45c453b8087857477c1c34f3d0ff59ffc50c373c617b3687ea800a2a09db4801

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
Size

5.5MB
MD5

9a9c969dc29e9169cfaffa88566083cc
SHA1

0ba65d3bc3b734b9b103f6e49b71353a7562e960
SHA256

45c453b8087857477c1c34f3d0ff59ffc50c373c617b3687ea800a2a09db4801
SHA512

cfd3bbacfc51382f9825dd4a676cf6e9ed67ece4819b09e67939f508d2bdc0a1db17f0d6222c71cdc21fcb02c2607c898832db04aa1a04a61a3a3b3cccce0b1c
SSDEEP

49152:WEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfr:sAI5pAdVJn9tbnR1VgBVmgUtRM

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
4920	alg.exe
2336	DiagnosticsHub.StandardCollector.Service.exe
2388	fxssvc.exe
4900	elevation_service.exe
4768	elevation_service.exe
4124	maintenanceservice.exe
4736	msdtc.exe
1704	OSE.EXE
3532	PerceptionSimulationService.exe
1052	perfhost.exe
1420	locator.exe
3260	SensorDataService.exe
664	snmptrap.exe
4056	spectrum.exe
4960	ssh-agent.exe
4060	TieringEngineService.exe
2076	AgentService.exe
956	vds.exe
3992	vssvc.exe
3832	wbengine.exe
3564	WmiApSrv.exe
552	SearchIndexer.exe
6048	chrmstp.exe
6116	chrmstp.exe
5300	chrmstp.exe
5428	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 26 IoCs

Processes:

2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exechrome.exe2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\73716c1eaa61dacc.bin	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exechrmstp.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	chrmstp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_98703\java.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{544CD458-F493-4888-9A56-33661A7F5454}\chrome_installer.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe

Drops file in Windows directory 2 IoCs

Processes:

msdtc.exe2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe

description	ioc	process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exefxssvc.exeSearchFilterHost.exeSearchIndexer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ebc8115f9f99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f859e45e9f99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bc48b25e9f99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000012e7af5e9f99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000006ba7a5d9f99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000030bfa85e9f99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000de96c05e9f99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exechrome.exe

pid process

1852 chrome.exe
1852 chrome.exe
5788 chrome.exe
5788 chrome.exe
5788 chrome.exe
5788 chrome.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

1852 chrome.exe
1852 chrome.exe
1852 chrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

pid	process
1852	chrome.exe
1852	chrome.exe
5788	chrome.exe
5788	chrome.exe
5788	chrome.exe
5788	chrome.exe

pid	process
656
656

pid	process
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exechrome.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3048	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
Token: SeTakeOwnershipPrivilege	3000	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
Token: SeAuditPrivilege	2388	fxssvc.exe
Token: SeRestorePrivilege	4060	TieringEngineService.exe
Token: SeManageVolumePrivilege	4060	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2076	AgentService.exe
Token: SeBackupPrivilege	3992	vssvc.exe
Token: SeRestorePrivilege	3992	vssvc.exe
Token: SeAuditPrivilege	3992	vssvc.exe
Token: SeBackupPrivilege	3832	wbengine.exe
Token: SeRestorePrivilege	3832	wbengine.exe
Token: SeSecurityPrivilege	3832	wbengine.exe
Token: 33	552	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeShutdownPrivilege	1852	chrome.exe
Token: SeCreatePagefilePrivilege	1852	chrome.exe
Token: SeShutdownPrivilege	1852	chrome.exe
Token: SeCreatePagefilePrivilege	1852	chrome.exe
Token: SeShutdownPrivilege	1852	chrome.exe
Token: SeCreatePagefilePrivilege	1852	chrome.exe
Token: SeShutdownPrivilege	1852	chrome.exe
Token: SeCreatePagefilePrivilege	1852	chrome.exe
Token: SeShutdownPrivilege	1852	chrome.exe
Token: SeCreatePagefilePrivilege	1852	chrome.exe
Token: SeShutdownPrivilege	1852	chrome.exe
Token: SeCreatePagefilePrivilege	1852	chrome.exe
Token: SeShutdownPrivilege	1852	chrome.exe
Token: SeCreatePagefilePrivilege	1852	chrome.exe
Token: SeShutdownPrivilege	1852	chrome.exe
Token: SeCreatePagefilePrivilege	1852	chrome.exe
Token: SeShutdownPrivilege	1852	chrome.exe
Token: SeCreatePagefilePrivilege	1852	chrome.exe
Token: SeShutdownPrivilege	1852	chrome.exe
Token: SeCreatePagefilePrivilege	1852	chrome.exe
Token: SeShutdownPrivilege	1852	chrome.exe
Token: SeCreatePagefilePrivilege	1852	chrome.exe
Token: SeShutdownPrivilege	1852	chrome.exe
Token: SeCreatePagefilePrivilege	1852	chrome.exe
Token: SeShutdownPrivilege	1852	chrome.exe
Token: SeCreatePagefilePrivilege	1852	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

