14a9fbc45afd61f9a851cb86556b234284acf7e655ce0a5a0771a94d8bc94f32

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 18:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
Size

5.5MB
MD5

d24b0340804294489154ec41dc23b29d
SHA1

4a13e5ed5c3672bafc95c94b5512d526ce4d737c
SHA256

14a9fbc45afd61f9a851cb86556b234284acf7e655ce0a5a0771a94d8bc94f32
SHA512

d9ead4f380194f177f256ac989d5fd7c625c57fd974c8839b3ec898cc65b8554a27e74e7df37ea890eb7952285cd7e70d8c590081af27e84b528965f5edc5c9c
SSDEEP

98304:ZAI5pAdVJn9tbnR1VgBVmGYjQHiqPtXBeIM:ZAsCh7XYxYjVqPdBeI

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
2828	alg.exe
1020	DiagnosticsHub.StandardCollector.Service.exe
3696	fxssvc.exe
4620	elevation_service.exe
1892	elevation_service.exe
2944	maintenanceservice.exe
4308	msdtc.exe
2620	OSE.EXE
1332	PerceptionSimulationService.exe
1180	perfhost.exe
4388	locator.exe
3580	SensorDataService.exe
4572	snmptrap.exe
4348	spectrum.exe
2412	ssh-agent.exe
4456	TieringEngineService.exe
4940	AgentService.exe
2432	vds.exe
1428	vssvc.exe
2988	wbengine.exe
3096	WmiApSrv.exe
2400	SearchIndexer.exe
5756	chrmstp.exe
5940	chrmstp.exe
6040	chrmstp.exe
6112	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 26 IoCs

Processes:

2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exechrome.exemsdtc.exealg.exe2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe

description	ioc	process
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4c8549f27489627c.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exechrmstp.exechrmstp.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	chrmstp.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files\Crashpad\metadata	chrmstp.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{0C98199E-BC2E-4534-8EDF-DBB11EF8974F}\chrome_installer.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe

Drops file in Windows directory 2 IoCs

Processes:

2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchIndexer.exeSearchFilterHost.exefxssvc.exechrome.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002a386fe29699da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aee1d1e19699da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000051a217e39699da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000073f6c5e19699da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e68c00e29699da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008e31c1e19699da01	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exechrome.exe

pid process

4988 chrome.exe
4988 chrome.exe
3400 chrome.exe
3400 chrome.exe
3400 chrome.exe
3400 chrome.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

4988 chrome.exe
4988 chrome.exe
4988 chrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

pid	process
4988	chrome.exe
4988	chrome.exe
3400	chrome.exe
3400	chrome.exe
3400	chrome.exe
3400	chrome.exe

pid	process
656
656

pid	process
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exechrome.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2952	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
Token: SeTakeOwnershipPrivilege	4856	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
Token: SeAuditPrivilege	3696	fxssvc.exe
Token: SeRestorePrivilege	4456	TieringEngineService.exe
Token: SeManageVolumePrivilege	4456	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4940	AgentService.exe
Token: SeBackupPrivilege	1428	vssvc.exe
Token: SeRestorePrivilege	1428	vssvc.exe
Token: SeAuditPrivilege	1428	vssvc.exe
Token: SeBackupPrivilege	2988	wbengine.exe
Token: SeRestorePrivilege	2988	wbengine.exe
Token: SeSecurityPrivilege	2988	wbengine.exe
Token: 33	2400	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

4988 chrome.exe
4988 chrome.exe
4988 chrome.exe
6040 chrmstp.exe

pid	process
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
6040	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exechrome.exe

