697be9f47d61bb740af5faf2e3cd57a1379b933438486ddb6b04347906dc4cb66c9349132e594befe845553d31bbc7c4c231d447ec139d92

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
f29d6ed499fac24ad0cfbd46c816ed9c

SHA1
a103501a1d22d34803dd4af53b1ae6e04e20034b

SHA256
8efabb8514bfef14ed5c68f921b0b0cbb8e2185be8546f3ac92496761e763e92

SHA512
250239544c91f5b1d25e77589d05eaf9851ace917640f85adad61b158aeac98a086a3b84df47837060f2b897a3e55758d58fcc0014b672db397cbbc77b2edecb

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
805c304198b374cbab91581f66b2c8fb

SHA1
eba29d347b458cc282b0402c2f097e0d3c1c2a21

SHA256
07833a6681c518d06b127923a141d9c4e2f66c560d4fbbd0b729989a1591f54a

SHA512
9c6ab71b9f8f5a6eef0325605d200688d0041d2fab701ca8a831c54942468d3397b117afe930b20c33e16e5ce4437d742bb43f947a4319f93b3b49034185c054

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
a9502da3ef4fac58be4f53b5793d15ef

SHA1
e660c74e52ffa955a0c170a0a9cef92506c1fee3

SHA256
69613ba42f53604baf2ef1c33928e3e5229f231077890ce47efed7eecb58ab6d

SHA512
c08cc975d8c2177581b2ddf1624987258b142acf9c027e4559fa13305660d424b0fbf1979be5fbf129a5c3b7bab488597f5efd7c81e318955596ac1745f20435

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
51d2e6ae298ae51447ff5930ac0bf276

SHA1
bf75d59584de9c556687533a1772af9782fd5ee7

SHA256
584c1bacdc2ef4dd2c772e16e2be3f74d74052c371796be7fd56677463114d8b

SHA512
377055fc5e1ab92d467bbb505f7790ddaa34341b7843ebcddd6593a737e8670719787c9c2efb0ca9749f116c7c46d7ef73a45248b8b9781692eb661ab0e51514

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
d610de6554d86d12d5c7b1df92ee28f1

SHA1
8aa28481282ea9ed4e8d094136007c7a1eac2508

SHA256
aad1b3e1582c8beab09b74d7b09ff3d62ff9a2cfc155281d559654daafdf94bd

SHA512
ed49f8e190a8e69566f3339b964e99833dd894a11ecc0576431d88f570db9ad8fe5e8235747e95a2a4ee6820fac6af3e0691c31666c539f9e15ced472786fcef

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
7e3108506938a66ffbda8e0f2141c93f

SHA1
ba089b1fdf7986d3d7bf4c602eec54aeb27cb4aa

SHA256
410d080b7a51c65095eb5773407c0cc4b1aa07f63488a125534ee05a95c90118

SHA512
35fdd3788f02f8b4910ab90f406cb5ea4b33d36fae40a6323347d2ff2e7890350412ca7d8aaddd040d2590d2e3cd98215952d73a4c960245ea4a6ee72b93a6f6

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
c3961cf043a14cc7c0bb4a70e23228a3

SHA1
b62fd633608b31adfa9fa291651dc43ceffb877b

SHA256
1aac1302a34a4d82c164e8cc403c404d90ba9bb88672f082ac13ca999782bc07

SHA512
a8bbfdaa761b0bc7d5bf3ee30e7d122162368ef9c1d5312ff92c45956aadc2505baddc434abcee1043c91a5fac68de87dff1e3af8e237240cb28fe172e003703

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
3f1a6c885c0a3bc039d110e541d24230

SHA1
5a396453b61118e87d845ccaa989658575ada5c3

SHA256
064d6cc518dec56ebf96451392aa881a72af153987e7bad094a0fb6ff141c252

SHA512
8559b73f5fae6eb884f02772e0db220a624c76483f51e69006a696a33827eb033725a15646720e101590dc2788fdb6a8266fb7e9cdbabd3aa668530d57b0da30

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
d0047c28a26e5afc0cbbe701a86f70a0

SHA1
2a2610823dc9bcc5c1e8d4549533f3412d47839f

SHA256
5183b314c728f67db9459ede8a46749a135b330f6b033e00475ec2cc08be0b97

SHA512
9351aa3e65336b89338f275ceec14f1d21e0c987ae7a25083d300d1cb5e2a1cd0757b1c1accd82409e8bf6d500f0a7bc4239ee545b1afda148487f481ebfb00a

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
a69a0f12e3bccc7a64f0f94f0ceeb658

