kinsing | 50683ddb36493bd018c5c0a69ba63ce2701506e9de05a2149aefcc60e2c7afea

Analysis

max time kernel
152s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 17:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
Size

5.5MB
MD5

5b138f089323333e78c979e4dbcae22c
SHA1

4b773efe47b437372b41e00e175d52e65f358c4e
SHA256

50683ddb36493bd018c5c0a69ba63ce2701506e9de05a2149aefcc60e2c7afea
SHA512

a46a9dba97ea79c8b6b0b90528d2efa9c7eca54daa927efac0fd8f577bcd3aae5ae4861455b477f680d0398a2e00b0c096f59b5f887b80312e7eac58594c0b05
SSDEEP

49152:lEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1bn9tJEUxDG0BYYrLA50IHLGfU:5AI5pAdV9n9tbnR1VgBVmDB2Yyjl

Score

10^/10

kinsing loader spyware stealer

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
5080	alg.exe
2916	DiagnosticsHub.StandardCollector.Service.exe
1128	fxssvc.exe
4624	elevation_service.exe
4100	elevation_service.exe
1932	maintenanceservice.exe
3048	msdtc.exe
3716	OSE.EXE
1140	PerceptionSimulationService.exe
3956	perfhost.exe
5076	locator.exe
5160	SensorDataService.exe
5592	snmptrap.exe
5740	spectrum.exe
5912	ssh-agent.exe
6052	TieringEngineService.exe
5200	AgentService.exe
5332	vds.exe
5428	vssvc.exe
5484	wbengine.exe
5524	WmiApSrv.exe
5832	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\alg.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b6b27a49c92b1ccd.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exealg.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_127968\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exeSearchIndexer.exefxssvc.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e6538206b14fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000084dd88fcb04fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f96a35fcb04fda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e253bdfcb04fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eec51e00b14fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f5e5fe00b14fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ef0b9e07b14fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006e7e6a06b14fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000094899cfeb04fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000077e69607b14fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

chrome.exe2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exechrome.exe

pid	process
2216	chrome.exe
2216	chrome.exe
1372	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
1372	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
1372	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
1372	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
1372	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
1372	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
1372	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
1372	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
1372	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
1372	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
1372	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
1372	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
1372	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
1372	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
1372	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
1372	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
1372	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
1372	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
1372	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
1372	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
1372	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
1372	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
1372	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
1372	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
1372	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
1372	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
1372	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
1372	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
1372	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
1372	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
1372	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
1372	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
1372	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
1372	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
1372	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
4624	chrome.exe
4624	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

664
664
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

2216 chrome.exe
2216 chrome.exe
2216 chrome.exe
2216 chrome.exe

pid	process
664
664

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exefxssvc.exechrome.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1940	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
Token: SeAuditPrivilege	1128	fxssvc.exe
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeCreatePagefilePrivilege	2216	chrome.exe
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeCreatePagefilePrivilege	2216	chrome.exe
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeCreatePagefilePrivilege	2216	chrome.exe
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeCreatePagefilePrivilege	2216	chrome.exe
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeCreatePagefilePrivilege	2216	chrome.exe
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeCreatePagefilePrivilege	2216	chrome.exe
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeCreatePagefilePrivilege	2216	chrome.exe
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeCreatePagefilePrivilege	2216	chrome.exe
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeCreatePagefilePrivilege	2216	chrome.exe
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeCreatePagefilePrivilege	2216	chrome.exe
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeCreatePagefilePrivilege	2216	chrome.exe
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeCreatePagefilePrivilege	2216	chrome.exe
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeCreatePagefilePrivilege	2216	chrome.exe
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeCreatePagefilePrivilege	2216	chrome.exe
Token: SeRestorePrivilege	6052	TieringEngineService.exe
Token: SeManageVolumePrivilege	6052	TieringEngineService.exe
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeCreatePagefilePrivilege	2216	chrome.exe
Token: SeAssignPrimaryTokenPrivilege	5200	AgentService.exe
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeCreatePagefilePrivilege	2216	chrome.exe
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeCreatePagefilePrivilege	2216	chrome.exe
Token: SeBackupPrivilege	5428	vssvc.exe
Token: SeRestorePrivilege	5428	vssvc.exe
Token: SeAuditPrivilege	5428	vssvc.exe
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeCreatePagefilePrivilege	2216	chrome.exe
Token: SeBackupPrivilege	5484	wbengine.exe
Token: SeRestorePrivilege	5484	wbengine.exe
Token: SeSecurityPrivilege	5484	wbengine.exe
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeCreatePagefilePrivilege	2216	chrome.exe
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeCreatePagefilePrivilege	2216	chrome.exe
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeCreatePagefilePrivilege	2216	chrome.exe
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeCreatePagefilePrivilege	2216	chrome.exe
Token: 33	5832	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5832	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5832	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5832	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5832	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5832	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5832	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5832	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5832	SearchIndexer.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