description	pid	process	target process
PID 2952 wrote to memory of 4856	2952	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
PID 2952 wrote to memory of 4856	2952	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
PID 2952 wrote to memory of 4988	2952	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe	chrome.exe
PID 2952 wrote to memory of 4988	2952	2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe	chrome.exe
PID 4988 wrote to memory of 376	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 376	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 4672	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 4672	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 4672	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 4672	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 4672	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 4672	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 4672	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 4672	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 4672	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 4672	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 4672	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 4672	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 4672	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 4672	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 4672	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 4672	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 4672	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 4672	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 4672	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 4672	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 4672	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 4672	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 4672	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 4672	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 4672	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 4672	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 4672	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 4672	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 4672	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 4672	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 4284	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 4284	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 1312	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 1312	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 1312	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 1312	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 1312	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 1312	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 1312	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 1312	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 1312	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 1312	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 1312	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 1312	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 1312	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 1312	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 1312	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 1312	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 1312	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 1312	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 1312	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 1312	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 1312	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 1312	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 1312	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 1312	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 1312	4988	chrome.exe	chrome.exe
PID 4988 wrote to memory of 1312	4988	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Users\Admin\AppData\Local\Temp\2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-28_d24b0340804294489154ec41dc23b29d_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:4856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4988
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffed2f1cc40,0x7ffed2f1cc4c,0x7ffed2f1cc58
    3⤵
    PID:376
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1908,i,2476855928061703150,8226469969662299883,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1904 /prefetch:2
    3⤵
    PID:4672
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2164,i,2476855928061703150,8226469969662299883,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2176 /prefetch:3
    3⤵
    PID:4284
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2236,i,2476855928061703150,8226469969662299883,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2588 /prefetch:8
    3⤵
    PID:1312
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3064,i,2476855928061703150,8226469969662299883,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3112 /prefetch:1
    3⤵
    PID:5056
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3076,i,2476855928061703150,8226469969662299883,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3316 /prefetch:1
    3⤵
    PID:2108
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3840,i,2476855928061703150,8226469969662299883,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4476 /prefetch:1
    3⤵
    PID:5156
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4748,i,2476855928061703150,8226469969662299883,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4756 /prefetch:8
    3⤵
    PID:5672
- - C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5756
  - - C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x2d0,0x2d4,0x2d8,0x2cc,0x2dc,0x140384698,0x1403846a4,0x1403846b0
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:5940
  - - C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\initial_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:6040
    - - C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x2bc,0x2c0,0x2c4,0x298,0x2c8,0x140384698,0x1403846a4,0x1403846b0
        5⤵
        Executes dropped EXE
        
        PID:6112
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3680,i,2476855928061703150,8226469969662299883,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4920 /prefetch:8
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:3400

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2828

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1020

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5080

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3696

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4620

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1892

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2944

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4308

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2620

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1332

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1180

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4388

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3580

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4572

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4348

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3744

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4456

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4940

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2432

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1428

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2988

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3096

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2400
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3536
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
9cd69506b1a259519c9726b01d16f2cb

SHA1
bfd7dedc10d0ac8a7b50004d730e85c97e5930e7

SHA256
8f2bd64f5e2807a3da1880a8ea65e04e601f52171e6673a48bcd84c68328c380

SHA512
6a9ea2c50b68c3c7a8e2bc1ed6b56ee78f80d8c82b886dc2d2a5bee0088ebcc52322e50e21b4c225dd12394eb5a558232660aa06a26b2a2fa9163aa00761a05f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
ac71cbaf57c7f9381de775741aa466f7

SHA1
c49f9d28915718369ad2d8e30b1222585f71eea5

SHA256
e029c78f3a213ed30fa461a25430a15a7fab645b2a0ce10a47b8dd9638161bfd

SHA512
b938187cfe0aab1120b1e250896688a03ef21849cdc48aea9da565a6ac9baaf9d2f241fc6d4301322a21cb021b0c87e01944bd3876ef33f9de158af035c79542

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
9c3e1e5018bffbd330e63b945b15c774

SHA1
aa520235f772761f58c0090168dce6727049c2ed

SHA256
08161db5d5a01198565fdbc84db74466fcc48a6522f83d00b14b53d85518697c

SHA512
8a6189b089bc2acb6deba3d5a07e40c6312efe61736871b3f1479e722ec56caa226518219d5f7848b29a44841e649e6543528b247985f0bc72f750efc12bb126

