31d7edbcf9e913517cb0267ec4093c06d0ae0d51bc990894c14564ec476c9408

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 10:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
Size

5.5MB
MD5

d3bb39de484d1711e21f65f20336d8f8
SHA1

f1dceaf9e245573d2faf344c22b4e460c78d44a8
SHA256

31d7edbcf9e913517cb0267ec4093c06d0ae0d51bc990894c14564ec476c9408
SHA512

6a6364131fbdb7c55f6f2dc8e76e5cb1216b6c605e8275251f11c165fce83c5f91bdc7e53ec63162c508fc8b92181a46b4648837554543d0482cb00885543239
SSDEEP

49152:jEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfE:/AI5pAdVJn9tbnR1VgBVmePHn3

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
2364	alg.exe
2020	DiagnosticsHub.StandardCollector.Service.exe
2100	fxssvc.exe
4772	elevation_service.exe
4596	elevation_service.exe
4636	maintenanceservice.exe
488	msdtc.exe
2532	OSE.EXE
4304	PerceptionSimulationService.exe
5200	perfhost.exe
5336	locator.exe
5432	SensorDataService.exe
5580	snmptrap.exe
5684	spectrum.exe
5928	ssh-agent.exe
6040	TieringEngineService.exe
3156	AgentService.exe
5208	vds.exe
5620	vssvc.exe
5984	wbengine.exe
5396	WmiApSrv.exe
5980	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

alg.exe2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exemsdtc.exe2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\91fc18eb3e2edcd.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exe2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{1342F81A-D5C5-42B4-A5E8-933F7759DA30}\chrome_installer.exe	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

fxssvc.exeSearchProtocolHost.exeSearchFilterHost.exechrome.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b06097575799da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cff889565799da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dbc601595799da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001c35c0545799da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000098aa08545799da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000879c92575799da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aed8c8555799da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002beca0575799da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000281db0565799da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

chrome.exe2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exechrome.exe

pid	process
5076	chrome.exe
5076	chrome.exe
1464	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
1464	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
1464	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
1464	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
1464	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
1464	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
1464	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
1464	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
1464	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
1464	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
1464	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
1464	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
1464	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
1464	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
1464	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
1464	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
1464	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
1464	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
1464	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
1464	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
1464	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
1464	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
1464	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
1464	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
1464	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
1464	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
1464	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
1464	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
1464	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
1464	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
1464	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
1464	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
1464	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
1464	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
1464	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
6720	chrome.exe
6720	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

672
672
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

5076 chrome.exe
5076 chrome.exe
5076 chrome.exe
5076 chrome.exe

pid	process
672
672

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exefxssvc.exechrome.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1780	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
Token: SeAuditPrivilege	2100	fxssvc.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeRestorePrivilege	6040	TieringEngineService.exe
Token: SeManageVolumePrivilege	6040	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3156	AgentService.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeBackupPrivilege	5620	vssvc.exe
Token: SeRestorePrivilege	5620	vssvc.exe
Token: SeAuditPrivilege	5620	vssvc.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeBackupPrivilege	5984	wbengine.exe
Token: SeRestorePrivilege	5984	wbengine.exe
Token: SeSecurityPrivilege	5984	wbengine.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: 33	5980	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5980	SearchIndexer.exe
Token: SeShutdownPrivilege	5076	chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

chrome.exe

pid process

5076 chrome.exe
5076 chrome.exe
5076 chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exechrome.exe

description	pid	process	target process
PID 1780 wrote to memory of 1464	1780	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
PID 1780 wrote to memory of 1464	1780	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
PID 1780 wrote to memory of 5076	1780	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe	chrome.exe
PID 1780 wrote to memory of 5076	1780	2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe	chrome.exe
PID 5076 wrote to memory of 2488	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 2488	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1512	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1512	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1512	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1512	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1512	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1512	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1512	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1512	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1512	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1512	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1512	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1512	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1512	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1512	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1512	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1512	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1512	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1512	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1512	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1512	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1512	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1512	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1512	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1512	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1512	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1512	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1512	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1512	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1512	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1512	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1512	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1512	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1512	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1512	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1512	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1512	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1512	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1512	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 3312	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 3312	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 4136	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 4136	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 4136	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 4136	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 4136	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 4136	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 4136	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 4136	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 4136	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 4136	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 4136	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 4136	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 4136	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 4136	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 4136	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 4136	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 4136	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 4136	5076	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1780