chrome.exe

pid process

2216 chrome.exe
2216 chrome.exe
2216 chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exechrome.exe

description	pid	process	target process
PID 1940 wrote to memory of 1372	1940	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
PID 1940 wrote to memory of 1372	1940	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
PID 1940 wrote to memory of 2216	1940	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe	chrome.exe
PID 1940 wrote to memory of 2216	1940	2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe	chrome.exe
PID 2216 wrote to memory of 4004	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 4004	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 4704	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 4704	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 4704	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 4704	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 4704	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 4704	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 4704	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 4704	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 4704	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 4704	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 4704	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 4704	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 4704	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 4704	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 4704	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 4704	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 4704	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 4704	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 4704	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 4704	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 4704	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 4704	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 4704	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 4704	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 4704	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 4704	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 4704	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 4704	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 4704	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 4704	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 4704	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 4704	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 4704	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 4704	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 4704	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 4704	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 4704	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 4704	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 4756	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 4756	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 3980	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 3980	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 3980	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 3980	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 3980	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 3980	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 3980	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 3980	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 3980	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 3980	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 3980	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 3980	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 3980	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 3980	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 3980	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 3980	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 3980	2216	chrome.exe	chrome.exe
PID 2216 wrote to memory of 3980	2216	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1940

C:\Users\Admin\AppData\Local\Temp\2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_5b138f089323333e78c979e4dbcae22c_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d4,0x2d8,0x2e4,0x2e0,0x2e8,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe353d9758,0x7ffe353d9768,0x7ffe353d9778
3⤵
PID:4004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1664 --field-trial-handle=1816,i,5638467432884533933,10808115708395776344,131072 /prefetch:2
3⤵
PID:4704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1816,i,5638467432884533933,10808115708395776344,131072 /prefetch:8
3⤵
PID:4756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2208 --field-trial-handle=1816,i,5638467432884533933,10808115708395776344,131072 /prefetch:8
3⤵
PID:3980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1816,i,5638467432884533933,10808115708395776344,131072 /prefetch:1
3⤵
PID:3392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3068 --field-trial-handle=1816,i,5638467432884533933,10808115708395776344,131072 /prefetch:1
3⤵
PID:3804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4580 --field-trial-handle=1816,i,5638467432884533933,10808115708395776344,131072 /prefetch:8
3⤵
PID:820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4876 --field-trial-handle=1816,i,5638467432884533933,10808115708395776344,131072 /prefetch:8
3⤵
PID:4764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3988 --field-trial-handle=1816,i,5638467432884533933,10808115708395776344,131072 /prefetch:1
3⤵
PID:3104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3768 --field-trial-handle=1816,i,5638467432884533933,10808115708395776344,131072 /prefetch:8
3⤵
PID:1232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4612 --field-trial-handle=1816,i,5638467432884533933,10808115708395776344,131072 /prefetch:8
3⤵
PID:2112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4696 --field-trial-handle=1816,i,5638467432884533933,10808115708395776344,131072 /prefetch:8
3⤵
PID:2348

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
PID:460

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x1f4,0x244,0x7ff7fcaf7688,0x7ff7fcaf7698,0x7ff7fcaf76a8
4⤵
PID:3484

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
PID:2808

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff7fcaf7688,0x7ff7fcaf7698,0x7ff7fcaf76a8
5⤵
PID:3164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5116 --field-trial-handle=1816,i,5638467432884533933,10808115708395776344,131072 /prefetch:8
3⤵
PID:2220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5552 --field-trial-handle=1816,i,5638467432884533933,10808115708395776344,131072 /prefetch:8
3⤵
PID:1544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5376 --field-trial-handle=1816,i,5638467432884533933,10808115708395776344,131072 /prefetch:8
3⤵
PID:1196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5340 --field-trial-handle=1816,i,5638467432884533933,10808115708395776344,131072 /prefetch:8
3⤵
PID:5620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=1784 --field-trial-handle=1816,i,5638467432884533933,10808115708395776344,131072 /prefetch:1
3⤵
PID:4832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1848 --field-trial-handle=1816,i,5638467432884533933,10808115708395776344,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4624

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:5080

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2916

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1496

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1128

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4624

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4100

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1932

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3048

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3716

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1140

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3956

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5076

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5160

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5592

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5740

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:6004

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:6052

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5200

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5332

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5428

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5484

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5524

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5832

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5356

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
256KB

MD5
a50017447d7d0ed920d7f8b14fa495be

SHA1
0e5323ef2e4a54c3aef1ab60bdf78d9bb7b67b4a

SHA256
b254e75b298f5053ea962a9f00df8c013223d9086919e5bbefa4d54cd8a57952

SHA512
bbb1706cdfb0c97b575ce672dd0f7d1033a81b1ebf9844a11e94929fd2194775e7f70945a576aac5e6b5be1253df2481a0f8d806a0c4445cb24919485fb31bb1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
768KB

