a90f6089cdf095f14d92677cdd2a84b09121f92ea00276962e96099d3627e857

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20-05-2024 22:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
Size

5.5MB
MD5

3626d2394848cf37d55214d39245f310
SHA1

b084003aeec74f8114111ccec9621b724b7219d7
SHA256

a90f6089cdf095f14d92677cdd2a84b09121f92ea00276962e96099d3627e857
SHA512

b9f3b7f7130706acda07272e46aa4f87924695e001852df2787940f1db7a8f56bce3a4cc17d222ead606316fdcd9df91121f58e2f52f8c56d5325a770a75c890
SSDEEP

49152:sEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGf/:aAI5pAdVJn9tbnR1VgBVmZ/1KPpS

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
984	alg.exe
3800	DiagnosticsHub.StandardCollector.Service.exe
3404	fxssvc.exe
4336	elevation_service.exe
1104	elevation_service.exe
4480	maintenanceservice.exe
4900	msdtc.exe
3768	OSE.EXE
3476	PerceptionSimulationService.exe
456	perfhost.exe
2424	locator.exe
3396	SensorDataService.exe
5256	snmptrap.exe
5332	spectrum.exe
5472	ssh-agent.exe
5596	TieringEngineService.exe
5700	AgentService.exe
5792	vds.exe
5964	vssvc.exe
6068	wbengine.exe
5164	WmiApSrv.exe
5436	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 33 IoCs

Processes:

2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exeDiagnosticsHub.StandardCollector.Service.exe2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\vds.exe	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\778f556fb3e2edcd.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{1342F81A-D5C5-42B4-A5E8-933F7759DA30}\chrome_installer.exe	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaws.exe	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

fxssvc.exeSearchProtocolHost.exeSearchFilterHost.exechrome.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001f67003b07abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008339864007abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ce45344107abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bd74543d07abda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000074d5563d07abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005fe8c33b07abda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c6ec774007abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000031128d3b07abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007bce4b3c07abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a369e13a07abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000070489c4207abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000545f524207abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000072b07c4007abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

chrome.exe2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exechrome.exeDiagnosticsHub.StandardCollector.Service.exe

pid	process
4484	chrome.exe
4484	chrome.exe
4664	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
4664	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
4664	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
4664	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
4664	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
4664	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
4664	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
4664	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
4664	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
4664	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
4664	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
4664	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
4664	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
4664	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
4664	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
4664	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
4664	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
4664	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
4664	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
4664	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
4664	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
4664	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
4664	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
4664	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
4664	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
4664	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
4664	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
4664	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
4664	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
4664	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
4664	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
4664	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
4664	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
4664	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
4664	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
6568	chrome.exe
6568	chrome.exe
3800	DiagnosticsHub.StandardCollector.Service.exe
3800	DiagnosticsHub.StandardCollector.Service.exe
3800	DiagnosticsHub.StandardCollector.Service.exe
3800	DiagnosticsHub.StandardCollector.Service.exe
3800	DiagnosticsHub.StandardCollector.Service.exe
3800	DiagnosticsHub.StandardCollector.Service.exe
3800	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

4484 chrome.exe
4484 chrome.exe
4484 chrome.exe
4484 chrome.exe

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exefxssvc.exechrome.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3248	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
Token: SeAuditPrivilege	3404	fxssvc.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeRestorePrivilege	5596	TieringEngineService.exe
Token: SeManageVolumePrivilege	5596	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5700	AgentService.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeBackupPrivilege	5964	vssvc.exe
Token: SeRestorePrivilege	5964	vssvc.exe
Token: SeAuditPrivilege	5964	vssvc.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeBackupPrivilege	6068	wbengine.exe
Token: SeRestorePrivilege	6068	wbengine.exe
Token: SeSecurityPrivilege	6068	wbengine.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: 33	5436	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5436	SearchIndexer.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

chrome.exe

pid process

4484 chrome.exe
4484 chrome.exe
4484 chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exechrome.exe

description	pid	process	target process
PID 3248 wrote to memory of 4664	3248	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
PID 3248 wrote to memory of 4664	3248	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
PID 3248 wrote to memory of 4484	3248	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe	chrome.exe
PID 3248 wrote to memory of 4484	3248	2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe	chrome.exe
PID 4484 wrote to memory of 2900	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 2900	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3456	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3456	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3456	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3456	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3456	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3456	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3456	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3456	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3456	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3456	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3456	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3456	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3456	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3456	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3456	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3456	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3456	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3456	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3456	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3456	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3456	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3456	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3456	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3456	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3456	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3456	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3456	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3456	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3456	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3456	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3456	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3456	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3456	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3456	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3456	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3456	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3456	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3456	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 844	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 844	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3804	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3804	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3804	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3804	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3804	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3804	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3804	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3804	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3804	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3804	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3804	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3804	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3804	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3804	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3804	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3804	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3804	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3804	4484	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3248