C:\Users\Admin\AppData\Local\Temp\2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_d3bb39de484d1711e21f65f20336d8f8_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d8,0x2dc,0x2e8,0x2e4,0x2ec,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe8b759758,0x7ffe8b759768,0x7ffe8b759778
3⤵
PID:2488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1660 --field-trial-handle=1900,i,17919834850316024536,3730058183587337834,131072 /prefetch:2
3⤵
PID:1512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 --field-trial-handle=1900,i,17919834850316024536,3730058183587337834,131072 /prefetch:8
3⤵
PID:3312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2240 --field-trial-handle=1900,i,17919834850316024536,3730058183587337834,131072 /prefetch:8
3⤵
PID:4136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3192 --field-trial-handle=1900,i,17919834850316024536,3730058183587337834,131072 /prefetch:1
3⤵
PID:4184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3316 --field-trial-handle=1900,i,17919834850316024536,3730058183587337834,131072 /prefetch:1
3⤵
PID:2172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4524 --field-trial-handle=1900,i,17919834850316024536,3730058183587337834,131072 /prefetch:8
3⤵
PID:4844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4540 --field-trial-handle=1900,i,17919834850316024536,3730058183587337834,131072 /prefetch:1
3⤵
PID:4804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4544 --field-trial-handle=1900,i,17919834850316024536,3730058183587337834,131072 /prefetch:8
3⤵
PID:2940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5012 --field-trial-handle=1900,i,17919834850316024536,3730058183587337834,131072 /prefetch:8
3⤵
PID:3364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4620 --field-trial-handle=1900,i,17919834850316024536,3730058183587337834,131072 /prefetch:8
3⤵
PID:5500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4632 --field-trial-handle=1900,i,17919834850316024536,3730058183587337834,131072 /prefetch:8
3⤵
PID:5760

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
PID:6032

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff7c4f07688,0x7ff7c4f07698,0x7ff7c4f076a8
4⤵
PID:1308

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
PID:5240

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff7c4f07688,0x7ff7c4f07698,0x7ff7c4f076a8
5⤵
PID:5488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4632 --field-trial-handle=1900,i,17919834850316024536,3730058183587337834,131072 /prefetch:8
3⤵
PID:5356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5248 --field-trial-handle=1900,i,17919834850316024536,3730058183587337834,131072 /prefetch:8
3⤵
PID:5464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5424 --field-trial-handle=1900,i,17919834850316024536,3730058183587337834,131072 /prefetch:8
3⤵
PID:5808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5248 --field-trial-handle=1900,i,17919834850316024536,3730058183587337834,131072 /prefetch:8
3⤵
PID:3252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5404 --field-trial-handle=1900,i,17919834850316024536,3730058183587337834,131072 /prefetch:1
3⤵
PID:6448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=212 --field-trial-handle=1900,i,17919834850316024536,3730058183587337834,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:6720

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2364

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2020

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1360

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2100

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4772

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4596

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4636

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:488

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2532

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4304

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5200

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5336

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5432

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5580

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5684

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:6012

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:6040

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3156

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5208

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5620

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5984

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5396

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5980

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5196

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:5768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3972 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
1⤵
PID:6304

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
Filesize
2.2MB

MD5
72f2a3310b23b2eb027183d923941280

SHA1
198ed1f9c2520e4ce8fb077df8c296496ebf2662

SHA256
dc01cb530abd34fdcddca7d5df8e2f4d766342ddd8b463ad55dcdb1e0d348b5f

SHA512
632a2a5ba2b03d28bca4e5bf87a6862825a050ee7498c29b82a8351ed6d25b1f4092a9142b8e877d04243073ce3344f3d12be3397343c366ae72351ebe71d2af

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
781KB

MD5
69fdb448aa8ebd6dfb2bddd0fa7da80f

SHA1
fea33f6cf1121b704b841f19aabada8cecce8114

SHA256
480eaa1928b34bffbbb39d685fe2e1ea2c0e2ea84700a8f459d433ae63aacd59

SHA512
c2cbaa84b4633cde8fc46d3db9b70d41074e7e26aa91129449270a9322fcc574469fda049a2542c33a1e6c603fa37b2411fddb9fbc28b595923714836f55c62b

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
96bc5de67f571b5c75eedbec69a3c155