MD5
7a8cd0e5867843ff74b2ae0362dbe6dd

SHA1
a9e19cfca595708b237d4ee5b949d71202d593da

SHA256
0d1767e8b5562c69f0cdf3528a13aede48c79c9f9e6ecc5afc62b97f4da8ea91

SHA512
4098f8042928a5cc9e3678b618bc1b9e5fe417e4988feb5a88d1b81787f3046a7b24e44d6afb26aa67ca254cc87df7b32f6acbd6b1ce93ee1a2b467d8538ceb1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.7MB

MD5
00f43544dde3519dfff11536eede253e

SHA1
a0b3b20f6b5022baffcd8873def2d5f0a2c752e0

SHA256
1dc7ffcbeff4d6d292e648791e42cfe5befff75f17c624884c8882811eda1e57

SHA512
4d72512665038b1ddcbe0312e19401cfdf14485a196e0ccd246c4c04f0cab4fc5b702ed74962ca589a04bcd6c4c2e682ef6dc1355e7b0d9ff5439213be8f232f

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
2.0MB

MD5
d7f5d9075b9988eddd5dae7e4620eb57

SHA1
5ff9be561320969f8e9049ebbd92b2cd78d55ba5

SHA256
f4bea6342efb0535fd531897f03f262f0eb690a60f20fbadf352c774f193bb00

SHA512
325c392ff15324f74ea7135ba49f76e4dbddb99f169bcfd64edf45db0a01db7a56a7c7e8c7429f52c2593dd474d0161cfaf981db15cc441e15724cf43947b460

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
696250242032700884b1c93bf009da70

SHA1
64d15f01a7ce4c6723177a31d754c1bb823d911e

SHA256
6d8741091f5d208d3cd0060339c062c6da68b8be71633b098041362f7ac8caf0

SHA512
d3cdb4ad44ab03e40d0b0fa0cdcd921f29b3ada1f99c7f4104c2809e93a08a086807f3efd8ee333fa096ad0ca99475251de7c2504415a34de2c824f5186470d1

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
9e3443aa0d3e51ba47cc259be9a93c65

SHA1
f1ad267ea8643d6ad2c1d783ec739ad83ec4890f

SHA256
d6ab88b6fad508667da5ba2136b5e75740ad6f8478488b5ceb74c42866c20859

SHA512
89743b35091520c4b763f95a787b17f15e3f99f43c5a9a5d1437c2ff40f5b5f7077b8597e90b77fd2e6c66e6656f2d59969e1ad818fc6f9966bb285412ad0a25

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.5MB

MD5
3e3851b593d6e69a12933abe0a402eb2

SHA1
7b37d4896a2ea4d96adff7d6ad8461b188cd7f1f

SHA256
a31b90d30ccdf8671e7190a4af94a4bd6bfd73d36d71daba5b0d9918e31e85cb

SHA512
a034702379f45ddeb77ff8e39ac9322bbeaf76d51611f4ebe3b3714c291ea70f5207d4a6b24affa6b181df79e2ea0df96d5bb7e4773673a31fd4bdceea48bf8b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.7MB

MD5
ae559cdaca89f249cab6a98f70a6ba6a

SHA1
4e667e5d94eed493f6f6e0f340883415fa41969f

SHA256
acaed5e38e839db132441b50146f219f3c640c8351e17771ee90cf3e39b1eee8

SHA512
b8380a60df6c26777c631ab5beb2004499bcdf4c53f6c9df156c6fd1c5e60c81e4335856a0925b0014a0f5b6c2a2b1798961b886c17a48b7943749b1ef6e6fad

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
b251198d0138ac9173e8278bf3951c0b

SHA1
2e56d9ecd298c5cd19047b9dddd82f6547ddee30

SHA256
9759e786e85e748c8eb203cc2e096685b1353e1669f84dd66644ff6f30b69726

SHA512
597b4d59189e3459490b937e56c1c3e129e74d0907d581a3a1023bea7547ae714d489893037c5bf0daf5b65d70d4f1aaa41461fac5055d7665a403ca5d567f39

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.8MB

MD5
ade975407f7223395063264556ea716f

SHA1
0bb7eb4ccc61e8dd7c3336ae3b50f3699fb2f431

SHA256
ad98665a4b1649c1f43f683fe2038967a5ccd59835a9a884ca7c7bbed4edd70b

SHA512
a3b8ebf86a27d1d32c5fce0f4380ee4691ab0b69ece82399f29c5e44d455f8238ad3b252abbc2741d3d120fd4fc1f64640f09a978bc0200d01f69e4af68caa5b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
5678212bf276dc38519ffe97df1a4c9d

SHA1
5765a3ae1af1bd3a956caba6b2034ee0acdae8ac

SHA256
7a0bf4f628ece310be9a31c01ec8b748e9023704875899f42fd9478938fba1e4

SHA512
fbe503a80d6ac25d088d8ccc191413f93dd2520883c05c9a1f170f50f3f37f50dbf72de1fa38d62efebae13493fcefa7ecae33b687fed9db7367a10760eb2ca8