C:\Users\Admin\AppData\Local\Temp\2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-20_3626d2394848cf37d55214d39245f310_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d8,0x2ac,0x2e4,0x2e0,0x2e8,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd50909758,0x7ffd50909768,0x7ffd50909778
3⤵
PID:2900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1776 --field-trial-handle=1904,i,3551291372238953930,2308553713997811665,131072 /prefetch:2
3⤵
PID:3456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1980 --field-trial-handle=1904,i,3551291372238953930,2308553713997811665,131072 /prefetch:8
3⤵
PID:844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2236 --field-trial-handle=1904,i,3551291372238953930,2308553713997811665,131072 /prefetch:8
3⤵
PID:3804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3196 --field-trial-handle=1904,i,3551291372238953930,2308553713997811665,131072 /prefetch:1
3⤵
PID:1252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3140 --field-trial-handle=1904,i,3551291372238953930,2308553713997811665,131072 /prefetch:1
3⤵
PID:3608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4572 --field-trial-handle=1904,i,3551291372238953930,2308553713997811665,131072 /prefetch:8
3⤵
PID:1408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4580 --field-trial-handle=1904,i,3551291372238953930,2308553713997811665,131072 /prefetch:1
3⤵
PID:740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3964 --field-trial-handle=1904,i,3551291372238953930,2308553713997811665,131072 /prefetch:8
3⤵
PID:2416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4920 --field-trial-handle=1904,i,3551291372238953930,2308553713997811665,131072 /prefetch:8
3⤵
PID:3392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4564 --field-trial-handle=1904,i,3551291372238953930,2308553713997811665,131072 /prefetch:8
3⤵
PID:5828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5116 --field-trial-handle=1904,i,3551291372238953930,2308553713997811665,131072 /prefetch:8
3⤵
PID:6120

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
PID:5376

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff7fa807688,0x7ff7fa807698,0x7ff7fa8076a8
4⤵
PID:5188

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
PID:5836

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff7fa807688,0x7ff7fa807698,0x7ff7fa8076a8
5⤵
PID:5932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5376 --field-trial-handle=1904,i,3551291372238953930,2308553713997811665,131072 /prefetch:8
3⤵
PID:2756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 --field-trial-handle=1904,i,3551291372238953930,2308553713997811665,131072 /prefetch:8
3⤵
PID:5396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5140 --field-trial-handle=1904,i,3551291372238953930,2308553713997811665,131072 /prefetch:8
3⤵
PID:5160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5468 --field-trial-handle=1904,i,3551291372238953930,2308553713997811665,131072 /prefetch:8
3⤵
PID:5024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=1648 --field-trial-handle=1904,i,3551291372238953930,2308553713997811665,131072 /prefetch:1
3⤵
PID:5132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4672 --field-trial-handle=1904,i,3551291372238953930,2308553713997811665,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:6568

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:984

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1460

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3800

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3404

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4336

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1104

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4480

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4900

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3768

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3476

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:456

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2424

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3396

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5256

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5332

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5588

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5596

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5700

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5792

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5964

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6068

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5164

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5436

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5864

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:4128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1040 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
1⤵
PID:6824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
4322c129a95150853df9d5f6345aa8d6

SHA1
329d534f7bdbc5ef34b1dd4ce58f20051a750e72

SHA256
bfe9fdaaa59a288185a407d1509cf4d630c832360b5b8c52ca1ff25ed6adb889

SHA512
164081d6adf1933c1410e0ce346fd0a4339a45a54967c02dbf1a280bbc74fed008f03cf0ed97267b87b9de834e134a81dc5e77bc5361c3478611dfab0dcdcbff

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
126fdd4a13c1bd92d5de0d8227ab9d33

SHA1
5b2657af659d7ae8b5fdedc5126fe66642d6c6d4

SHA256
b4da12721720dc9b6eddda6d5dc2f56b73cfc9d4b0fd97645c3619cac44725d2

SHA512
12be9965473b0b33cf7c5ed96e830ce0ed1800540c14a8abc85be351c72e0f308d3dab6e6b66237c443eada896f24fe34006a171388c81f0aed4d9b1f24e790c