1852 chrome.exe
1852 chrome.exe
1852 chrome.exe
5300 chrmstp.exe

pid	process
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
5300	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exechrome.exe

description	pid	process	target process
PID 3048 wrote to memory of 3000	3048	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
PID 3048 wrote to memory of 3000	3048	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
PID 3048 wrote to memory of 1852	3048	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe	chrome.exe
PID 3048 wrote to memory of 1852	3048	2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe	chrome.exe
PID 1852 wrote to memory of 2964	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 2964	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 3160	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 3160	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 3160	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 3160	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 3160	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 3160	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 3160	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 3160	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 3160	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 3160	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 3160	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 3160	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 3160	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 3160	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 3160	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 3160	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 3160	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 3160	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 3160	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 3160	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 3160	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 3160	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 3160	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 3160	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 3160	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 3160	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 3160	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 3160	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 3160	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 3160	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 3636	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 3636	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 2020	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 2020	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 2020	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 2020	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 2020	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 2020	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 2020	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 2020	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 2020	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 2020	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 2020	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 2020	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 2020	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 2020	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 2020	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 2020	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 2020	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 2020	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 2020	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 2020	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 2020	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 2020	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 2020	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 2020	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 2020	1852	chrome.exe	chrome.exe
PID 1852 wrote to memory of 2020	1852	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Users\Admin\AppData\Local\Temp\2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-28_9a9c969dc29e9169cfaffa88566083cc_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1852
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fffbda9cc40,0x7fffbda9cc4c,0x7fffbda9cc58
    3⤵
    PID:2964
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1920,i,6039886545489744549,5218926238837635487,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1916 /prefetch:2
    3⤵
    PID:3160
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2148,i,6039886545489744549,5218926238837635487,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2176 /prefetch:3
    3⤵
    PID:3636
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2236,i,6039886545489744549,5218926238837635487,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2416 /prefetch:8
    3⤵
    PID:2020
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3104,i,6039886545489744549,5218926238837635487,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3124 /prefetch:1
    3⤵
    PID:1220
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,6039886545489744549,5218926238837635487,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3160 /prefetch:1
    3⤵
    PID:4564
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4552,i,6039886545489744549,5218926238837635487,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4588 /prefetch:1
    3⤵
    PID:5272
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4748,i,6039886545489744549,5218926238837635487,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4760 /prefetch:8
    3⤵
    PID:5952
- - C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:6048
  - - C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x2cc,0x2d0,0x2d4,0x2c8,0x2d8,0x140384698,0x1403846a4,0x1403846b0
      4⤵
      Executes dropped EXE
      PID:6116
  - - C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\initial_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5300
    - - C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x2c4,0x2c8,0x2cc,0x2c0,0x2d0,0x140384698,0x1403846a4,0x1403846b0
        5⤵
        Executes dropped EXE
        
        PID:5428
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5044,i,6039886545489744549,5218926238837635487,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5116 /prefetch:8
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:5788