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.7MB

MD5
6a8e3d83df2147b9a0f02072ab50dd65

SHA1
4ef3292e06d34228354380bfef81a8872c58a5e8

SHA256
530981fa92e4a0537fca29c0e5d0cd3e9bae92e92f199231a2b84f1bd0983335

SHA512
28fa6d71db36bddea70930a17648a0d105929a5b97a37887b350a9932fac1b0105a1c029ac63f122ba95989f1dca90721f810408bd815b66bdd8f06ad2d144c9

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
2.1MB

MD5
f04df2df8a450f2a459bcc6d24fa1bc1

SHA1
2b3426b76b8ac864d846d37250fb7f578365e77a

SHA256
6831bd585c7a2b9ccf33ec998bc11991a8e4226e14e18296214338c986b5b4cf

SHA512
6b007b5e6a8ea129ec945c2b5ffe0d53eff2e9f1963b4c22386ee5e8c5c9f2cfd376a197614870fd12f8227e4185d3549bfec7c9370832daf3351c1ca7e11a54

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\d251e0a8-2ad2-4d32-997c-7df26e21aafc.tmp
Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
2af488d7c2c39189ff01874e67febe76

SHA1
c66dcfa8aa8f86af1a27a65a412d695a8fceb780

SHA256
177b9d8d62fc1d43a9847abc7e8655d93681c0a5ca53c6565fab2099be0de73f

SHA512
1d30de09ab1eb5bbaf783b43b6bddfb4132f3464ef70414b006734560824dd6a28e8ec2254c230a786bada567bc3c5605fbd318d03b59593528879d543ad2516

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
8ae25b226e0662d256cdb32f2777f840

SHA1
39594f82a6dd98b6e4a341648cd56e9efc6aa16e

SHA256
935b4cba7114f9adb0c7ae6acbc8903ec672ae318ac63c5d5e5edf857b4db207

SHA512
e529649b71c7a7fccaabc2833af3cbfc9bb15b66cc5735fc95a2bd741c502bd11af05853946d045a49d823e3f6899523d050fe7d33c485af5abccc8e2ca02e8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\en_CA\messages.json
Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\dasherSettingSchema.json
Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
87efaf2850a1e7bb8730c991a639aa98

SHA1
a85dd25bd3cb8bba7bc7a48477cb0df855fe2660

SHA256
c3e5a8fdf72adebffd92c85bae08ca369bffd08e2fca4c70811c2ed09ca9d28b

SHA512
919450947a97420352c5169865d233870ce6c6306cdc16eb98d076087350bc40b8bb411e8b9b6e534b17a3a98df4bbf51bf2b27940b94a99d2bc4f4730bf8f67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
369B

MD5
db2cae3ff336d53616a17ac8047a94d2

SHA1
4327abf9ee7c8efe65c9e139bdeea022b7f2b1ac

SHA256
c1db75dd61d8e88ad25fa238d3bbd16249be6bf3064f6be91c9d2f741708560b

SHA512
4954dcf07a50133af18285a37c21a14be397349685d8e2e982ef13e161cd48473b588a9779fab71151738be1f01e5c586a896117397b938a1b5a7510e2c1ceec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
002d35d8a44dfe36cea0103eb8d4b682

SHA1
d5e2da020e52fe34988253938e068f3b62d36ce8

SHA256
bac24d2087c869fd07fe7ce09f0092b81c5ab501813e34261357544310b0372c

SHA512
fb3a97d62e0a4267a6085c9dd0eb796ed4816d6f9bf804a77bd7f3dd30531ab89a677049f451b31e6620940aa8a5b27a163e0660c171de88156608fa210c7eea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
35e405b5e7f419401777c569cc63944a

SHA1
4ac9eb83f1b8871713afe24782dafc3239b222ce

SHA256
735bc8e21458a3d98e7b74ace0b2d175725a50e9600d5d1ed30c441b932596ff

SHA512
f1101c52b3a209d01da6e756361d94cf6b93539273c43e45706706e90a40e3d85e10259ca9f0b71a31eca9d4bdcbd4701e7605336d4a81308b40aa4faa96935a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
d7e2590c8aecbc8c59156c01f366b20a

SHA1
ac531dc5d4310af38076cc975da11eebc84a2de3

SHA256
8cdded2e53f4de1f04238f2aed127b87abf9766beca38323005a5fc51e1e9036

SHA512
23afeb2a64f0cf547c00610caedec928729dd27076e657f10e086e7f9af96421ba9e1c49975770612368ebe0f925c1ad7ddd28773f3196a358317a89fd79fe30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
b44579211a36cc068861d1462ad6b33a

SHA1
e027b65691277af1e863584aaf7f53447cb4cba8

SHA256
0ae0df23f775fabbde795780647e4cc902d85c5ad7ba87fccddfd3b33bf03673

SHA512
70f29ded21bab17c0a45ef4c74f50c1a6770bd7f180874af2beb31adc1704cc1825db31929b7f2436ef7a3da3c66d207187459bc0fac339ceabf582ce0d0dc24