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.9MB

MD5
a89e854a0e75c62608d1d2e705d4a68f

SHA1
07997142ab442398d597da5723b020ae92751f62

SHA256
ce7b22bbf291dfb8a07546e9d8eb26214da0eacd3e72b624bb48853a00e5836e

SHA512
f49457e6d27eec8b388ded428805776bac22613bca2fdd1eedceb9290609027081e4656df5ae55799495d8ab08e5ac7f5ee1c49c450f48beb83930b5439e913c

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
f271c9179deebf626a18df0d8e51f509

SHA1
0067c989bde645975e9b098e1d768d43be62d632

SHA256
a8e37798b0962746f8e37c2812e70de748a4faf4ba0764a5899bfbc65c282aaa

SHA512
b584eb999fb2371ed4b9567e726760b711e2ea1abe40f877eab784682e57a618fdd9801ca48c762e48e3619acca15e80bb8793d39d28534b00bceb18ec8a9926

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
7db1906b80a57954dac95ea1211fd7ca

SHA1
559224a3d0a188a2eabf7919be0cd8c4f705fa40

SHA256
d22868a5c14d9129067b3877c4d53720c07c18e06ba820803b4864568f3bc107

SHA512
6b8a63c78f9d87c205ecdc1bf0f05f220bfb367ee321aadb53d8478cbdf14d024b5c1086083f03c3b3fba7c1a8f923278ed1987740b6fbd8e1ccb249859927a6

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
c9a2887d513f2641f3f4a7b476b9339c

SHA1
7a28f803904ae10e7883d0cc67b45629b078f2ac

SHA256
acda121bc42aa14b4d30e55fb06c09699c1f2c07bed4f5865c734b0a9d4a0c49

SHA512
0f42ff3a197b32633eec59815cd2212f9f60ec0a373695abbb3f72aea163edb78cf9d253bba4356af37f6683e213d67f8a081b6ca654330c936de966e554cb6e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.6MB

MD5
8537aca336eca5728d71df703a316d48

SHA1
9906acd5770a30359f92ddb7ae61121365d77fb9

SHA256
ce70bbeba2e6630f7732e9b7f177231474474e466b5caad4230963d511c92113

SHA512
cfcb8e862aea29ad4c78c2bd6339b4bceeacc818962f7dcc93c7687d963b51a4dba243e89eb5be615092062bac548d8de41b55813789c02a9005c7b4e1bc1a38

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
d342e3b33bd6952bdcc426e2bf07804f

SHA1
860974badb9830ccaac9b5b2a9c820001941d21e

SHA256
d6b3c74b32e8d5721a173f5469d57b5601af007fd443e6036ad3c10758c5463b

SHA512
40141f7f206c2c4fb67112b23a29399d8c1c0038480cd84d6bbcdd82e653ae63a258b96a392896911c2c4e822db977741ade33115c882373874570aa44eac24b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.7MB

MD5
55a33f222bc6914612e2ec7b8e70ddee

SHA1
9c2fd2ae5b1bef10d04838d9daa35ee31123efd6

SHA256
96f57075d140ec279a7b3dc72aeeaec2f3a3095f2ce5eea0ed03b5075583ba56

SHA512
963d6bbd359667ed29c5f8c80cba13aa9f9b6476fe6fe879bb9ce6ed2157457079aaaa87160fc6aed80b0a76effce12b04b098e294b61494696d03ba3e3065d3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
92941089cc2dc1fc0c1536f05289e69f

SHA1
b5f6b14eb912e7b9d06231f02fd067b28b9fbac3

SHA256
17a5ab238934997905a94deac689621b3a7ce96cb09d9793d87361d7a40c297e

SHA512
3f5df0f4319d2bba71ee822bcc0aca421552be8d43b79611130c96db808fd01e36c358ebcc6171326384daae519d2bdc858d03a34d0228f4440f5cd955c59537

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
10fbbadd983b77675bace577ea48625c

SHA1
c24275d5bacff7d40959abebf36c078faaca6981

SHA256
ba43976043fd31c0197d42b2dce4712fa2b5648d730e001ba3ac9471896c57da

SHA512
2511446f19c31ba259130638d8297292352e572dcc1e3a82f25bf1a7b82984f02657d429d944d8d491781ee3916969f53a6f95541c5cb369dcfc9ae3d7ed3ee9

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
b54291ff4027d034a0ab82e8b264bdab