SHA1
fa52f0d5f3303fb0e60c1664fa3b843f4a36f7d9

SHA256
b58afaa21665505a70c23c5a7012c8c4bf337fa2a9b51ee5b5f8c2b672a42091

SHA512
10550cbe7e425095d7c761e96076bcc560b80443359bd59aecfc4b08ac607e8bc2b51acb677269c84afbcb5d4613860999091e79f583cd5903face5879515206

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
a0c246344557b5e32aef9c6113ddd487

SHA1
18ff7ddaa3e1c1d07f4cf65074d1975eb9f3e227

SHA256
d6427865ba9babfca61c8c6f71364b1955babd3dc65a35890db5a965c73d57b6

SHA512
46843b355061ef9442d7f29a7adb57dbb4717c62c3b176602c2a02e424eac0bb1f6c699321f3f7a28ec0a8de44720a1aaf7b2a875eb123e8b01c6eaa4472ccc2

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
5992e01027e77e58ec15973da53822a4

SHA1
9b52e46a84d070be5d799690aff52099bf196cab

SHA256
b2a530feb15c4c2585bf5b27da32034113c18bb9bda6a3204293c5e904bf5066

SHA512
10d6d99ed9def9b6ba012c6411b523dbd9ff6859213b412a67b882b2d29ed5b59b8fbc8c42855e69406f57353e7d7d8a9246ebdfb16beb08b52ca2e449db2456

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
35aeb7e82b8aa23c23ed20369f91e647

SHA1
ac12f73458ef5fd57f81b5a9b165cb1808b78f1e

SHA256
a302d6e6403985c777d3c2535da027b12f1d5bd245a165d4a8a780e6d85300b5

SHA512
5a5ba9c70ab24f43558785f347f9fab7792339a447af7ead1e6a3694496a93ce7267ad9340af9c64c14f29f53cccd2c07f4d28bc79af2330092407e3c640470b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
4541dccae4a31c075ead026943fff894

SHA1
a4b0a54119c3e278fbe456914e8bf28d4025acee

SHA256
7c448578f00a41a05b8e436780822afa83c11d18c0ca886bf821ed984358e1cf

SHA512
264f9f73353bf6346b8687c675193c0cb07d3ba3429f73a942a0f0223d737c08395f4d5263b0691f177625614c5d9f0cdc3443955a0894be7a3e538dce54e26c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
9b24f6cd73748d87a7d314f8b406af3d

SHA1
343fdf058a3525e97af2a8c1437df9ba76248883

SHA256
69840646d0e5898a07073c1595fa96df08cd1fadbc343f4372cf67e6a34d537c

SHA512
519658df7ec4c50d83c9ecd23ca1c31167862242e42a51390b5a661c96d0c8e741e3eb809ad2eb4ae69b4e05611d2a1b9a8e5396e972dbf257f729c95e79c11b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
0f5b00065def3482a1f3dabcdc716fbd

SHA1
68458a4c4fd53afd4824f7c017cd0e214827e14a

SHA256
054046f1313f5af9fcb58a5669441df4688aafc48efc73fb095ad49075a797a8

SHA512
318357666b892e2cf019d0091742a7b0b74b1d1876a2a3861f036aed106158d4257489065a79438e0a99d71254408d84d1478823f7468eb9eb3931347e293389

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
3ea17bfacfb6cbed9ccc79a00d09255e

SHA1
0fccd6e6a4ed28876722e58b2e6ae7cc386ced5b

SHA256
7ba689505eed6a490d253ef2aa4736915a275c8839dc368369c522d7f75fe018

SHA512
d5916b3758ca6ec1ab62aacd62f61df6cadd334aac8b679174fd6caf66860e700c5bf03bedb06daf709d5e5cead7d4cb73cff516eaa48fbbd062a1bfc5170ea8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
7ed46d329c3cd4348551f22a64b043ca

SHA1
a9cfaa7c3e8a409db5e780ed0ab6cfe8bf16a894

SHA256
83e8b3692103d8159f7359a7ad2b1623e0733a024f2830008ac7d5c4b0db8a3a

SHA512
48b6f469d2cf7c3773a9e3d8823de611ba7a407443635b76d543558766338a36d08f55300f897e79a052503a313fc8d639d4f38da3411c302d587eca05ca1cca

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
3a428b98f3ea204ad04b3115986abc41