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4920

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2336

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3380

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2388

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4900

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4768

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4124

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4736

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1704

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3532

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1052

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1420

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3260

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:664

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4056

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:452

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4060

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2076

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:956

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3992

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3832

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3564

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:552
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2120
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
54b8773ed4a74ea790880e5b9a816f28

SHA1
317c610bc12f5a793229963d3994183089669415

SHA256
64e5216ab8609241bbf354426765bf68419868b46bbceba2fffedd87afcc5a29

SHA512
96459433eb834cd83444d7c3d53f2885424c209cb6aa231d3ecd4f30fb7376d3665b0c37d67e66baec581afa9a314bc13ef28fe9be188bb2d55ff176230adbf2

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
05d09447d4b05840e1bc4ca3f46c41e7

SHA1
f13bcfdc8bdc01d70fc541f8adcc8d3268d1f91c

SHA256
96ac2182c5d680cd9fbe00ba904ad3774a7235ebfeba919463f0c4b1bd920271

SHA512
59a702e51230eba1b10803b6efbb9eeb55149f6fe65944b6a47ccc2087bbefa156ed7189cb55e5b86eef976eb3e83c53c51df22d933373b423be7892422aa62a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
314712d09f348872b42d7939cb0ab803

SHA1
9daece0b2862beb02c5e492af78ba1e242590c4d

SHA256
d3c5a5a4228290ffb3e8e0f4dab4f062b9d5f7a4ea7ce0d819011e100ed6d642

SHA512
a338f8206b0f8e2189f16c8118c8beb0a6d11a4c9bda56af380e832f4fdb2b7ab9e5a775788fbbadc5697318dc92ec6e58bbd7fd46e4555c9450e86a97d217eb

Download Submit
C:\Program Files\Crashpad\settings.dat

Filesize
40B

MD5
7404d467b2fb89e4e84776aa412bad2c

SHA1
fb32e21aeea74145df18cfc71af67b4e99c7df19

SHA256
8786c85561e8a3742609386f8eafbc94aece005a0873ee05af5912711f67864a

SHA512
22da866486d4f764bbac8b4ce8314220b58fd5c3d77c71d260e90f6d96050e330d2fbcbfc607e61ead472e8fe4e1305f769406ffd57d4d202e085e2af97ba51c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
bc5234782e02bd840087b92cfa1e1fea

SHA1
cbeff146a0af5f20c79baf2577f60af116ea6ec5

SHA256
6af7d2003a841db57cfebdb1c28dc1d51712d1d4bc48f15cd33d661ec293aa09

SHA512
c235536364ef6b110378aa2def11ae5cd0b54fb4a93d6e1b12df128b9f2c37da339c5a3dc1a1fd28cdd85f36157c428a89810ae8ca7dc238d6240592f7f89ad9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
907e963e032479e2f3797d158ac72a8f

SHA1
2eb8c1f990f56f1269c43b33c7032cdc830459f1

SHA256
24f0de3fa4d769cb74320cb52f11503445babd28bd4e639af885e63bbcdbacd9

SHA512
8e4002b679a17011aa7aa7d139dd13908b4d365c4349e409afc1da3493dc9254900fa67d9372901a402b74532bda77fd6409f2489a4f16559e275b71976e0f03

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\138d8735-b270-45fc-afd0-fad880a65775.tmp

Filesize
520B

MD5
d7bdecbddac6262e516e22a4d6f24f0b

SHA1
1a633ee43641fa78fbe959d13fa18654fd4a90be

SHA256
db3be7c6d81b2387c39b32d15c096173022cccee1015571dd3e09f2a69b508a9

SHA512
1e72db18de776fe264db3052ce9a842c9766a720a9119fc6605f795c36d4c7bf8f77680c5564f36e591368ccd354104a7412f267c4157f04c4926bce51aeeaa1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
84de0a91a6815867b0c57141c9b5f93e

