b770983eb4e6edf112d09198d5857bbed0ac42bfa6ccba166c303c4eedafe4aa

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 03:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
Size

5.5MB
MD5

c2656eaa095d854ce980ee7e147efc8b
SHA1

7b1ef2f5b146528c8b08282ecdc84b494b53276a
SHA256

b770983eb4e6edf112d09198d5857bbed0ac42bfa6ccba166c303c4eedafe4aa
SHA512

b9945a4e2d58ba48eb4784d46c06edaf315cb64aa3b3956aaa4de30d342eee14003a085222d6dcadbf8cf40a74664b92b96a25e5b235926693f6783e8d8e9fd4
SSDEEP

49152:YEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfO:2AI5pAdVJn9tbnR1VgBVmA3C6Vp

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 21 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
2324	alg.exe
5116	DiagnosticsHub.StandardCollector.Service.exe
3156	fxssvc.exe
3656	elevation_service.exe
1212	maintenanceservice.exe
3976	msdtc.exe
4248	OSE.EXE
5200	PerceptionSimulationService.exe
5448	perfhost.exe
5224	locator.exe
5296	SensorDataService.exe
5340	snmptrap.exe
5408	spectrum.exe
5728	ssh-agent.exe
5844	TieringEngineService.exe
5936	AgentService.exe
6028	vds.exe
6112	vssvc.exe
5772	wbengine.exe
2132	WmiApSrv.exe
1708	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exeDiagnosticsHub.StandardCollector.Service.exe2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\locator.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\64417fa6b3e2edcd.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exefxssvc.exeSearchIndexer.exeSearchFilterHost.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ccdca043f8abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000144aab42f8abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009c985f44f8abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bcc02b46f8abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e8be8544f8abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000007e6e642f8abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

chrome.exe2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exechrome.exeDiagnosticsHub.StandardCollector.Service.exe

pid	process
3768	chrome.exe
3768	chrome.exe
768	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
768	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
768	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
768	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
768	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
768	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
768	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
768	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
768	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
768	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
768	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
768	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
768	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
768	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
768	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
768	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
768	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
768	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
768	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
768	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
768	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
768	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
768	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
768	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
768	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
768	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
768	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
768	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
768	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
768	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
768	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
768	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
768	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
768	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
768	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
2940	chrome.exe
2940	chrome.exe
5116	DiagnosticsHub.StandardCollector.Service.exe
5116	DiagnosticsHub.StandardCollector.Service.exe
5116	DiagnosticsHub.StandardCollector.Service.exe
5116	DiagnosticsHub.StandardCollector.Service.exe
5116	DiagnosticsHub.StandardCollector.Service.exe
5116	DiagnosticsHub.StandardCollector.Service.exe
5116	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

664
664
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

3768 chrome.exe
3768 chrome.exe
3768 chrome.exe
3768 chrome.exe

pid	process
664
664

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exechrome.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4480	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeAuditPrivilege	3156	fxssvc.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeRestorePrivilege	5844	TieringEngineService.exe
Token: SeManageVolumePrivilege	5844	TieringEngineService.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeAssignPrimaryTokenPrivilege	5936	AgentService.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeBackupPrivilege	6112	vssvc.exe
Token: SeRestorePrivilege	6112	vssvc.exe
Token: SeAuditPrivilege	6112	vssvc.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeBackupPrivilege	5772	wbengine.exe
Token: SeRestorePrivilege	5772	wbengine.exe
Token: SeSecurityPrivilege	5772	wbengine.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: 33	1708	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1708	SearchIndexer.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeTakeOwnershipPrivilege	1708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1708	SearchIndexer.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

chrome.exe

pid process

3768 chrome.exe
3768 chrome.exe
3768 chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exechrome.exe

description	pid	process	target process
PID 4480 wrote to memory of 768	4480	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
PID 4480 wrote to memory of 768	4480	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
PID 4480 wrote to memory of 3768	4480	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe	chrome.exe
PID 4480 wrote to memory of 3768	4480	2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe	chrome.exe
PID 3768 wrote to memory of 4492	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 4492	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1992	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1992	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1992	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1992	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1992	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1992	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1992	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1992	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1992	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1992	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1992	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1992	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1992	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1992	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1992	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1992	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1992	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1992	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1992	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1992	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1992	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1992	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1992	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1992	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1992	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1992	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1992	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1992	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1992	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1992	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1992	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1992	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1992	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1992	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1992	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1992	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1992	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1992	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 436	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 436	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1884	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1884	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1884	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1884	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1884	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1884	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1884	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1884	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1884	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1884	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1884	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1884	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1884	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1884	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1884	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1884	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1884	3768	chrome.exe	chrome.exe
PID 3768 wrote to memory of 1884	3768	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4480