SHA1
f6f404cfa3ef29689d9113c36de99babed3333dc

SHA256
00db7240a2fb888b1ad2d0673bc324f864e2a396d87086d3d0e4d7ca5ab67f35

SHA512
09a78144fba0b5a329afb195e8f417e74bb2c222d6fcd6670585a5e8a4fd6492e9260175f2289dc7958deedb1a76ef3ae7991777ac21626809774853321e7099

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
98dd68589d8939dd33207c61159b92b7

SHA1
5bfa587006f22cf05908cdf10c59b77d3adedfdb

SHA256
e8a5705370e72b8428f06dfd2a156274d2b3ca291352897417a4c5209272aa9e

SHA512
4e7b901c996988e4320902c2412b474d8d84ee38c7caa7f3904eaa790123e934166e5f805b475352adbff84429629e076768402c7362278bc4f3597ac49767fa

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
2.1MB

MD5
ca937adfef45b06bebb193a95918c963

SHA1
ec054a457e833af69fb70ae9cbee607c6bcd7e0d

SHA256
4ec1f9294adaf4d1ace0622821bf83393727cc58558b04b18ae231ed5d84f48a

SHA512
f5773219c047448dcddfc62c276732c0742ba14bf38814ff3c0e25f8cdc7f1a37a143c9d0b3b0f479b09c03e998d8885f7060c65d88f8926c3bd08b1940743d1

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
a3d14d91b54ce8805d67aa1e3a5e2f74

SHA1
27ee2d7fa9e2f7c815ac8b9275045cc607850e9f

SHA256
bb3acd90c84bec57ced051b4b52ab3723346254acca1f9e1c4dacfee713c0a8f

SHA512
290dd482a3f00e9f6f713925bb1bc8754b498b1d7ac88b8f8913d605ba347a590aafee7238e98b211e31598e0365defce6431e29fd6efcfcda63904723524fbc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
85cfc13b6779a099d53221876df3b9e0

SHA1
08becf601c986c2e9f979f9143bbbcb7b48540ed

SHA256
bd34434d117b9572216229cb2ab703b5e98d588f5f6dfe072188bd3d6b3022f3

SHA512
b248162930702450893a112987e96ea70569ac35e14ef5eb6973238e426428272d1c930ce30552f19dd2d8d7754dc1f7f667ecd18f2c857b165b7873f4c03a48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\en_CA\messages.json
Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\dasherSettingSchema.json
Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
6ec6bbb7b8955760c2a0c4a386a13858

SHA1
3cab7a0534e1b8201c175d3a1e2b75bf8cca0f99

SHA256
956e44fce7af60f558c106fd11173c687f062520808654f9ac4c9c9b13fea377

SHA512
0520b54c860d63abf596dd2f7ba73496f8a6cec4606ec636e5ad268c27e995eb774399515a2a96a199ddc70300b911cecb746324ea38b2dbc26addaca7b9d5e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
763d879900937a9d5d4a31981cb83cc3

SHA1
1fdb5c24bef527572e045c17938c5069f9bfb772

SHA256
2bb2a1d068f52d05c85653064f2e22a33a17748bf77547f1463a7a9f13cf96e1

SHA512
a915d2d5b4c132cb547690a07313e5b4b72654223888dcb74f48f3e6dbef00aa560bf909b58c3406552f6d71d18ff9ed9d7f939443434a7f4eaf0394e9e428ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
369B

MD5
17495b8a59fce0f816a7588846f9c576

SHA1
247eec70aba915fe3b0283f7c2d181843883e43b

SHA256
b760af4c0474c7366d884e01b82f0662537de9d1ec2732db8f0cabbbfca53a1a

SHA512
291ed242eca4b4d0c22f8cf01f94725510e446f03f447000d16b561c852b67ca55ae90ba905b8bf139d205b1d3d428130e191c036821f984185b463c81352435

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
d60508bc22163c6e56d5fe7fb6de4f30

SHA1
2921c5298058b75ecc5c2ddf5e83eb3e2724be57

SHA256
31e849c99a382169f1a9b8a4048b81febef9cc01bcfade51455c344733a764a3

SHA512
ec065594bb8bf34624f05546e23989a29119ff7890cbfffe8e91e9fa30d7c6ba304b759f1fd4acdbba34dc0ed17602c309d10b41666d8be07a800034371dffc9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
7ae7cfddda33e8b408eb465896d987f1