Download Submit
C:\Program Files\Crashpad\settings.dat

Filesize
40B

MD5
21051c2d2b882db5fd154d892912f80e

SHA1
efd828e31a80c5bfc0eeacce5e107bcbfcb4ac45

SHA256
bd26b7fc11b6811a1569980ded3004fd57ad9de98942460f30db817694b879ad

SHA512
5b8f81ce088beee3e198a65294d026952265795ce9d8bdd8b598a241905c14ba89110cafa9bb4b9af1d97c188b91149d6084ef7bf3b4cba320d6a39722f8f44e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
74c31fb6934147ddd387f9a82d49fe3d

SHA1
b22c50711746717835fc1713af24c7e8adbbb410

SHA256
f80d5689779ffc2af136264cf7e0c92dfa372bd0cb418c7abf2f793adef2f765

SHA512
635598710783eedf5a087a19adc1c6464ccd00ee68ddaf440b6462737a2450f900fcbaeadbfc0b4668125703dc7d867e4ac5974196554bc6139a13e91ce36f96

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
620c2ef10ce58acce103dcb13eaad41c

SHA1
4c8871e9101cb8fe4d2de553b9ba5c1921a00fba

SHA256
111111c8e17770fcbbe7c319e541a41db3f414cabf57a4f40a53328d701aced9

SHA512
6380d37b0a553d641237458858ccea84944578522ac03e7ae6582eff53a9acd98bd289134034b8a49ec9b292909aa124bd39981afeba06bd2f258e88bba52e39

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\95076544-37f6-4623-a44e-15de4df96d7f.tmp

Filesize
520B

MD5
d7bdecbddac6262e516e22a4d6f24f0b

SHA1
1a633ee43641fa78fbe959d13fa18654fd4a90be

SHA256
db3be7c6d81b2387c39b32d15c096173022cccee1015571dd3e09f2a69b508a9

SHA512
1e72db18de776fe264db3052ce9a842c9766a720a9119fc6605f795c36d4c7bf8f77680c5564f36e591368ccd354104a7412f267c4157f04c4926bce51aeeaa1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
9004bc1bee001b93b08953886e8a52c6

SHA1
a6c7f275723d0e9e0bb11c3704581586cbd2d2b8

SHA256
6216545a3b3656fe635fe88765c329250fc5d8a654866fc7d3114611397eeb96

SHA512
e72957b68b3d20ba0293192d7ff2a89fc904eb6fc1df2b22167d46142dca362c15080d626c6f7b71e29447c6b2a980ece13ee3b12bf08da36d708c7f67cda1c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
e4339e087eeb9e797393bc3373a6fa92

SHA1
b6c003e4dd9dfd7325549abc7b2d609a5ee048aa

SHA256
ccb08e214461478d03e7471a687b9a0aae025fbbd5bcbde25c9c567436aefe34

SHA512
4f7d992cd943e059baaa07126007c465a3f1938089358ebbbbdba47d082ce2bf07d632c24b6bd2733fc05d99c4f70808d68051ddc377ff26a758df64b95cba8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
192KB

MD5
a8cf54419129b874864cf206392ece0f

SHA1
2d8f78e5d6951faedba3257d5794227f34c50967

SHA256
b8a7649c907c010db609d7143f3f0601a385b9cf803f4b0bddb449c41151cc1f

SHA512
02a77857be5123636fdc44791f6cf7a4532fa53e34576be7f6ab21da51ef400fc138d7dda6a2880b2b42ddb22a803a1897e4f95ea3479487af61a199c7929a8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
8b4f9f1da98adb4b29a3e7a28154a52a

SHA1
47fcd0c934187b2a8e6d95512463517227970a2d

SHA256
33d689de293b3289765b2edb7d4afe9dae993f97771b0b089ecea3802914d513

SHA512
31a3709ecbf1bdb602ffb16abf6766360974c5ea2bf11756464f5319aba91552e1b4d6de5f50561576cc4c39fb1f3913e60ec5332df1538bd84ea1210780b048

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
3c0ffd21e51f4fdbf28bfa15192e2df0