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
80fadd11e98b4c0b97e7ee25eb4e2e5f

SHA1
9dab9d659a639bf483caef741b1f48ca7341302a

SHA256
7e5d4e3099faf5003c92aab9b3c0917961b4eb54ff212e055740461bf8d1820d

SHA512
d4b7424aca30f545f11368bbf71ec6e41252cdb59b5de50db16008dd3f897ee96e00d2c15bb1f745143a23c9b4c807e4dd100b83c8999ad16bcf51552e2d0fd8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5800c6.TMP
Filesize
2KB

MD5
d6503f5e16a8bf2a8f64f5ab2205b728

SHA1
6c0b1af9431e1e6438e0ed4d53095c0c80295489

SHA256
52c98a5c128ede84b7f56b888d2b86e010f1bff308c5943274adf2ab3cb2b305

SHA512
0653c860cbe62e788da7de581abbbc4eab31b682f9ef7f8ed0fc42746af7f45ef7f67d35d01d1c203c7e1fe275fdee1a45c5ef9bc5ac93fe62b8a2069f51d790

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
10KB

MD5
adb2b3e4a23718e45e36e3aa9c2dcf66

SHA1
d117a365d50657168400ee287f2aa6c2b7581bce

SHA256
f5143a01f91ce491eccea149a7280ee69c91aac900fb9dcf71755260e8a61430

SHA512
b21d20cd34c3ce771e66b4ce519f59f66275805763ee79fdfb8b6787af30555d4ce729d031dc472b37eed61646114c38e5a90b1876a35aadd36b3931bbd9fa48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
13KB

MD5
91ad7d4208850fb87ea3badeda67ef18

SHA1
f7286c303ce33bd52b5e26115549e24f167084b8

SHA256
ac20e4b25b80e09d766cc50c3dd458c7396c4905a6f2e70a569fc287c8e28b17

SHA512
8d9b5bbdced7c777fdb06012f85c79f8ccc4d681c5d298efa56105ed0eabdd44455d193f35bd6a8105db82e2d35719341976d7df3a91720153f414a5eee6e6a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
231KB

MD5
78c53271d68ebbdc77f16a328fafa91f

SHA1
1648179490757e39d7dfa88a1bb28e13283477e3

SHA256
0738fcfdfb1d6dad7b26f0888c71a7546c73847daaafa5c6fdd5e243e17b4056

SHA512
6ce1bb1bf36db5d656332517ff2269aae8a0baa5150bc2f0f9fc51f127c3b72ada5536878a2210b562bfeb2aec44301527b34f2af64fa2761906ccd0a6812e60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
7KB

MD5
394b75489a3b5fa782fb6b895774a2b5

SHA1
cc6042e6f48fe09b6da4775878cebf5c534bc16f

SHA256
54ec307c851e5e6edfb2fa8a199f3559c63d4137c0d31e367a2990a971cdf922

SHA512
0ac3dd2947fccb36cfe5286d3af1253826c849587c5d0e2fcf9aca31c293596092f37173e69a3d6d6426308dee219eb3287586cdb98e63cc6786274ea11d5dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
8KB

MD5
89b954ee9457dbf36c6d3bc078c24066

SHA1
16eaf9089a57aa7c02af8be48acc3134ace8ad6b

SHA256
b2ab3be81c41cf614652c2978a1138364318cd73e30eaab9e354bb3ca14dbc2b

SHA512
a9e930df768ebb73913d715a8f36e174241a225e058eed5bbab9635446ca0160d08292621d9f745aaf3c4df10dc09fcc2aae71e5af21bc74e9e45f86967b3ede

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2216_751931395\CRX_INSTALL\_locales\en_CA\messages.json
Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2216_751931395\e1a4d1cb-7b5a-46a0-b139-272db8b34666.tmp
Filesize
88KB

MD5
2cc86b681f2cd1d9f095584fd3153a61

SHA1
2a0ac7262fb88908a453bc125c5c3fc72b8d490e

SHA256
d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c

SHA512
14ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986

Download Submit
C:\Users\Admin\AppData\Roaming\b6b27a49c92b1ccd.bin
Filesize
12KB

MD5
03d61ab2d87c7c1deb468f5c44f0714c

SHA1
cd95e0eda9fbd2377c19a672699852c6439cc31e

SHA256
7f71e30be1ef5ee86b4cdf8b006f05b0e39448e7e80d0fde7ea8f372277cef6e

SHA512
9128cf3690ececda4759cc5f2624b190dfaf69c729c85793c66f45e1f460f337a1e3bb5d458b2a5a616e97f5057a181a3738fb643f25f944ce469422902f38b1