SHA1
0b8e3909000cdc324863f4a7b0de705771696629

SHA256
7625d1d37e6fa04d1f0076633d869a8cfa8b1e3df21ee2c90759d95d8366f220

SHA512
fb2bf96eae1956673fc43bb58da998469827b91d54ea2ba48ae29348fd3f43cde3bce6e1436146b56c3e03868941b4dd576246e41670c53675e6c9fcfa781677

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
0c4e4504a605d3dd776bc4b1ab7ec5e9

SHA1
27c22e4893369665f966c867934f1647f5d8ed89

SHA256
c300d996c8d57a75bf6c9a0d8e0b42d7cb65d2b977fd72e3ef489bf42d22983b

SHA512
2a3184c9dfc3c2d2a7cfe0d78fe316a821976942ae605a7f080ff3d856c3565f6fa731c35c836075bf957129b050f06dd4dd80b648271d0eadc5845411f004aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
192KB

MD5
a8cf54419129b874864cf206392ece0f

SHA1
2d8f78e5d6951faedba3257d5794227f34c50967

SHA256
b8a7649c907c010db609d7143f3f0601a385b9cf803f4b0bddb449c41151cc1f

SHA512
02a77857be5123636fdc44791f6cf7a4532fa53e34576be7f6ab21da51ef400fc138d7dda6a2880b2b42ddb22a803a1897e4f95ea3479487af61a199c7929a8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
8eef11429dd2e24cd49b326804bfcaac

SHA1
d283a64315477236d330b92ddcc68ef45baca83f

SHA256
89a164fe11842d067346a64f8bd285422f32da53b5a06f9570fe84bea5a2d6ab

SHA512
abe789dc2475ae8aad81e2abc1458183f8862106cec9b2d9ea8c2b7599f1db22bfd9ade9e7560f6fdb8c5270af50e50bbc6453d01c8f745642f26bad55c9220c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
adb4b614cb791bae92b8e06dd724e0b0

SHA1
68c00022de86270be499a894826d91661aa708b2

SHA256
cc946a8e2d0860b0cdfdeafa9bd230c0b1fe4bbadda6d9419ba59926a2f2897b

SHA512
1b55c502b395e258e0f5877b9c85bf7395a7c549b6e5f801ec675b4f2a9104fd19e84312159f466c68c7d90d74ef6ff9049504181c7755ddbad7ce21a86a7f28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
9225ca79e7c7ed0fb6eeb9aca340026a

SHA1
037cec9809f2d30197f3652b541a2f2a65bdc22f

SHA256
7c9e91867988b330850343a669bddb22093fce8450ce86606c41895037e0690f

SHA512
e279dd3757213aec93cf35615fc4def9f4d413cf94b3e916c960f227ead812044f5c0d92e737fdcb47d0d594e5d58b2500e077bdf5bae74b5495033bd07987be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
d09a73867b472a462140dee20a32abd5

SHA1
a0a10a3c2aa38be1d2f10282f659ea1f101553a4

SHA256
5364a9617d0ed3fed51441d8e4c6f45ed8626ad7a3db216715deea101b70ae64

SHA512
3d8d2b0b3ed075b0a9cf269a91fc8198ce05647bc3f038b0d124a98d855e732ae2942e6e1380f586d7462cc32f4042d0f9bc19d26ef0f921e6248eceb5b39290

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
8c57d05aeeb28698c8480fdec9650321

SHA1
87567649e20b1bafac686740a8e977bcfb319af1

SHA256
c148d2dd6c228ef4994c9d275a2147ff5ce0ad1f14cabd5f69568fd48d5e952e

SHA512
4818bf7bb359cfda6bef616b0c0f7e1536737ffbcbbbfe1416c5a7630ef80853c0986450c50f27cb838bc61ac05389d00f222dd66d158303b9cf64a9f7dad2e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
64a39eec233bb39c7385844259d9282e