SHA1
6b75ac4123b5adb1d892057c05cc5c5968462a6f

SHA256
382439e1659d367144808205620ce7068cf9dd77b464db47ac384fd2d866e779

SHA512
dc773eda9edf82bdf5d266095b27722955c50581def83cfd49ae8174c33ab50e7d58d8da6970481dc9a6e57e2976e3672964364ef220c6443632623fd3549cee

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
148b66d327af3c1388e13f1a8a9f8e8d

SHA1
7ad7bd568614bccd0d4fafcf4e159399aea6ea2f

SHA256
0463427820a4226916ea3979be54870cdd7091eb60deba67d125395fc106b769

SHA512
b0affad7996421647ad5f6c9fdc0fcecdd7b8378612f5c8976841997e475706c03b398a625352fe28f70d2d46e117e3fd9bb8f046fb88b1f88e53198287b307c

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\d5f8cadb-9226-4b1b-adf9-0a7a54ec0ba4.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
f1f1f04f8c455925df33fde5bc63808d

SHA1
707aa9f5d1b52080f9b68f7acc5e6ca02adac24d

SHA256
91c6bc3b5aa2d21636aca3c575b4488ac921f4e8ff0d259d3b5bbc4e049481a3

SHA512
8de30b7ef6ff930666e6ff8775cfd699b97e013249d65c21721eac7be22ddfd3b652a0e70db3ae31a3658c9d6930346dba4aac9c0d42587c83f6ef2d5f8cb0d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
85cfc13b6779a099d53221876df3b9e0

SHA1
08becf601c986c2e9f979f9143bbbcb7b48540ed

SHA256
bd34434d117b9572216229cb2ab703b5e98d588f5f6dfe072188bd3d6b3022f3

SHA512
b248162930702450893a112987e96ea70569ac35e14ef5eb6973238e426428272d1c930ce30552f19dd2d8d7754dc1f7f667ecd18f2c857b165b7873f4c03a48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
f8ae2839ebc39a5cb6d47d3ec92256ba

SHA1
66acfe702eb4870b27dbecbc7a577bfb2d99ccc9

SHA256
40f5cd88b0a3b3b855137fb15b7392dfaa367a690274299114f4e247174bc595

SHA512
c455e274560a8600de59b407e1d1735a3d91a00d420ad9d42f005085d3dcbd271b1400be2f0dd12fe940b06f79ce5dd3619742936a413ce287567556d74edae8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
fcbbbadaa69f3bdeb096db377ded36e6

SHA1
12a35b4e8ec2ed21563ad15c23e0a977bd412d20

SHA256
34805ace4297352a749f8ee4dbe009666416727353c7ab5cd18c9e6c166f6165

SHA512
283c1e401248deddfb1e744539da87b4ed0886415c11b6c8cbd642ac940981bfe9ab333f3be244eae86f6685ed1fbdb0a4f63cfd123337c4e08b3a8682e351bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
d6bb7774d3a7234c1b819fa7d29c8446

SHA1
33a073f44d7586053f73b700b7b079f7b20877fc

SHA256
107fc33e55cb4d91fe642b48eb680b6e6c9e434e77bdb7f1e791729bd6c52379

SHA512
2e511f952e717cbef5204ddbd83e133bd483727df1a9fcf895dbacdd386b9193b0d51bfe56a15805ac20c99230556a6521114f34bc19d3963526f7ddbc7b50e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
26bcff88c94e1330e239c0d48e91a542

SHA1
ca43a41ec90f0f5994b9202df920510428dabd1d

SHA256
413260787a810cee1ca2b6b516710a81e212210dd6ba3b6406719320b059e472

SHA512
ba4f7234f586b7ce3c46ec5de199d969af2721ce05c2ccc0ec186ec6187cd6eaa87b8570dd99f000e415ac00e4fa3ac6bd6218e1f581ec00361202823f49ead7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
de0d2d0f5b47f9d1fc0f79f007926de2

SHA1
0bf3a254d6ce9b032b9450047ccdf8ff309b8ec0

SHA256
68bdc8b388c3d15146ecb54094b696faaef5643bb952c4e18273d6b1dda5a6f8

SHA512
fc003cd20aa7eca7d5d0154e1d1f700f236aae704b242df47ac91d6355019b4930c95a6146f885d901172d3cfae7fb683907a331626662c4b6999cfc226215e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
270f064d0408c646a9f005c623377691