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.5MB

MD5
ffee53bae9ef3bab9ea75ed1b3f139f7

SHA1
1f36ae85e65058189b23de6d78a520b9f26461c7

SHA256
ea5dae0f06324c8cf36ace7a5b5325135ef8e42e5970d0723b8dd7543d794151

SHA512
ca15942917b3fbac5f289591de0b205b71791822788d003a74e71cf38f58dc9105fc0e500f10bf743fd412cb80fe40d298eff6bed6a5bdce9ed0400161570d62

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
6d8779f627a8ad25c74cacbb1d396828

SHA1
7db5710a5aecb497e7a10027e56d31a0b2b8442c

SHA256
cdb7e7fac061e3ad2106a4cd1ad07f5857b0eeaa732082739f562182492e9cd9

SHA512
1c31749d8130f20ef5e740ccc3eefa9a39bc6d251a9fed6e6968694661516995183680559b659601e45147a7cbbb99cffe2d40875fdf5128c341837035532e0f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.5MB

MD5
82d2bce5e0d1b13399a7ad4afa579ef1

SHA1
8c356417ebaf9a934996c982b55914a951421bae

SHA256
acf06ff866ce08ac9ae3d978e586e2559e34ac7f98195d7977255b1ea78622cf

SHA512
0f1e829b9ae3fe1d5e83ca27ee97b8efb51564fbd1a3d66cc2648383c53404ae8f6bf0150861e19e0162a508332151be32ff5cd66c32b01473c02788e4930a1f

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.1MB

MD5
f5d3fad52b52736f2f4f938b14deecf7

SHA1
d5195a96140d48a6f7ae7a8b07565ba48673fa74

SHA256
51dcf87bea642277e99b99ef578b971a9516f7f9d0cc1c89e60758b7ed5e81e8

SHA512
e6fc86d54444d581d70e016a0dd65a4e0c6d4f1eaa81119b2192fc8aa245e254a43291426a440dd14f769c82937a74538d247d9ca9a3a1f6a8d3b69345c26fc7

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.5MB

MD5
aee55c662ec75b7a2510899d54ae2ff1

SHA1
184289f9668838558b41af15176a52a55c7fd5ea

SHA256
4f718129cd370b2504998264db8fb0642c5353677ba1638c62ec52bcbdc233e6

SHA512
e31fd92932354e49f49047a5cf72030a1aff765812a15f925316853b6dd1cde8b7701720e9fd947e279e890f8efcbd24183538fe44ed1a75d06d6fbd4bc3dc5f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.8MB

MD5
567742f7fa07edcaf00c16f8482ea516

SHA1
73f1f330d2a54d5c0cc3a0d95d13d5d44739b394

SHA256
5efffd6d570aefec4197a55eb4e70023e6213d1f117c95bf69fbc872dd2a6458

SHA512
45f44c8314acb1796e55e7057f768d7689fa709c03ce4b11d9cb72158baa348384faffe2972f469c913b9b0702bb71d4b695b1a0182c07a875ec686dffb0b7f2

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.6MB

MD5
c42d6fd48414d8ded1c49d90cbb47488

SHA1
d142a949b6a5f68bf1b329925cc62662463280b8

SHA256
90981c2ff98e8a0e661a55257afa83819b7bd52faad10d3a30dbf11a18931681

SHA512
412007693e63c4c07821c9ed70f7b12c0564e71f1aaf8608d1e5db9240c905542a7959bad9d09f671d299e0fd89b903f8fa2e8b1fb2e004273065b58281622d7

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
a7f1cf6fe8a95d26cc36376942c8760f

SHA1
dc235f8056930877e83b7a1b6da4389809130ca2

SHA256
b6ca2602bc0e69e91849aa65e461e8cee9172cac8369604cfbb2e5ece93c311e

SHA512
526a83cfc04ac0e401dcd3de08df568f8b6606c669ffac6ad7a388a55d3823e19f0d5c22b18bec4d597e972e90eaebd5ae6b054e138c189d70be8ae7bbb9ff13

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
1402d2f552dba0ef7f0bd0d0a610d7ac

SHA1
457b9f9d588e3da32482465812414a8419c435a0

SHA256
e1d59db2cacc46150933fa792518ea048ea3cd1b1eae79481deef1cbf6e7bf6a

SHA512
47725d1b0a6f709acd5701f9ada4c9a8db36d91eedc9245b5a353097f0730ae0b3968d0d8f09d1c4cb693d71c0788aada37c4ae973df3086f554fbcfcb685104

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.6MB

MD5
85f427fcb01ab06cbbc0c0cb49324aa7

SHA1
873a2060a1399baf9b853758210a010b8a15b3c2

SHA256
94d7f2c84eb12d6ed4fe9dc08926656096271f2adca7d73496d1562dffc0baaf

SHA512
576701bcc5bef898dbffe0f104db39bb21bf25b2f1c966d84a857079d0c8bad0c254d3c08f4e88f7d57e8e869233d8850a3f78b69c5b7edf8b9b123034a48cc0