SHA1
b9cad367d5e68055030bf2b099cc650dc9671e2e

SHA256
db806ad07930bed56da1502aacbd7cee9d6d38902b33a2e8e05695c23710713c

SHA512
d358a37271c8ce6444a2f239eeb4be0d951ca4c45820fb6b7e625cefe8105b465af0d0b360c276838c442d32d438963c7731f33081861555f9b33eccaad73957

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
f1c746d96d98d5c09e7758f3dd1fe9aa

SHA1
d1795974c460c6a1d3091df278d0d3935f8ac832

SHA256
aab891a29c7c00487353100d2403a2e4a93a6a787c65c80352e4d132b136650f

SHA512
8c5e15ee2b58053fe6748d9336f43c5ec47b09eb354adcdca1eae25f2be023d8bc9b332b2ef2eef638632e24b1f94d61b41401caa84757b04b88b591e0828285

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
26cb484e085d706ac3504028caa2e7da

SHA1
220b392fb919eab01de3c34ebd2ed20ff9f19207

SHA256
468ca634a2f75c527759d5169d376f13567571cebd7b3b342169d3503a4a6c42

SHA512
3c0a9c88792538d211bd26dc615447da2f0efb802f92b22ce8534f585754b3da28ef83291590908516a4832afe7a9828d4a646570cc8aca7a9c0a7636e832986

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe58175b.TMP
Filesize
2KB

MD5
04695aadffdaf28b5be826d27d48721a

SHA1
ce79df7c80926a86b0e1a922a05bcab16c7620c4

SHA256
0bc76b0a74faa8d4d25cfa28127c42750e86004af7a10d590e07a33a89726b51

SHA512
aa3438c4a09ea9c0c52dccb6cba636ac99c11b47a5b78317869823d6c39bfdfa304f40e67867b8ca9c4269efaba12431ae59a1d54c671f38acb9e4fe3d23da54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
10KB

MD5
275b7631c573c9465671b9f3d1686ce8

SHA1
8ab0d054b4258fcf7cdeb9f2348f4bc5b019e9ad

SHA256
ef9bb8c749e24b21b16ef4ce35db94b534e29516951e3343fea651fb57a5b70e

SHA512
5ff071dfd3312955e5ed2415d53bb77a79671db7b4ace98fae1f8a16cdd7a5b5ca9da84d0ab48fe2876e4fa3cb07ca377eafd927dd801d53616eb32baa78fa7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
13KB

MD5
72e99e8c945d3115b7202f25785534e4

SHA1
667bf5d3fa6dae0600d611fba56c73bbfbd8339f

SHA256
edc6a223f7b6853f3bac0514d45c538ae2c9caf4657c3ce09fe60499256b176d

SHA512
bff4b209022272dbbbbbd6fa6299bcb53ea2e1b5b9224cd6809caf7f0aa03d4df14297053803a8c660a74ca639252298560448dd7396ae018730a00ccd5390e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
265KB

MD5
215fbf441bcf72b0b6d18b73773ce51e

SHA1
ac19eedc39edf37f277e4e3108eb0cbf64092de3

SHA256
15f7dc22e13c76f2103d1ae7111ca35f79345b3de970828e2a843a01450a12c3

SHA512
a0d1e7630f3184c9c7c837ef0bb9b24dabc6ce2be52d99a0c0822ffe4f0d33ef5c3e1ad62dc9e38e893c02412dfa1492ede7b5b748aecc52e9fb292f80fdd181

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
4KB

MD5
c46e3d70e860d384f6555255d2bc8594

SHA1
44c094a112d5565523cefe8ff25be1016df8bc87

SHA256
4ee2850e75e4b05205b72a05f5a313da62a0186cd33606883adacbbe9859b5fe

SHA512
9eb7d18e0383b33e528f30996003b1b0ba450a750e14a38c8a66ac5ced1350f2fa9f91445c8d991fbedbf383e3328096dd07af57f294358d5a3fa8a6c82099ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
6KB

MD5
77ae9205ede85d18df8ee1fbd1cc7393

SHA1
30b4c42a8c8f9c0465dcdb345dbe4c81104841e6

SHA256
134910da361871b6239a818fc2346fccd83342b52b68109c20a7902e07c73224

SHA512
27fc8f5e8b06a6dfe2fb32c4d511dd662ef12e8e9f120bdd4dc87fcf0620a715f1b0ed205e246d762dc15cb59b48fd3cd4e925eaf810baef7e2e22b353d2ac60

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5076_1139866538\7b9eea14-c336-4dea-b76f-3ffcaa5e70ea.tmp
Filesize
88KB