SHA1
ad99ba97206fc097cf7497479196a16945ca1a89

SHA256
ef95dbc96b3e35e894a79eac390554dbb18abd50bb30c1bbc659bc7f72ddeb27

SHA512
94d64c231db76a88f3806a5dec611696ffbec7eaeee5585675f8f8c060ffdd60d6276f73278a485037a661c1010d099ddacf586d2956e619f2993b3efeb9dc0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe583a93.TMP

Filesize
2KB

MD5
04695aadffdaf28b5be826d27d48721a

SHA1
ce79df7c80926a86b0e1a922a05bcab16c7620c4

SHA256
0bc76b0a74faa8d4d25cfa28127c42750e86004af7a10d590e07a33a89726b51

SHA512
aa3438c4a09ea9c0c52dccb6cba636ac99c11b47a5b78317869823d6c39bfdfa304f40e67867b8ca9c4269efaba12431ae59a1d54c671f38acb9e4fe3d23da54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
10KB

MD5
e5f253f8fd7fe38de098ada53387e05e

SHA1
ba2c973b12d371b69684e120f7b8d3635c975550

SHA256
02465dc0f123533f903044f0df7f34a60627afc716244ed2f35b9196eb680ef9

SHA512
d860b975150e22333bf5199b30df81bc7274d271b88108db7bdc7c7ec2f57ab281712ab70a06e14c1fb5a4f5e1dc46be269d46081c61f3c72ee7b1accf3e8ae9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
13KB

MD5
97d30049fc6d3acca7c17153d538117f

SHA1
e6e47df5ad28635ce7628a0425287427c175f2ea

SHA256
5fa9032c0e7aa26f839be79051539f2ae0e28cb00fca60cd81533bf047236578

SHA512
a5107b9fec9bccd7ce6da467f4ae067a99507da9320b4d49beec57bc0687bc8caa18009217f0a7d3bc58dd28f709c2fcd0666143528c4569633ad1b28c72ae10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
269KB

MD5
4e570dc6e2a1a573be6bb912a7386012

SHA1
bdc5d9aa4f8d5a6a9dc694a2ae845e78bb5036b8

SHA256
5015bb4949732bc38f87f3fb6f19845ce5d309e8c9b17faaccbea1ed03be3371

SHA512
e969e3136e12c3f14f609068d48fa8c6c7688e56d2e680da33f2e9521b890cb6974869a614606e3e17fa697c77ba0e361c19cc9b959abcd0e903257bb8143308

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
4KB

MD5
23b604cb3b1c10e6b942d05e3bab2589

SHA1
9b053b0764e2de044ed88d3a56306028f1458cb6

SHA256
22f83c333c55b0b909245dff3db9e612cf7e2cec7431fd530baf334cf17f7ad0

SHA512
5ebbb8dd59f3859c173e678243df88dc729b4825d36be42c9d86048ae0e9bce3e421073e3a70f8be86b37c87fe73a973208609b2566129fa7735b4e188fb98e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
6KB

MD5
37a27ff050181be6ba5bd99a70991d0a

SHA1
58a10295c7370127f0f18ebfc5f791880956185e

SHA256
840fdbb0e02b833273ec2ecc59e180fd170dbe15293e533c5f7eea59f7824e1e

SHA512
3c489cb302ccdf2fa2ed38882908156b85dd410022797415ab65325bf4cd930e2d49f37a59b024ebacf011cc9491255b7dad4d35e32fab65d951a0a814e7947d

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4484_1729419508\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4484_1729419508\c2f6d9e0-1ec4-40ff-8769-f3d84c18c7ed.tmp

Filesize
88KB

MD5
2cc86b681f2cd1d9f095584fd3153a61

SHA1
2a0ac7262fb88908a453bc125c5c3fc72b8d490e

SHA256
d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c

SHA512
14ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986

Download Submit
C:\Users\Admin\AppData\Roaming\778f556fb3e2edcd.bin

Filesize
12KB

MD5
e0b3c26f353c435dd9cf26ce2fdbc3e4

SHA1
cb8fdd0da90d137171b8074b35df735f7e9731e2

SHA256
90763a99b9642109b34354a70fb0ead154cf7f682c57cd4498f4443a0be4d08d

SHA512
b89b76308f7aa58491fd5241056166f23594f2b71d648f6777a22aae06f8d1fa23d034fbeedfbcd510ff90421d4e86663c3a0c85d9f2348322256b896075bbce

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
dbc1c147f71f5b4b50748a4a0a9155bc