SHA1
a91b0ddd7f9a72a5eca3b528613a5b75e7210ea0

SHA256
02015fc918780c43ce30da4dcb637b1823ca6e6142e2b0e65217d8afb7ed464c

SHA512
96667083df7a4b66b3622e6717851671c89fbd6728d134bc6852291a1f60007fe19c1c383b2870d16cffef6230d64c5062115a130df2b3bb5ffcb0c6453f7231

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
6c602d4311ff90d9bdf1000db3a263ce

SHA1
13e7a56e7703c47a3670235116669187806e6538

SHA256
163e15c2a280f850b98e677ed6da4c0edd6fa37a09fb7c9f23467f06253eab19

SHA512
c4a352f829b6d27b0dbccb4506877bd10fa70b35f1e189bdf5df8febd516b7add8074cf9e83269d0b36c4901d6edd59ff534dc99e17da3d1d911ea6891e0a582

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
3401ce2e8d8b74a611f2250174d607f9

SHA1
bec5909aedd526833685f568c911460a26b9a89e

SHA256
1b4c02aea3b41e710283e13e8acf59ddb738a913f5eec75449f52c2cd31e995e

SHA512
e98013f33a028238ca16b144ac025c028ddcb94dc29e7900fd2694477efe9caa573a0433a25d8bdb7ca9d45ba371bc81effcfe62aed23aa48d9f4afec74b417b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
623c8f10fe1de3404a9b4b775d5af43a

SHA1
42af08ef068d2e18adffc9b24d1314985b696bcc

SHA256
b453d652c526d81d95319bb53b2d8aade7315c29f51b287005f62e3f5282f0b2

SHA512
45e47be85cb040a7dd103d8b877e66bdeb512f98aba2290f6aea1f353c03438c27eee1f2c98c351158a0e4ab2f55155b180bab14dcd17cf3dcb6ee5326ed274d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
42493189562fa8043f4ba484666dab13

SHA1
12d21e747ea902617737fe5236a02e0e97296a56

SHA256
a16fb2a22f4d431d0cb8f28b7bad219478e6cf5132353a3478d8fd4a945c751e

SHA512
466a703e63c07700891e5fb60611968bb260e72e55c7894e9a473356e24cf265ce761005df067844815c78601f54d46061ddaad4d574a53eba986a15d175d5ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
b707c64648f011e4b4b0fc52336517be

SHA1
31043483adf4a9005ca1342da7b6cdcdeec091da

SHA256
ff8ca1ce1ca9e3e40ce60bdd7995dc33df42aef64835bf24a3ed717a703df375

SHA512
a2408201882a04b497bf072f0f8baa0e9b2f8fee430de4518e36da49c46559f0e2c0c8bf24f2d367d83f5265b94e900e6ff0e9c62af64b1c46db1fb22b3673eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
36e69f95a078172f84f557ed42ebb924

SHA1
298088d4a7020e134f253673cbe0ea944bfdf0c8

SHA256
2ac180499d84b42d30961fe157b46b9565c7c066342db31204fffb8bd63fb28f

SHA512
658c39e8f38ed922c104a748b81fdcb45d01ca26c4b8fbb033734bda5d8af3a44bc131a7d1e7f8a9b12a6e6e5c5199aafdeaa0f87970d4fdc9eba3591993944a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe577a8f.TMP

Filesize
1KB

MD5
d8c020453a9745d3cb6e966101a2171d

SHA1
599f394ce1fdfc46c360ccc073892dc2dc98eb4a

SHA256
f739329dcdf0bc11443f2eb18f48b5f721183d20e9269cd2ed983d35021db35a

SHA512
9001b06ed627273807c8cbb383febb231f52bf813074896f4f6a7ab20ccb0463ca135f36524934e4586bd872877a8a128f60db53d1591ec8a166d4bfe0894723

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
b566726cb024f344b61fdf8112f2b9cf

SHA1
a541c3559baf8d86cab284acd0723b99973b33f4

SHA256
6e48bb24c72f5b407360d45d95d39dec7279d1649e7b51feb8009feff5f2cfd9

SHA512
672f236d9f4f4a2af0e072183607d5982e1eacc4f7172af237447517947eebefda103ea58494eda470ee5427d7643844e8b2c9d720bf275cb5493df6ad592b75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
508491e4a37776db0e51b4f4113add34