SHA1
f5060982ac718e32bc83028f4aee5156ecb3b5bc

SHA256
cc76395b0adac9568178d552eee4608858bc8478c3568b99418a6cac8f8618b8

SHA512
b306e7beb5febf0730871ef22ec812bb4e48c3355a7ae4ccebbc2aaec7deccd13aafbe5030083dfec50e3c4dee8f6445fa294fe2ef8d33c30da25254ffd673dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
0a7eed987b6ab551cd2549244b7a5e53

SHA1
50a7506a0226c96ffef93fba965e578ca262c022

SHA256
f363e8629330984cc3b5230181c6521eba8a4ed5d441ecfbe6868e0e12322cc6

SHA512
3a794fcab1303b690edb9f8779c12707f3752ef73affbc678a1e44cb71f629a662b16ab28dfa761991044ab86d475f86c321eca18cdd9bddf66263c0cdae3ba7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
4b2058e081917dd18f8c61bae5b6548a

SHA1
7b1da5d8558b23f3a3280b2bdc1cf1060e0f11a2

SHA256
ce69baf20f70e5de52c2acbc341a294370f1e059dd24ecec76c04d452be74cc4

SHA512
6e70f968727252fa78356b63393652f51427b8653d6d622c137a9422e515db39c12f0c2ab40f11c32494f01a5f9c22ce3405883aa1ab13eed057df4ec267c57f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
ac0f8a976c08433c734d55a639592e30

SHA1
5df0990f4f5676eef38570be6ce2c4b58c14fadb

SHA256
bc12fd0f9e09857b383ce50dd8d43890c74a1b56d6ec2b71e9d4fa1bb070f91b

SHA512
6bf8e6a55dd161b59072d9bf0d0a41499afc8382939871695d2e739ec90f9a6942813c1be75a261f660be03e592eda1bdd46a6f3b95cce0ae2c002d5a3f8cbd7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
a98d5d25973183e967c20f3608d33e0f

SHA1
cfb656940733717d59ca9f4dfb98a186085184e4

SHA256
fc13edd8afb8d2c2b5634d615cb39f13c079be4f1ce29800c98c79dfb2090229

SHA512
017007db1f141fa6b0150b6be622ecfc1e882f31007dd73329a9a9a36a1b00750468f84da7bc10d360400073ba9c0eb2b707711e89c3a32c7650e3e76cd83dfd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe576726.TMP

Filesize
1KB

MD5
54394ba89cb7d1ccae61e1a72e930d91

SHA1
7b2c679c8076573cfacc024692c3dddc1f551c8c

SHA256
a470b0ef5b4a484126b7e7fce3c3485e80f580a99ff4f57f04770059949368e7

SHA512
2428291f125894b426348df6a0f3756fd26c7786ea2aff03d89aaae77d409f09a5b8512bf06633a70f28fbf86793ed26c6ac3b67cc411b907e49cd3d344e8cff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
725081de820532e3ce7b67d9c44c8e88

SHA1
c029d042fe7641b95d493ef10b0b849f67e739ea

SHA256
691c447f2d528bef8f83288341bb79b183d528dd37e6c48463a996976245ba97

SHA512
d500b6cc07dcbeb6e572ace5ea809017a0793be45bd634ba4c75bc386ead5eac386a7eee94f387919b9c83ffb68cf343c2656d9a668f780bb56164fdb66959aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
1c3083c85dbd90771c333618a1ab66b7

SHA1
a3cf9aa2ef5653f6b1134bfbe488d0271d66adf1

SHA256
3543b09d037b8983e02b379e454c6c1e7ce4f4a761db4e47318ad50ec0d24806

SHA512
5b17bb72cd2890a00ebe87214498e981eb832693c9ce28d63d7c809e64d790b8be83b90cf18edb3534fd75b5c69cbef1acdef9174622de0cb115df063bd40a94

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
b4b889539adb144ef0cf029eb4c3fdcb