SHA1
f6b1070a0012c8780cf65d6974fc2ffbaf50930e

SHA256
8fb7387103f38afd6032953f6e9d1ccda0112c9bb495015650a3f0dab2e1f81a

SHA512
4065d29b30fe763e65e8800afea5f605d3452641a1a496b6157c41b2502199297b7f73c5a208a36aa96d77bb94f7cbab73a634a99b42d87f266e438c27c4274b

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
9e5e468bd40b0699990099fcc4e2ced5

SHA1
ebbdaa972db8e3e3cf7ba3c284ac32263eee450e

SHA256
1344d476a257a26e75b67c54e805bf277148702c81cfb39e3b58036605eca304

SHA512
969da0ab144e7acd83a25c2680c30c51262885d1c889569d52d49dbe4e5823872f7deb079d7f96b97639935b9b66f64f5e18924c74b62e038549cc1709d629cf

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
87a938a13257db5f20193b19577e7247

SHA1
09aa2412fafbc17ef8978b40cc308b58e26915f6

SHA256
5538f9727fb0b5a4263c6a65fdbbe741dd015bbd7c14dd4d538da207efa507cc

SHA512
eca3685f152166e99eb5de2fc6c31fae820a330572c0ec55491e6fc08fae795af87706ad5d8afc8edae4a08b43b6c19966a01fd7efa7fe23635667d31305beeb

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
3cab464aa4934a328c99cabe2f9b99ea

SHA1
1fa0e17e3caf72db2b7d67cf084e534d92e163d5

SHA256
56e1c0e935a3a15a0bc5455f7a4c7f20bbeeee806869ae579fd5c29b695f2240

SHA512
7c501cd3ea59bd1d50fdc9b740a989413e1780e39ff37e43196d7492e7b5cbd175f6417ca97aadc81ef3766c14578ed20324df20cca48245a40ecaa874737951

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
8a459485e2c7f76838a4f17280fc1359

SHA1
01d07e888841a45207004417db2ef53d1752b7b5

SHA256
41bb57e8bcebae1cd417c794770b7a18a5cb69ae1306e76f0e84b4b44fb8bffb

SHA512
5c1f86519bca69f0446ad4c16fdcb7bd71a3d6ba0b2ef551410f7326c6091af8997c5904648aba73bb17d9f08ba24a253426a4c2957f04bed0771bf1a6073f3a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.7MB

MD5
8fa00f4878f48d292d6b98dc117563b6

SHA1
33492253f5170117ef2893bc7243f6b9368bb3aa

SHA256
bb9e168639d43b1ee6227417720e95cf8b06d287b346a9b53aebbaacd8308a85

SHA512
e833e2ee618e9e71987b7ab67762855b82586e9b90bcb3feb00a0350cd833b4b856210afce67792209141c8c04b7cb094e1bd65e3e26682976426b42a7c05b94

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
f60a86b734c12c0392e321ed93dd1638

SHA1
670a35902373c168b5561dc364a1844ad1f9cc64

SHA256
7c2776b5fee373ad1fcb425718424baeb6fc13f7e573beca73d45a3b8c08b86c

SHA512
4534f81924fbea5a25eba2e8926741f0dc7dfba5f7e7416d0443af5016c8abb79468c14a357e6699938200c89f9d10d4cfdeba3b115b223ccb13da47d7eefb3c

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
0246c98ffcf09c20c6bea5892f7511f6

SHA1
5e3017abdfba7535f11d1e1f72b323a0de7069d9

SHA256
c718e0943e259bbd0aacb56cc4b84e305b56137cf91366dc8fd3ed0b812cb86b

SHA512
fdae1a1a11f3324446b239305724a02ac70a6ecebe041db603b39991565c791f48769ccf7265d21a48e75c6ac7fd5dd7a7b33b6e9ca26ce8790164b1c8c3ce26

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
a66fe1945ab6363d960c885c2d18d1a4

SHA1
b6e5607a090893179f680b6636c1d4f4ce5a7a09

SHA256
48aeb5e97851c0442f0882578aecbab46bdb9fbda499251f72561a1938e7f91e

SHA512
52c9bfd073c1b8457e88468705e693da25525af9c2f5f632c303c943966f0e68e72f9f3c52bc420bb33bca619d1cede5693cea9f26b83998290310df255869a7

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
b6873fe1449b3b3c739fe6b9870e9abc