SHA1
b1519d1da73b3d0fd1b300918a6f979d2ac42f39

SHA256
993954a8d6f25197d22d5db9dca11023d1795a75764f44a3ea5d1b63456ea9e3

SHA512
20504dcbcd81749fd2006687d8dd805a43500edb0af9d90dfca04d8df6d7b4da6020867978ee62e106c404dd973c6c7fce6df1f44cd551251d9587fe872614ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
39d2704310340b81897d2e005a8aae3b

SHA1
d96be77583b44b30093c650f6ea52fccdc6a3fda

SHA256
6c71350cd382d78d2f3035e8f24013f6f3ddc0ba086897e55c31d00c883d0954

SHA512
f9f28e9d8003a532a998df52e191b2d373145567f32b998a7404d056d11fa58f80e4f13b8d04cd1c64b8b2a18acb381161c0d39a13ce5b3eecb6298d725234bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
0b8972187b5c1b7bfe752fc46a035d29

SHA1
c47add2faeb422b33425a250109894b8a0962ec9

SHA256
c794b7e4d876bcd6783da8af065b754fa1388aa9ee13c065ed0091ca51234b49

SHA512
2ff7b88a6e6abb8f8e037027e64f1e6c179a1961c0bb6091ceca99798c456e96a0ce7e94405298454d2f35ae4a98b3ccf7663b6963a8fb15d759b01715341778

Download Submit
C:\Users\Admin\AppData\Roaming\4c8549f27489627c.bin

Filesize
12KB

MD5
1e7ca73ab50c3d4df2d5b76eca7ecaf6

SHA1
4ec2005ab0a002640f9395837d37af657ea4018a

SHA256
32de5cf066980fb18d0c5038010fc74e5ac2a1977aa9dbd04dee1c627d4bca6c

SHA512
9253a05420c6877773c0f34110d3d86cb4ff458b8755796ef332d2030f1914268d2b6d258f1e410244e2f309f165fbe602f556f3c1069dbc2ec514d9045e3dd5

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
2ec15ac0970052eb9ba815c6a52a3a59

SHA1
4bd81d2d1a669133f242ff495a831e619172bea4

SHA256
d8f009b47a787f1c32cebf2530b0acc06807660a5b576698224621ff6466fdbb

SHA512
60344ede287f926caf534fbebe0bebd05c210e11d29ea5e19ed5818c3fae0607f50c2d59a6c9d9ec8d424b02c974de18182ae151d644d9bff5396e45de6dce0e

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
260ea63f41e3b9727ec65eb9fd3b9388

SHA1
e6b3c31e95d372a392d2c6acfa53f77bc5e23148

SHA256
79825179ecbe94bc3fdc23d74a77ab4ac40de040b1b643252d678983a1f80492

SHA512
03f988d490b87b8831fa2c20b9fba45a4c8597e322e82a71912155e76437c592943d821d0447f0258c1bea89fce5f05f0684428732d8ce73318ab2a574ad88ff

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
6dc52fb065cc0ca5181a12fe1deb653d

SHA1
7976f5aed4b5e9c5e66e60a467adf6d0abb49bdf

SHA256
4dae3aa7f2abaa9e382145b99b071a068bcc3ef0cc2e79acd3f6b4f7fe823915

SHA512
f3357593a62e136236e795873d3889d140be4eaac9a42d8d161e7a31b1a9aac91a4a3401ec15f66092c470cc270b14837eaafa1191edee64ac44d1ef74433225

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
a2d8602a550d8d1fa763135de34ca699

SHA1
8d059b76bf0829ee793b89006f4fa66f7dfacc5e

SHA256
99bb334b9b1766eedaeb5dc7a3b817d56c622fcadfde77c763bdc0d4e4753746

SHA512
86f9998725212dc3be675b1230dfd0618c5c5ab90815b0bed414d8c3a890d161e9affafef1caf315a781bc0e7f3e7a82354cd567cd45df827d32f778fbb748cf