MD5
2cc86b681f2cd1d9f095584fd3153a61

SHA1
2a0ac7262fb88908a453bc125c5c3fc72b8d490e

SHA256
d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c

SHA512
14ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5076_1139866538\CRX_INSTALL\_locales\en_CA\messages.json
Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Roaming\91fc18eb3e2edcd.bin
Filesize
12KB

MD5
1ae76431c30dcc432eb507753888f784

SHA1
749709fe9b43649f471a685b6385decb514e0d12

SHA256
e5f76e0c87bb7a73252dfa635cdf60ccb30b98b48600ded2192252dfb78d967c

SHA512
a6d521af6ff63fdebd1be683e12b18566887d25a08fbbe184be01a9cc5911522901c75805fb8e8f0f619228812846247c6c9ded343b0f810d61163f325a1c205

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
8cac22b211a20142e07dc892b3299dc1

SHA1
048a1e27cc04aacc0aeb2cc0552b35cfb5959fc4

SHA256
4405e0766b34858a18d3a0e9d4e2b26d47c8031044271c5c51c7d505ba0f10b9

SHA512
77ee1c2fd9a4c0966903928f36089c48bcb4508cbd6ee8eef4575c3739eef4d01b34ba9f85ed8ea82084cf28f61f05e92d239d96fa11862ff445b86e674cb700

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
977e256e6da56bb15e38268a29304821

SHA1
8c69ca36eaf8f6ef624ce5c6430d1b65f0d2a0bd

SHA256
332bebd2cfd06cd6d7d0681294378d93c2acd508f7318475614d4b34c25a6331

SHA512
f17e80c5e32f9560e92d50dd43db50a72c42fd780f3ba02c395499ee02281a7bc81c083955538ebec53b656480eb100f113a091cf2d97ca241705f24fd99645a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
01afd6d45e16a72a3ab47942f983e0b7

SHA1
c8a31fbdab9a57d207e329d9cbe38b84c6106662

SHA256
ea4de5c3b93d9be2d493f308835190a78a3a599756201b07ae7cb5900fbab576

SHA512
7c2b556278ef713b09b83cd6821ec2bfc8dc8be9057bf9630a458c5e2edc8b4e2a02be0278b0fea0c8b1f145aee579cb1f72a9d457ee5d31080bf18ab0e64153

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
8cff733dd519345005e6e3c67dcbaf47

SHA1
d27c352da029f21d6a759d7c84125490835070f8

SHA256
b767c5dfc0ea6a36a9949b69d7f1042f784fe133283362f5fa4f92740380b849

SHA512
2416a7ffc72988a414ea7483a79af4727a2164d2f638f0d311314e420654c778095030ef6f064bd68d3a98799a7f8796ba81bc818b4cce0eaad558a93fda820a

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
80586924555c0df557b3e47d25e0225a

SHA1
8462fbadca080b18d40669e1eeea227f5c596a1f

SHA256
5307254171a89b32955df0385cb2c8579fe8867f2a86d6fab7644c9fd773b2ea

SHA512
9e7508ee8fb316c2c6d4d080e8cb8a68dd36be837819a4952b6c8bf86745b7d4834f870e5647370b087a05db5741b8cfd5d4d53f6099cf86acd110bcd2955d23

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
c92743ec32ff6d486e1783e182fef20c

SHA1
b5a337f6125dadfb650241e1610c7e16f0e117f4

SHA256
ec2e48e23cc46c83a9d9349595fbdaebe1d5397b8ca869f816238e9ca2183909

SHA512
11c2894453b5ef8803ea6a2e6e3589df5d68ef3cec5a25c98b017879251a501ea1393cfa0ec1a9517eb3011ca624db7ad7b0717c0ada0bbb4f71f6f5109655f3

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
762249399be8d895668604e1a3fbd87e

SHA1
d359516e8d2512111c28688141fa776a7601f2d3

SHA256
9ab8bf06ca56fb31d38186f174a6b2e71f4b51a71504f146690bc6b2b70dfcc0

SHA512
0ef52029d1c1d15f4498dbffdc04228414b06290b952b0e8174de496bc2e10d2ba0332aed221d8e91f60401b66e2591264231b33369ff777638d3151b2c89f40

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
207d1c7d6cdbc6cc611c7ee76f0dcb1b