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
66e7d5b52326d095f2f5ff0980ca6c24

SHA1
547dc1fcb7f1cdef2ffb67f604a0be3252d17d0b

SHA256
b204e9bbcd0f8c514c786366fc07edbcf639986efff3d6c76198f5abee266069

SHA512
84123b50d5c57ed21ed72674792a9c5ddcb2c089f1fb6c7fc8eccde31eb5adb86477857d4261ef121222d2bde7050c5adf861ba11f534a551eba78a262ac03f8

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.8MB

MD5
2e70f40bfd7ed6254f5c123beba88661

SHA1
70b5e6560a723e086230b32a58637c38436c1d7f

SHA256
7f37fc2bc7677a7fb7a7e03b4d62737d051285dc0cb2023fc2c8b59ad2d50c90

SHA512
101d73fb5e9bab4e1f5d51e9dd1e8d2b4554d93f4ff7a14d8eafd69d51921b00a2fbe05aab6a4db0dcdd5751c64176a30ad5f8c382a4c49729aa732e43cba8ce

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
788a484856714f3fa8b0aba1c64efac4

SHA1
7acf6710fa2007adab7242557a3181ef493769e4

SHA256
9312a9bab4bd9309e41d178f67f992455c505c5885edb2f43ec10bf6327b5cd0

SHA512
57b5867607951ab43addff6c16fa03d7cac8a5c609e007a5b90b281baace98e983cadc0bedb13f61e3467cf4d170c0e25c5025edcd4d05fab71f06d6266dda1d

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.5MB

MD5
caa8baa4692539b3f2feef0f53949988

SHA1
986c3c796f602981977fec88406673bb202388c6

SHA256
e96444a3d821a901b7e508dfe8a17159d64a1d47e5235df2d545560fa18833f2

SHA512
63497cc14a0b909d2bf708a814c9790e4cfe32b3a8721c38d848afae74f188425c0a494dd9bfb0d7a8ee84781bb8a0ed46741e43e9c20cd9faf20d2e27f8a65e

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.6MB

MD5
863aeebdd8a311b352ea9e3a10e6f5d8

SHA1
e3e42a912e0b568eb4b7b66bf83fd8e55f53f4fd

SHA256
dc053944d9fc955193c68e11aa7286f2f909e871a2d3dd59bb796131b515e871

SHA512
c157aef2edbbd04cbb043756269b2ab4ad6af26bc8e87a53066f8d6b8dfb722593dc46a420af8b3cc7953c349bce4373662c3c9d3246b653b0c72fbed949882d

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.5MB

MD5
f8932afc4313f5f239a675e231c71903

SHA1
fde9515c02b7786d70cd93844d0ad48285174291

SHA256
b04298a1da13040efacc2bd2fce1f91a3e86ed02f856e79f608e7b74874cfd28

SHA512
330582f4a1615884bd0932b9b2292c29b431839ea1a73e7e7fa5a00856853e4e325a7e5b87d1c57010a74f416a88640a7807729010274849f5a4de33cb1b0853

Download Submit
C:\Windows\System32\vds.exe
Filesize
960KB

MD5
8e076b3ecbfcba4be7bc575e97ec68f0

SHA1
5c66b54bf594479f0752d803668c08dbce9b782b

SHA256
1ee1412680ff242a71d7ef252b7e96a8d04e21e44d6451afbfc743264a96f4b8

SHA512
fe5d9dab0e3d21b87943492a5b47bd846a7f0df6dd587875723a3d94472703e53b942715499373c81ac17d531eae814c672da5db583333f98722f5869323a5ca

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.7MB

MD5
c8605e9f5099ced2cc9a657e27777389

SHA1
e479b049262662aed4d11482a19dde19d1f4d30a

SHA256
819a22e669f6c266749ced78ad8224030d6c4d1d6b6195ff058a279b88ee4005

SHA512
b9702221b635873665540842439d32072e61163a2dceb07439d351fa58ba15536ec3d8bf2eb2ad12ff24f8e1a53d58e0f749e15ca4893cc6b724e412ffd62f45

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
251dcfa0307e9898453b12db7df19b50

SHA1
f9f7d47b47d84c6e40d962f042a35fd566564623

SHA256
4e14dafa1200a592f18a3811e2792e69c0205ff77a61fa6e5810c1fed2394cce

SHA512
af36ea3fd20f0d1464e73867c1d8de6c67adf1337ff25e269a6a09667295e5025f1baf4c9b7d7b4c3f448cbbf601f72df91f1a5ebfc37f967d809632674f68a7

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
af344663564acc8d79de314080d8ade0

SHA1
7d94c4a55f6e7a32292c9d2b730d7f6847efcc29

SHA256
7b7eace26de275f8af21286e76a4c7e7d04555dde0e8d3f5603746939800f06f

SHA512
8447040dbdae5d73c28b65071fd9bd8f9252c4684c20343a388df7d320cc17f603f85808889d45b70221aa095db524f9be41834e5fbf0ee31232fa38471787bf