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
099edc846679956f207d8afc8f505f33

SHA1
4455d6c8030377cf449df9899368ea798180f872

SHA256
4501662271634eb3dba233c1c19387e20e55bae86444b7f6249c9c34900d6702

SHA512
5157f1595c639e451e5c28c9d6fb8e47f4a43498f42a2795125fe5245d8fe209e773ff32d9657a9a7f1ad79f491106b540abbbbe03562109593123b852895fd8

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
a3a486ffcdffd0617cb517ae5b3345a7

SHA1
3d6cf23672cfa38b5f9be1711cced58f1a79fbec

SHA256
017fd56abbc0d1088d2f311f7b4b1a56970897afdf2ae885e22e4b4e70185298

SHA512
08268af414f60524be92049379808f7684462268f8a20e9a3e0838cd9ecbaeb02617e26f938edf19cb7a53fc94b6bf7a05b2c7de61322246d93628238791f5cb

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
e4393dc253faac978611a9bacb37ff1d

SHA1
953c24a5a998f7495ddb90e275d715942ec7f78d

SHA256
93621abddd11e485aea426526bb92dc3516d79d8317d1278784b0b3276827816

SHA512
8d6760819e911fff55b03dbd7d9159024bd2dc0d1d28584d07acdd25855a83d0f55875acf1b93ca9e3523030a3cd14d4dadce6f29197937cfc331e48247bb814

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
78029a3aa0720499640bd6bae16d04a6

SHA1
90f8ee89ed86d8e64e4f30adc1ca211e38cd61b7

SHA256
59b2c299a031585fc228bd30c101f09078b6b5d4ce97dbe66b953d6fb3d5b224

SHA512
5199ccbaa7617ac08df6202bc1ae2977e3a8a109d41287a9c567755b4d390f81b220ef7ab6753fb3a051505c431ab4c612f61685f04976bbc7e0810c10e563fc

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
5d2cb59fd9946e9ee0c0931594b91b9e

SHA1
36259a294a387547e9d8dada52a66554eebb972c

SHA256
8f824f432036858285b91f87363683559a49f8df02d50a8247ce4f3ab24540fc

SHA512
b041d8130e2957009c6c5a634a9cde7ea8dee77a6fdc04014d83f0afb18ae3a5c8ffbad212b34fb469568e034fdb0c23d1726e4f910354a2edf2605c3f26f82e

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
18d0703bfd8c3f272cff130f3d3a68c9

SHA1
8b6ca629881557a6f5ba20972a8d1cdeb55d4eaf

SHA256
9425130516d25cb0d675522a65c3f75a8f8014d5927cf1dfdc6b1909bc6faeaf

SHA512
dbad0f3501c6fd92bd7f9e5fff466313742fcf65eccdc630822791e6b014d7cc01a072023bf83ebe87b7f51787ffd9ba378507ebd413ccb4aba9f593275c1b2b

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
163bcea82edf43f70d0fc1f5a14b4e27

SHA1
48979dc0152b2f5a7b679e4cad365553d1532125

SHA256
1d0b922a53570a84917381cd96ae6b62ffa6ba605e2693142c5811ce1c3cdc32

SHA512
ffd947fe369287e199dff815c27c9bd17f9e8562e01a1067f27e96aebd49b185faa8c5ef3c17cdb9bc0de21ae6726aaa5481afbf1543fe5a75a5424596e7cc47

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
1e1798d93b6ca76530d05c450cc085bf

SHA1
8831a3ea3133c402957fa8a05096a60754fd51fc

SHA256
19418266c772b95855186c3e34b12496a06e67f9909fa500d6fd57180ca810c4

SHA512
1d0105f83ebff30ff410802ee1baf7d6e98d1bfdb33ff39eb1ade5e7799af5ad74fca7118d8a9caed37bdda0b002a9beac3de2c996ec1623c63b60c48c820d00

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
5d68de09a66c892644b50006fda31ad6