SHA1
3b95766748d26d667499b33a09d8882c552df70c

SHA256
e2b14b71de79ecdb0a267169cfa9f9e94fc5e180a88fdcf19f71e5caf6314aac

SHA512
ba9bf0a66c21167c2cefa5290efa0adaa46f17c5b1d04c7261dfae710d14476ff5815ec73ea65d1d206bb1e409ed7789b0ba8efb5cbd9764e17eeeca4f021ecd

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
86749b3b5f8a83150eec1e7d461bfe01

SHA1
0521fb16ff75b8f53e4f0abe3cf757f4ce17a107

SHA256
32881b3bcbc344dca8ca3ce4f781281d283efb04adbf0fd66422715ac998b299

SHA512
4f79107c57c511e35f26401ee984ef264a6d5ce069b1bf857a79c4db4e3e6347f2306b4c950084d42bf3d1b2539af2257c89efc464a5d607de263128fa503782

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
de0c648c280f3edd5ab2220b631bc986

SHA1
6ff4288704d33b90cab0900392b0b9c58999a070

SHA256
538551f29312e2b53f0a327c7e2f49f915933312e0c43242334ff969527c831f

SHA512
e9daf8c46c8a5cc46d9103db908b085f6a4cac3284228ae273e9df5a075219e71e9c71c1e4f88c93c38fb4fcd513e1c7f11efcbe1f6ed5954a21c4fe041e1082

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
e0664bbfef6e4070c4fc99d74fb3c272

SHA1
0adc986af46d5415e3b46431e817fec4e0f15e71

SHA256
2fe9ff30a8be2ca4d70577b56a28f1e7eab630a61cac80a5832b3ba201760b0d

SHA512
b319816980b699390c60990846b5e43e7558217983225d517632cd256ab3069a322f7028241176e2ded30b60948511bc4dc5721bac0fcb7924374ff36e276c4c

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
7723f1040d28b28585cfa844f88499df

SHA1
8f02e8e886f75879e219b8665b86c6b432ce37ea

SHA256
c298675f579c0658c5672792f59bb6003d96b931eb7e8de73330b17d8ed12ff5

SHA512
c0e446d6ecfe263d05466da687ff910b86790286f0cabc0ece6fd5f49d3537968b346389e85f6eb7ff4c09e17553e95fdc299e942c631df3ea7a6923a0cc8e9b

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
83e712350a2567fa0daaead9ca6cacc5

SHA1
1c376272d6d014116a4346f187f650c1350e5e45

SHA256
972f6bdafb70ab99c67bedee3f02511cb12f3811974f63faec590e6af875b35a

SHA512
dbca46d2b3627af53dd6921c1991af4cbcd6c0bf2f03b8f3bb6272ca0331b153e789a99f6fe27e3c1e006f57a193ede74db4044551db8792d5eeed8de8baa9a2

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
96f3d554b55096b308fa20613d17c488

SHA1
af76f7253ce19c9fde640cba29dbf8f30135ccdc

SHA256
977fb985fe8f367158bff67073106c8f44ff1536a09c3b4745e169f561afdb85

SHA512
b40e9c9903be59d6596a502faf1f8e5e38f15d991ec8f136f06571a127207236359e8ce2878a0087d6e72a6066631ea63e9cd5e9768219df61696f46bb540333

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
c4f27ece4b09af0e9eab40ff8aa5c3d8

SHA1
db9bfd310710c0a163c0fa3cc0e707df9961cba3

SHA256
63d46ae367eee04eed72d29d95ef9dca1d955d13c287b151637e80b7fe51b1dd

SHA512
b9541cec8806d3cad49a3602990c6c3312c4e527cbfc7c6be9fb0488e5cef3bcbe095506b8bcf2cf7a41d69960054e138aec2caaa111326d9f5a95d18e119a8f

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
5a115bb8bf4c51944b5373281d19483f

SHA1
af9b222645b4f06927388942c80269b7b3f6a25e

SHA256
2b15a855d7101750b78e9a0cf1fca3124e8cbf74eddef5d455068f921f1b932b

SHA512
6972b3bf5ded4f078aec3618812b68de7410be1e7a5ae7044d3ae05371004b1dc14227dea449a6bb3fdb37cd75ac6feac3058a85f6f516b8cbce76bd472eff3f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
d65b47f01842cf0084cb1a25d9713daf