SHA1
0e10a5d8c755dd6d979ba4f592d0ea8f53f92475

SHA256
580f68e44da2053534c56a0fd15e10daa487c07fd40e8a19d9a1a711633de6a2

SHA512
c3ae6dee8b167fa82763246fce64f9eb42d629d13d40ce3b508593592877da7a117b4d2d61b79a7be512d204c644c0b71d08529f92b4fe92ac195e947e733af4

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
424d9f0cec338a9e2ef97991ca918042

SHA1
c8ca6cce3d6a84bef18c77dd04fb07a459a2f705

SHA256
d424d43070d3b80d2b59c22c7695c3bdf5ec3a1e44ec818c99ef70e592301de8

SHA512
cfffd2f39c3b601ef32961ba10bb6dac6640a59a661b5df558943c6b8913bd44b061287769d8c31190f9c79d5ff9681d3a2f1a181e912cf49a5450f824a56e3f

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
31139a8dd2edfbc0c7431c468166e438

SHA1
532eb89124b4baeed07e4aadb5098400546b9294

SHA256
b55420d4576c2599e2bede2e038613f31ac63b30b5334915ecd28c95b56c3c28

SHA512
ca7c83b8f8c1ac69a2e137e5e1a9a6126e80a49ac859ff8c8fafaaf4774dcd69e97cda49f1190e8ebf3c757bf42ea1e7ba06336b2f1a8879ef001794b36bf7b8

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
f3fef2152c74eede447409731183fb14

SHA1
aed275e7334aa5aa7889a72150f6bce5fd32df33

SHA256
0009fcaf235c32f31752bc528399f38058bc8c88ed6a216bc623a05ba1258a13

SHA512
22cf5eff2a79176c49cf721c6e044a9f2448cab9e8ed67336d8c4df3eca0ee028711b874ae9fe7032135cd52ea227578ad21fa2fa60c6820b525f41c484031ab

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.5MB

MD5
432fee0029696adff00a9c64f2a43f56

SHA1
9ed58e0e23055d463837248a2ed3d49ad971c354

SHA256
1e458224fed44400a5fdfcddd969f8b036cb75c67be1a73b0450e731d5755c2a

SHA512
6d8c8bf53f8c66e47cdaf3abbaa7c6bae27a43d90c81f01b5a0f6eb2c0f9923f3467d02d823155dae2ac66f8d4ada12c1fe4772e6b398db47db0af1e3b435958

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
b95ad73d53e9fa30d7f5ddd175c193e8

SHA1
b4af50a465a7ab4c537bbd94b6eb437e2f0169e7

SHA256
dbdbc9630a786c00acdaf9d6ec11e87279bf1e033c9583a8229df84760c47352

SHA512
1b4e4bbce697c5f9f1bc87e699e87fc61dcc999be7aee04ef461df4104851d08293d3f9c1d413f38ad1415648d1208eafc9d1d75247a0c2bc98ce2c83b9e9875

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
18d6bd3f9efdca7479a3cd69e2c9b390

SHA1
38550124d4c57f8df2ae304abf30ebe69f781e84

SHA256
5aea7af563a4b42e1d776adcf33aa273b84264f0e7e2d91e9925f1efe329ea2e

SHA512
0c40ac7287101708b94b21b12e36fb4e928205efb9c802e5818e737ea66da7c12d1477b0c98c4e044b89b3f951aca43876539ce410a2de1369b2041db038f243

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
d44f165c4d5634801b23b7fd0800f375

SHA1
4e3f613321ee70c81ec3ac8aae2770d488d1ee37

SHA256
a47b0d0e0431b95f9895855cdc85e0aec7699519fe38ab91bb59a975f65b5a28

SHA512
b78dd8b879916e8da64ee4351da1b0905d96e013a4e424539ab6e8b6badbeeea22ea2c2e84d42ac38363591c5114f482ac619b3aa6f19d6913d226f92210b70e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
a1f4753d22e0c592e1b76f7f14652f76

SHA1
799a6928aa1bf8435aac0ee44a59f7a2db71b86a

SHA256
e7cdf3ecf15169721737be89b0cc633e960fb29012ada6721ff07261c9ccef35

SHA512
ddad53beaa77f88bce563679b59cdf2cea4b370442531b3618d8abd195b537e03fa170231165b41be931bd642dfe13d379ead244b47abc203493a8ba56acd333

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
0e1a0df5323f02fa141b11070035f203

SHA1
4662c48107aebe02429f78dc0ab4328f88ea9e8f

SHA256
169bdddd028372b9c8dc1bbc8bc1a48dce9089467cf7c3b5967ebc20713b1bb7

SHA512
5ef418e1f48b459f21f15f8462fceebbe5da2e16ff4cd02a614a6a508c1a9e28527c0d0778840600c85ba60d412de91e754b3aa0173ac4db70460367a2abc6e5