SHA1
ed5ba6d3b04aee396eeb10389b0f4bcdf86c3a05

SHA256
f70a4a0545470d7890f4ce420bbb621203a694b4bfa562b6e8dfe3756abcd0dc

SHA512
c87b3b38f4fe069336edaea7246321efc1643ce8f7a06d12f06bce6c4101c0121ce5348750ff1aaf9f375512e589b921952c6648a0204352a6a41bb23a4fe155

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
333a04759e10528836967e3125a35a62

SHA1
e2ab36fff75396a1ae67411bf4f6b2c4b4a8a49e

SHA256
ba7b651e4021efea6b08e9560999ce3a279e8de8598e921517a0bca555e96c4b

SHA512
8c06596cdd7963167515a7ff7fa1773b078c7303695d287bdd9b6411aa66a06e20bb06bf70f29efb6e114befbd263eb90aa46aa77be900ad5286bbbda8b50628

Download Submit
C:\Users\Admin\AppData\Roaming\73716c1eaa61dacc.bin

Filesize
12KB

MD5
8339eb38b3ed96aee5eec311fc2c7474

SHA1
7a77b0f4a49dc89d6384fbdd5b2d33942056692f

SHA256
a9fc153451bb9fda35734afad0ec2618d0f6d9e1e5942e6751ced4b72390200d

SHA512
a106c7f24152031dd46482e0f4b1c37e2caa9ac4ca257977972e1bf8da78a9435fc5a077d63abc6a6027d8ec508fbf19ed7ed0edd7a0cfd03028455368a4eb44

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
9a1596b1c744e48a44fb3ac51512a8da

SHA1
979ab86f9a249e72e155113b60a535a2fb264aa5

SHA256
88bd356c8d4dc4aef691f85e9b2bb53709db4d92f74ecc9da03071fb8c849373

SHA512
9e47d703f36758e99cddb9427cedb375492d2d2a55e3a7a226da069aadd241601fb9340f1bd4cf338f7c63a3494ed329f2700d1ac3cacd239e33f03b4e708b4c

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
56edfe68ed9d410733a71b725a9c4907

SHA1
9cf4dfcc8b0a2df72ea9ef434e00e37f789ec294

SHA256
304f8937578924a9f16af289e1fda6a0e99d399c06e7c20b0d77acf3b152c5b9

SHA512
e8f21db75c2ed82489426f44b5aa67b3de8d1f595b9518d92b16f6aa0f0c543d5051dac9dbad5c98f4435fd0191d8af5e0e9cc0cf28499a79ce9a89fc5c76c61

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
be767cf11c94314516b6ea955baf2574

SHA1
821728aacbbcc726b0a4a5560cb141e0c6b0e18c

SHA256
1d04451c751e4a4de8b41b886c1ec6d68faaf9d89a7936bbc6d93a645dd6a337

SHA512
335e3941bea83a403a46f61a212ef74778d1c10a204348ba9decac9c127ad9a7be34d748a6f689ae0af0d21f5a51f27b15c1b13fc9840d12cccdb08026b3347b

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
c109bea9222c14d91aa2d758d4d344cf

SHA1
1998c8b23da27a3f8790b35bba4607d48146695a

SHA256
0670baba883d135ac60fa8c1b99b76fbda2996c04d80a94bd07f2d697776a84c

SHA512
b6c0e96657dc624be35e50160d5fa09fd25e5286afc1b8199d51a555b97c5794e87ba433412baa46e26f3998ad0fe4c5298c8c1e88d636b773edacae73aaddb0

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.1MB

MD5
bc16f5bbde7e65aedd2f65c367f7d2b7

SHA1
65c3943b26ceb9839ef290c2b553dd3a533bbb47

SHA256
8d12a50b06067b89599e5d66976991b01c6bbf825c9307fd3df0fc6a6a558bb0

SHA512
f1739889ef09f5ede7b740021c3840f21977a1c6bbe5b811fdb3778688387bbbeeb70ff9b8d410a002ccef068167d7bdd8f72d26cb327548aecc897da5a6b358