SHA1
5695415619045f8b463f9a0952dea867675f9233

SHA256
74cab9fc589c8b1c57d3ef8722c6be664153ac224c8d41967348aaf7fc50726d

SHA512
827a5b9b3efe737d3050dbc10f464b0a49215c7c617c41202c5711c2e9936676fe85bc05dbb2bfe0d80aaa30fc003e9ed393ccdf2749b44a61eaee55035c1918

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
52394b0370163a1d3c03b8198e87f452

SHA1
16b6a0abfce7b8bb11f4ee5aa7fea66fd460d026

SHA256
4553ab1910b2379a01636910c1c1f139312529359715e100f410be6c3e54082b

SHA512
1230b8a86dd7923cffa635700c5c03d0920a3e3a67e2dff459e8e13bbf98fe621c1035fca075a634166e594d5831bc82b4c99cb7b4f8fb6e3c02d4df132a6a18

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
a14dfe14673070deed61c1dc1207cd23

SHA1
88f6e3d08827646dca681d8b3fc9486d5e9f4454

SHA256
01373d69e5d5224e90645344a39435e113945b2c30b08b0e37f67ca41e6ef1c3

SHA512
5d7a00c276cf6cf16d1c89fcfa1eef6679c24ec3b909b90656ccf211ef0d02e3fe45d73d32dbf45d3f0b810dc3ba2f722f16b54d9758ee24cc63a0d5797f2da1

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
edf26af70d648842acf86abef36a3e0c

SHA1
031bda477019f768335a05501995561d05e07494

SHA256
88880eae3e284c2dd43f547931380a35b4e9c831922d7b8782387274c96f6a0a

SHA512
addee64da9b9deec8095a7b8797dd5b94e88ee7cca0f1bf885d13b0b3b55f5c3a6b11063e4e6e6e10f19ebe5276c0eb035632693086f4c75e7d1673d5fb0a065

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
265c35a3caa643211566f36e7feace3f

SHA1
3e0fcb0396a8e32525121aefdd4e91dadf401bff

SHA256
c719275129ec9ce809c2f2b5f6efbe4cd8edeccbbc929bd68c43472647fea854

SHA512
a13bfc6b55cc64a7472e9768bef2db270dd45ddb4df36709e38332ae6572204817b424fb20eb69d3412b6895b554dab2b74871ab46e7b7a2f03b7f027e6beb5c

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
4193dc96ed8883dd4cbe719c02452b7f

SHA1
8b260cf2c16a0ada491d6acb7dccfaac8a1851ef

SHA256
1bcd063bf564a33f372bc5c371c6f5f5939ae0ac405a04a3079e031eb949f3d9

SHA512
c1675f0508a4793b73d9851731ab81a35c035628c285e3c8073313023b7e85de97163d20699a5b38635e384dd5e34a7eda1620cf32b316df1866f1665d5c1cd9

Download Submit
\??\pipe\crashpad_4988_AOQBNQGWJJONUFCI

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1020-41-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1020-374-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1020-47-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1180-390-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1332-389-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1428-411-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1892-379-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1892-74-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1892-80-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1892-656-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2400-657-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2400-429-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2412-400-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2432-410-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2620-388-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2828-373-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2828-35-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2828-29-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2944-96-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2944-84-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/2952-25-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2952-22-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2952-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2952-0-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2952-9-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2988-419-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3096-423-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3580-614-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3580-392-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3696-51-0x0000000000960000-0x00000000009C0000-memory.dmp

Filesize
384KB

Download
memory/3696-71-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3696-57-0x0000000000960000-0x00000000009C0000-memory.dmp

Filesize
384KB

Download
memory/3696-60-0x0000000000960000-0x00000000009C0000-memory.dmp

Filesize
384KB

Download
memory/4308-386-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4348-396-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4388-391-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4456-407-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4572-393-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4620-63-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4620-486-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4620-384-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4620-69-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4856-20-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4856-18-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4856-655-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4856-12-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4940-207-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5756-609-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5756-525-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5940-658-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5940-546-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/6040-598-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/6040-553-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/6112-668-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/6112-570-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download