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
922f1e98c25b6f6cf658df19cadaec99

SHA1
fdbca680349b6c320d09062464bf324a90a7d913

SHA256
a11c95a54f9ce55196c4a909830df0f444566a1e65612d32ebe0ad9c22da7d7e

SHA512
f95feefc82aac69c42f7925039fb19b3ae900b00a9d31678cab4013d22d80d8562c816a2a84f004beda26ea108febe527648d7d5651ff60c625b65a918049e19

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
184e09ad1b4b174821935b1b14102fe2

SHA1
2cc439782c88b790a8ff68b0215d1c3f8fcbfa3b

SHA256
91102063c8b6943cc6756efbb681e4a3971923c7578bdd16ed695cb8f46d37cc

SHA512
4d09737c07222c2a66670e784f8025b17021df901a2d27ad2c5acfe6333b0276dba8723698b97ff58b2d168e7cc9c8142b4eac523e5a4c09978d7bb15401a9db

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.4MB

MD5
023481318dc3addb94fa4193ff45a80e

SHA1
79ae288bcbaa5ce84f32bb3857785d0dd0f25e34

SHA256
d13c5018a8c96f0065af0120b2bd8723883361e0b143567d4f4b03295b035f07

SHA512
1070f758f3b87f67e97a198c229f72c173b176e995b0385e512c2df9ea6dfad9d653628ff666a6671db10f56ca9566c68e5b201eada787ef9bd01ae8d3bed16d

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
a3ff972c05afa7115c75f567f90a6ff2

SHA1
0dad1f180b691964d4729beaf52e1074c5988197

SHA256
3b2876b2cc744d2868d2245ef82683c8cffe3d997e6480611f613d66f6786114

SHA512
504c5f6976155ceb288c0a4220eeb36e6db3b04474745c4f720e10488c914cda0d244b2938348b380895c4945a297196c2ba0e5f3fc8353c7dba13b820acbaf1

Download Submit
\??\pipe\crashpad_4484_ZAOHPGKGAZGNTZLK

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/456-133-0x0000000000400000-0x0000000000636000-memory.dmp

Filesize
2.2MB

Download
memory/456-229-0x0000000000400000-0x0000000000636000-memory.dmp

Filesize
2.2MB

Download
memory/984-148-0x0000000140000000-0x0000000140249000-memory.dmp

Filesize
2.3MB

Download
memory/984-29-0x0000000140000000-0x0000000140249000-memory.dmp

Filesize
2.3MB

Download
memory/1104-62-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1104-68-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1104-178-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1104-69-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2424-150-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2424-250-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3248-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3248-31-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3248-0-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/3248-9-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/3248-25-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/3396-427-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3396-154-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3396-436-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3404-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3476-218-0x0000000140000000-0x000000014024A000-memory.dmp

Filesize
2.3MB

Download
memory/3476-106-0x0000000140000000-0x000000014024A000-memory.dmp

Filesize
2.3MB

Download
memory/3476-107-0x0000000000B60000-0x0000000000BC0000-memory.dmp

Filesize
384KB

Download
memory/3768-98-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/3768-97-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/3768-91-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/3768-214-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/3800-43-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/3800-35-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/3800-41-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4336-57-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4336-137-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4336-59-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4336-51-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4480-84-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4480-73-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4480-79-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4480-83-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/4664-19-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/4664-13-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/4664-132-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4664-22-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4900-89-0x0000000140000000-0x0000000140258000-memory.dmp

Filesize
2.3MB

Download
memory/5164-230-0x0000000140000000-0x0000000140265000-memory.dmp

Filesize
2.4MB

Download
memory/5164-871-0x0000000140000000-0x0000000140265000-memory.dmp

Filesize
2.4MB

Download
memory/5256-492-0x0000000140000000-0x0000000140235000-memory.dmp

Filesize
2.2MB

Download
memory/5256-159-0x0000000140000000-0x0000000140235000-memory.dmp

Filesize
2.2MB

Download
memory/5332-171-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5332-527-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5436-251-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5436-891-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5472-189-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/5472-674-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/5596-199-0x0000000140000000-0x0000000140281000-memory.dmp

Filesize
2.5MB

Download
memory/5700-197-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5792-202-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5792-728-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5964-215-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5964-738-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/6068-219-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/6068-859-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download