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
a31085f9389304247c3aca1fa6f5bb78

SHA1
d441b4e73f689ddc4c0d713cfb7875bb3c7efc7d

SHA256
895897843c4a4580d970d2212cc7ab6be6c512800c7ab2e18aa39dce061257c4

SHA512
37db2bb215051dbed0900f62f7eb942efe5f4284561329c2ef0086d008862f8116456f01b1a5adaac1ed286e0d1cab0c69a6a6733ab524d901c9688e82d0bf67

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
d07cbe3eecd9a544c5df62ed42985b3b

SHA1
a0c4df9f302c688750e03e8ad059e4fa26156ac0

SHA256
7418d6794c31f104401dea643257b70f1cafa585827b20db57cf3ad51cdad8f4

SHA512
25bcd4d5171a1d27f6abb3534d37da80d0094233972b598cc3ce99c20b97c62c065f2e82db36dd37f4f6feb03240cb7f5e5ec947da4f2aba7b5a9f72e090b70e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
06286583cbb1bd69a010f452e16e9770

SHA1
2e8c4532499c0b386368b41e27037b9d93d9ae4e

SHA256
ea79a85437fef52d86f7fdeffb19a860e869d575698f7b38bc2eb3dafa05875a

SHA512
c2fb324f087dd803d6d442c072edbd5a7c8ae4b81e64febf838fb8f8e8fd1280937b91757fd1069e28e247743fe25c744e4cc89203e8789dd48a43224b5da42b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
cf48eb3fda2da3e21c2108707f379ca9

SHA1
53888c9178072ed8f9654598277ac9f54058b361

SHA256
52df0bb80f5dfdd66494231f23076a42263384d063ac6d4105717010866cdece

SHA512
ccde41a6720ac221eec04e3ebbc5e1c4a7a945fb61afe1e29b16101c1f9b64b1981eb1f1110bf2722f5db28a7d712140b31b5311b5b430d8bef4050212d4bd1b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
cc85cc63758a93cbfe34b21b95972889

SHA1
b8255a8989653864d938aa9c32cf8c90f831189c

SHA256
62023655c8238c2cefd2ec365163d355372c33c7ca1d3528466e000cdb63eb17

SHA512
7f2eb9c181065e84d30df7d7036ff347c2332a64e90ca535eedf01a55c9a8f40cdc36b60b13e49d11f161aeebcecdd2614dfb6731bc07050befba4a02c26140c

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.4MB

MD5
6ce733a4934b4f0a24f48be62fee2bb9

SHA1
0314a6d9275f54342ccf237f9c3b2dddf8ec2f36

SHA256
3ce75d65420a2b7815c6a6c3ac8fb6162cf2dbf69b5b9654576a1543abdb9fc7

SHA512
64644a0485c63d505a666f9bd0e35b872bb501baa1a0fd7e030ac9eb15d5d1f1080da23d03f71c60539cc51c77265974a0105f6f82899775e9365ef06fdc459a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
c2a6787c4a5caed9e32da92ea6a7001c

SHA1
fb080e1e58fa4884d8309ef4c73c5334c45d710b

SHA256
f4e490b75240f90bf3ed7cd63f07f197ac598605d0bd90cf446bbf6126c6e49b

SHA512
24bd46bccde58eecb9e5cbd7f377788fcd741601a3d3d1e6e81702d8beb219b46df3bdb6419d682b8da9de4000f4d58049495224605d48052f785629cba8d6b9

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
9272cec9912b51b9dd973f1791f02469

SHA1
7bbeb9af6236e74ab6b90da74b7300682938ff2e

SHA256
995464f96e4419127350d9766e223f27778fa1d5ee447b9b219a73881b1a0371

SHA512
97a316e59c03adcde2033db74a7619922663f20bb5f4822da233253eed978facb04638961014e264e322168258e242232e74e401eca386dbd0d3a1c89955df28

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
20ce05c4b9081714e2f4e05004526ee8