SHA1
725755f4f520174ffe4160f5de12c8b2584ece58

SHA256
77af488cb9457e87c057cc030a78756ba6619f9655f5b022f594a6622f9adc95

SHA512
44c6ff1f96aabd5dcb7ef552410a254f4514bc7d880bfba3c82f16d1f9f129a03c65d0e7cda8e23899ec911bbddd9fb5528621606f984bde70d245523c47c425

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
8bcd51c5b527b6831917d83429ebd951

SHA1
a901ed19cea124ea956ebc4bac982fb4bebe31d4

SHA256
4775d01d18d8a59e387a5b89eb8fe1d8ded0019c8a717a7b673cbd526ed251c6

SHA512
adeb6c20dd026cf501ca70faaa9b5b75222d6852fa2acb088cb608aa549fef0f05cf52a05b07045a96c211e2fa4300cb2967291738ce5bf94f8c9b674890855b

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
602f9d21375a2811a92f111636787da2

SHA1
6c0badc2c6cf36392c9dba98aa53a6cb0977d69c

SHA256
98847006c2b892c6c10c00c62b94d0792e670a128b56a901f652896f74ba0c95

SHA512
661ba012ade0e6f6d60c4b09da73410a1baaa85d60bcd62d44a5f07e885dffc70e908864f62766537aaea18c89bcd46a20ef94d0470f49c6ad0a3e2c696daf1b

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
f7aff4f5327932d89890df2f1dced67d

SHA1
e24f35f912f214e78028f1ca2c78f7e7b26d9c73

SHA256
3167d277eebc773d88e71825cc60b0e1658cbd1f311b54ecb454679ee131badb

SHA512
6ce635cb18a58d6263136ffbff9536c66bf5f911fab8021ff50fe063cd329a3548be779adf7d442e9081bdb61ac52cde1ba5444d72231476e35b0eb65671ee83

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
4d6487cfc723353b73ad7d801780fe29

SHA1
a14f1dea20babbbae425a4a93cb5fdc62107bbb5

SHA256
41f85c2b49f4ef8ddeda90aeec51091343af422855fc96cda4e4d2500f8c5b91

SHA512
fda3f8c3cb253e83684164a7f47e8740c56869f7edecf01b75c6283c6297b6b80e1955d10956226050e006a568c8a306390a0649d0bb4e217b468780ba625ac4

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
bcb8fe8ae762911e0e8551348cdd84ca

SHA1
17e6834c5021f50c088eb62c78684e3771e93f03

SHA256
cb28235ce8418736ef544572628619a4ff6c8aa6b0b9eb4b1d6abe575e5fff8f

SHA512
1423da1df826d6d7b56f2c62093f60bf296aa04d2be842f6f7f91bfb4fbc3392b7b2757411c9f6a5b92d434fe9a1c07f7aa2e2855328ba24bde224584bf79040

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
95c33cc1969930fefbdb95f99b2a9882

SHA1
cd2cd226b2c6f6de0bb090f9ffadb8e643a23970

SHA256
53b715becb7434a9ec7cebf218a7397d5c30fb50f6d3ac578728024f00ba194e

SHA512
c5992c3d6c1d20ed54d7e8cee2d3ac42d929812b770ae770881b4d09475b23cdd5afb323f401ca81bee5566f09638581f8e86b717bfdaf11596e7398978070d6

Download Submit
memory/536-128-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/536-290-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/540-183-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/540-31-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/540-40-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/540-39-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/756-20-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/756-11-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/756-17-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/756-179-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/840-127-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1032-236-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1032-545-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1160-91-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1160-247-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1160-89-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1160-83-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1616-29-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1616-0-0x0000000002090000-0x00000000020F0000-memory.dmp

Filesize
384KB

Download
memory/1616-6-0x0000000002090000-0x00000000020F0000-memory.dmp

Filesize
384KB

Download
memory/1616-26-0x0000000002090000-0x00000000020F0000-memory.dmp

Filesize
384KB

Download
memory/1616-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1656-207-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1656-53-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1656-51-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1656-45-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1656-52-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1664-313-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1664-154-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1928-180-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2176-338-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2176-734-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2204-208-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2204-508-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2720-730-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2720-322-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2816-248-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2816-557-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3080-325-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3080-733-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3408-144-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3416-224-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3416-522-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3656-720-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3656-294-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4028-69-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/4028-195-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4028-68-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4028-75-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/4364-291-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4364-683-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4576-267-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4576-263-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4632-80-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4632-78-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4632-57-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4632-58-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4632-64-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4760-106-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4760-94-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/5088-660-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5088-184-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5088-337-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5136-546-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5136-583-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5328-736-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5328-562-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6012-520-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6012-594-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6092-531-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6092-735-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download