SHA1
4e903ea240a82b9d1c3e81d13345e91c810b5920

SHA256
bf0d2fa6ea8777892128b226e269bd40fa8a9e238e3296a0cc3f17dcf1f72494

SHA512
3c97af7dea524574dc98f128f38c0f6d602cfd79b12035558b06163301331f9e661f7ab7e896b83ea6dc096fc1e6c7a7016faba07e2df76b008c4e4817c0a9de

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
3ef4108345876f17912381583425e794

SHA1
d1fc3c288259982d94b5d5e18001da75e6eec222

SHA256
05110082cf22caa71fb1b080790673c168b4a2b4522bb12cc5ffaff108645b90

SHA512
0adfe60aef0ac78b346716c7fc9e57ac0af221f6d5b29cb77d1bfdc40e5f2febac9ab4f9c869ab6af96750c232361f4eb40a98364b4526e6ffe7857f315e6c51

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
0e1a0df5323f02fa141b11070035f203

SHA1
4662c48107aebe02429f78dc0ab4328f88ea9e8f

SHA256
169bdddd028372b9c8dc1bbc8bc1a48dce9089467cf7c3b5967ebc20713b1bb7

SHA512
5ef418e1f48b459f21f15f8462fceebbe5da2e16ff4cd02a614a6a508c1a9e28527c0d0778840600c85ba60d412de91e754b3aa0173ac4db70460367a2abc6e5

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
86aa8ce2cdd0c6bc05061ec8297bdddc

SHA1
3314004fcc6c1e6f10bf4a4cad0ff8fd80b40db6

SHA256
e23f0b705bfa9577c43ed0bcc14fac021d68cf6dff93db8dd66f0115e3506b7b

SHA512
a45626c4d7828d56c40027d055d333fccc32790caa7923b2443beefcd12e5aad3454cd8ff977d61d8c8d91ea45835bb267cbc6cd0b6fe5ac170dd7fe4267c64a

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
c91ffd36500afccd8b9204a83b568dbb

SHA1
84e25b40317d8ff29485446065f936df3b82d9a3

SHA256
2d081c2dfc1a5eb5757900cf1450a0646654df33e5510babacc4b88bccfc65db

SHA512
1e195aa99daac47a001714899585d6247a6de2a446706b3f2cb7fd6db97a38fe0c5c44aa4baed6e23941db8e51c8b8b7f9c172dd1bbcac9916f3f803208b4905

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
838dae3a322bb54fcd2556d8d36c2010

SHA1
c97d327147069351f6c1c23f0ff8adc708dbef8f

SHA256
0dd2f1b9190f6ea5ea67f677140d27b02cbdd42b38b98acfe70978f60f29295b

SHA512
5f61858c6ee6bc1811d0a7e55a2e55be9725d9144a169672f1af29c9b81288517724dc2534a516b355159a9dad7245bc0846caa01846a0ea6ee34ede67bce1b4

Download Submit
C:\odt\office2016setup.exe
Filesize
5.6MB

MD5
015d9da012a273fac187b2bcc23bd056

SHA1
fb92ca8bba233e354042cae05b63dca6f1227dc5

SHA256
0915d9fc2fb5214b79d6f95a522c041de85b3bf88cd12f6994fb69a5affa41a8

SHA512
da931556acd39c750285fc6121c03953df10073ea2ab4815907efbb32e72ef740e2fd679a6bbd0fab2a80ed93d6ad030db4e912254812ad7ffa913243c52479a

Download Submit
\??\pipe\crashpad_5076_SPDOAELPFJCZSBTJ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/488-125-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/488-271-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1464-10-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1464-110-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1464-16-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1464-18-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1780-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1780-0-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/1780-38-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1780-6-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/1780-22-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/2020-182-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2020-42-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2020-43-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2020-51-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2100-57-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/2100-63-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/2100-56-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2100-80-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2100-78-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/2364-25-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2364-35-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2364-158-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2364-27-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2532-153-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2532-287-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3156-284-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3156-280-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4304-165-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4304-309-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4596-248-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/4596-83-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/4596-84-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4596-90-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4636-111-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/4636-122-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/4636-98-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/4772-128-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4772-76-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4772-74-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/5200-428-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5200-179-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5208-289-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5208-967-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5336-435-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5336-183-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5396-444-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5396-975-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5432-579-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5432-451-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5432-202-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5580-215-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5580-541-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5620-971-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5620-310-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5684-218-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5684-603-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5928-768-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5928-257-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5980-452-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5980-997-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5984-429-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5984-973-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/6040-260-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/6040-809-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download