SHA1
aacddb7375d146599b539c463e530daeaa1afa10

SHA256
17df42eda2305a4d8f567e497ff75e399baeaf880d28c96e8459eab250cc6a88

SHA512
54fe7c4443709eea00af625fb034f67323fe48580b69fbe60e5f72dc1898a274d0470ce83453fa2dcfd16b5621e7aed84f2406e8f6be8a3437cdbf50583611ff

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.1MB

MD5
5d50624f14b8379072aaa841cbc635d6

SHA1
8c691c48551bbc3c0520d8fb7eeebc80660d6b00

SHA256
9cdf45ceb4fa2f961056d7d401a5d0bd9c2b010f641de0eddc703e47295494b5

SHA512
71b554b5082d381176108c043fc82a286091c549059cb47150d3cefde17a9d0ea55cd144653ee6b099a481a8918c91811000de06e0c001904b78b71ba4e487d2

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
bbf4eced8dcb5841faf7b17226ebce21

SHA1
9adf821dcfa1a0c5eb37c7e93ae3f09de4159bab

SHA256
30a18dec45ca932a076c94d9bcb333b65cd40eb0dd60541dad4085794ef8c53f

SHA512
939bd2e51806f2ad784e22dbd8b9b6990587efbfcd4793e3209135a63c2064b68a8d662324ef22c0024e59ec3d6f4fd8132efc96145b6fe016017d7cf1ba472a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
30dd0184f991866c27ad7d33c002de96

SHA1
71f0e8e825fd802a4ec06bda373ad55b665f4545

SHA256
25be23dafb98e2af61b39d64f4f42aec1b855db9c616ba63afd595edf7b24224

SHA512
5610d0c1a0bd5da61de31355ea034f78d1a4047a5c1bba6fa9c3e062823699d1e9a9a8701a944aae02ecfa03fabf3e02dd0a09bb0113b998e9485dd498632383

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
fb2bdcce77df4b2228a548b70bf982fc

SHA1
571119c5e7412e1d794d8f224917f0fadbf5fe52

SHA256
da4311642a24addc13d6487b66ba5933b380fa7571bc46d0015c79e8249137c6

SHA512
4f8e68b4ab9c8026b43d3329e58cf3d403b45c84667a102fc69b41ca0cc4a76bce0677bc2fa87ea700d6ac6e4ae529bc426e51a667dad17cf2e76b8369f7b0a8

Download Submit
\??\pipe\crashpad_1852_YBAWHJRXMIKGEFAZ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/552-347-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/552-708-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/664-332-0x0000000140000000-0x000000014012A000-memory.dmp

Filesize
1.2MB

Download
memory/956-336-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1052-328-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/1420-329-0x0000000140000000-0x0000000140129000-memory.dmp

Filesize
1.2MB

Download
memory/1704-323-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/2076-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2336-56-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2336-55-0x0000000140000000-0x000000014013D000-memory.dmp

Filesize
1.2MB

Download
memory/2336-47-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2388-80-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2388-78-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/2388-65-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/2388-59-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3000-559-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3000-20-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3000-12-0x0000000002100000-0x0000000002160000-memory.dmp

Filesize
384KB

Download
memory/3000-21-0x0000000002100000-0x0000000002160000-memory.dmp

Filesize
384KB

Download
memory/3048-9-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3048-23-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3048-41-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3048-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3048-0-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3260-330-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3260-592-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3532-327-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/3564-344-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/3564-707-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/3832-343-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3992-337-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4056-333-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4060-335-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4124-104-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/4124-92-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/4736-322-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/4768-706-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4768-320-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4768-88-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4768-82-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4900-69-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4900-321-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4900-75-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4900-453-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4920-38-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4920-705-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/4920-37-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/4920-27-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4960-334-0x0000000140000000-0x0000000140196000-memory.dmp

Filesize
1.6MB

Download
memory/5300-554-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5300-571-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5428-719-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5428-560-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/6048-523-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/6048-582-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/6116-718-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/6116-525-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download