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
7f4ab0436e67aaa958264ad50e5fc5f5

SHA1
131ffd9ab4375d84a804a8f3fe676ca2259b3f1a

SHA256
2f465100de07f55fe8e0bfe8d333592ebbf0db491e67a0e6c02b43230360af96

SHA512
f8860efbaa1043f640a6c6e03fddce9f281b2174f84d5d753be0f7677b2828e078991f29a7e2fbfdcb1b47597962cad4b3123383e03a90799c38079df2502f11

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.8MB

MD5
3e62cba81b439fd1213ae0170ae2992a

SHA1
34d2f35adf43fc61632e4e21c33b447ec4481cc7

SHA256
20d9bb1630ded3500babf69ea6577b1a9603bd6b95af36bddb732c43014a6a75

SHA512
0f734412910aaee3e0e7aa905fd5f68f4d61cba45bcd69759da7470c6d9d66f7b3e64a50a138707844e7bb60186fae6ffdab1ebe3b729dee49bedd3d2cf07cf9

Download Submit
C:\Windows\system32\fxssvc.exe
Filesize
1.2MB

MD5
d616304a0c22697b75d4dbd2f6572bf1

SHA1
19f16ea61c500860e6c684a32b11aef4515155ef

SHA256
12e027e7e7bcd592bbbd663fdd3cef80589af32a268bae9034fd9f74d9e8010d

SHA512
45fbc27ecaa33512f5bd1b417523c6d17e6d0cce4cb40e30cc3d51c0e5af63635c51a4a34a5abf78a3313ff00d3ed4312c4230e229f0f5d39a8ba86237ea3b37

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.5MB

MD5
d0daccd4e991db336666f9f9a8f3338d

SHA1
5c294a25a50d8f85d9521475222bf65dc3fc4f60

SHA256
36b3eed8b6e68715bc843d5b933612ce96f9163906090488ab0584dc4ccf92fb

SHA512
1be8567a1163e422796cf2f79d7e578abb64b2faaab8a0ae66bd52d2ea20b3601280751301225eb92357e879a2d7b3cf5127a88d3f0b3117a33b397bd0184232

Download Submit
C:\odt\office2016setup.exe
Filesize
5.6MB

MD5
26fbf1505bed28f30d34867ca5da650a

SHA1
fcab133a7584a07c1d173624fabb37dddf6a87ea

SHA256
d40785260457de923ea35d64190541e43fad17173efaa299ccaad4b315faccd8

SHA512
603632b962aa7a28cb0e82ea8ba88848dfc870114986e3bf117b51a941fbd8755e6600de83e2f6666883f63a6c00d0cd0926bd036a89bca2e0abafd397fdb571

Download Submit
\??\pipe\crashpad_2216_EZOTKOOTUKBPBHDB
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1128-72-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1128-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1128-61-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/1128-67-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/1128-70-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/1140-368-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/1140-186-0x0000000000C20000-0x0000000000C80000-memory.dmp

Filesize
384KB

Download
memory/1140-176-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/1372-12-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1372-13-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1372-20-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1372-19-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1372-102-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1932-135-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1932-119-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1932-128-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1932-134-0x0000000140000000-0x00000001401B1000-memory.dmp

Filesize
1.7MB

Download
memory/1932-118-0x0000000140000000-0x00000001401B1000-memory.dmp

Filesize
1.7MB

Download
memory/1940-7-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/1940-26-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/1940-2-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1940-8-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/1940-33-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1940-0-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/2916-43-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2916-47-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/2916-54-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2916-137-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/3048-258-0x0000000140000000-0x00000001401A0000-memory.dmp

Filesize
1.6MB

Download
memory/3048-140-0x0000000140000000-0x00000001401A0000-memory.dmp

Filesize
1.6MB

Download
memory/3048-150-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/3716-161-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3716-171-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/3716-355-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3956-397-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/3956-203-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/4100-109-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4100-100-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4100-202-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4100-106-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4624-74-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/4624-75-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4624-82-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/4624-115-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4624-112-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/5076-243-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/5076-252-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/5076-410-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/5080-39-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/5080-25-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/5080-116-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/5080-40-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/5080-24-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/5160-264-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5160-423-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5160-289-0x00000000005E0000-0x0000000000640000-memory.dmp

Filesize
384KB

Download
memory/5200-424-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5200-440-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/5200-437-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5200-432-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/5332-441-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5332-450-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/5428-454-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5428-463-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/5484-475-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/5484-467-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5524-488-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/5524-482-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/5592-365-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/5592-356-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/5592-439-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/5740-369-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5740-382-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/5740-453-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5912-466-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/5912-398-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/5912-406-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/6052-413-0x0000000140000000-0x00000001401C9000-memory.dmp

Filesize
1.8MB

Download
memory/6052-419-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/6052-479-0x0000000140000000-0x00000001401C9000-memory.dmp

Filesize
1.8MB

Download