C:\Users\Admin\AppData\Local\Temp\2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_c2656eaa095d854ce980ee7e147efc8b_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2dc,0x2e0,0x2ec,0x2e8,0x2f0,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa06949758,0x7ffa06949768,0x7ffa06949778
3⤵
PID:4492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1656 --field-trial-handle=1876,i,1837266340705924100,7506252085414589412,131072 /prefetch:2
3⤵
PID:1992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1876,i,1837266340705924100,7506252085414589412,131072 /prefetch:8
3⤵
PID:436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2240 --field-trial-handle=1876,i,1837266340705924100,7506252085414589412,131072 /prefetch:8
3⤵
PID:1884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1876,i,1837266340705924100,7506252085414589412,131072 /prefetch:1
3⤵
PID:4788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3076 --field-trial-handle=1876,i,1837266340705924100,7506252085414589412,131072 /prefetch:1
3⤵
PID:4500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4424 --field-trial-handle=1876,i,1837266340705924100,7506252085414589412,131072 /prefetch:8
3⤵
PID:2672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4704 --field-trial-handle=1876,i,1837266340705924100,7506252085414589412,131072 /prefetch:1
3⤵
PID:2604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4540 --field-trial-handle=1876,i,1837266340705924100,7506252085414589412,131072 /prefetch:8
3⤵
PID:4248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5000 --field-trial-handle=1876,i,1837266340705924100,7506252085414589412,131072 /prefetch:8
3⤵
PID:740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 --field-trial-handle=1876,i,1837266340705924100,7506252085414589412,131072 /prefetch:8
3⤵
PID:5016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5200 --field-trial-handle=1876,i,1837266340705924100,7506252085414589412,131072 /prefetch:8
3⤵
PID:4208

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
PID:5392

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff78d6d7688,0x7ff78d6d7698,0x7ff78d6d76a8
4⤵
PID:5468

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
PID:5508

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff78d6d7688,0x7ff78d6d7698,0x7ff78d6d76a8
5⤵
PID:5532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 --field-trial-handle=1876,i,1837266340705924100,7506252085414589412,131072 /prefetch:8
3⤵
PID:5600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4544 --field-trial-handle=1876,i,1837266340705924100,7506252085414589412,131072 /prefetch:8
3⤵
PID:5616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5468 --field-trial-handle=1876,i,1837266340705924100,7506252085414589412,131072 /prefetch:8
3⤵
PID:5752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5128 --field-trial-handle=1876,i,1837266340705924100,7506252085414589412,131072 /prefetch:8
3⤵
PID:6128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=4364 --field-trial-handle=1876,i,1837266340705924100,7506252085414589412,131072 /prefetch:1
3⤵
PID:6252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3920 --field-trial-handle=1876,i,1837266340705924100,7506252085414589412,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2940

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2324

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:5116

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3964

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3156

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2080

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3656

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1212

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3976

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4248

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5200

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5448

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5224

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5296

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5340

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5408

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5728

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5844

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5948

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:6028

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6112

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5772

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2132

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:6492

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:6532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3736 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
1⤵
PID:5792

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
Filesize
2.2MB

MD5
eb4f9af8bc25edfa8d6498a5e21bb8e9

SHA1
c34c7128ae7a7945533b3c12a344e4bc557a07db

SHA256
0342312f0dbd461286d0c60891f5c38a17af40a2760074ad066dac0dbe717c33

SHA512
79744411c7425cc2cbad10db582ae4d8cc396902003395b420decc0d5c1a683cfae0964620ffed4ab011c4a0066b64813b0541fd23a68f373ec55696e472cfad

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
d87a7be41cddd16019676285af626f0a

SHA1
5b6f736b765f875c4adb77a8ae405354942508d2

SHA256
84e9e3afaa22845f5ac18733685411954bf1b6c985540cb5d8717fcfedf64462

SHA512
8e9b019e94446496695c2429d66616b92b04029afa5a25fcb403f2b98bf70900d7d7f6673afa2f4fc0eaf4591558ac19c9b6a93380821fafb8934e7d570b63e7

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.7MB

MD5
1d0d05e023eea6be0c7ee18d2a6feedc

SHA1
78020602367cdb4602d4935ef2944ce3bc881b4a

SHA256
0e92023bf4a77c4a874706e691340628a823bb1a28f7de603ffeccb4808387c3

SHA512
69d3d2f8101461e7c1ae507868d943928a73bb1cf8fc674caf5dc8db8b1a87c7054c96f7e2277fe2874f184a1d01e7f05544e918e36947f513769d6a73582554

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
c97f40f98f684bdb38e6035f1557bc6b

SHA1
2593606b35d28c95c3a1588c0dd6fc60e7c30c8b

SHA256
2779cd8a8b66fec24affe0c38cd6e7de6e7f76e86662bd121f33c0b66eedb295

SHA512
1e362a5def278e9ca2b6c81dee122c7c6e889c955d90bcfa664e01c1fbe5e899e1d291967398deafd69eab74250c49849287cf475b25e66c94ea6cfff04f9184

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
215cc864a1c42033d1a48e4c090b6bb4

SHA1
797a5f7a46f0d92ffc0a4034105ddb0f625b279f

SHA256
a901ce2b5ab718b4cbc445520fec13369adddf4555152ec2444463617f1d07ab

SHA512
0bac12eb82d4f77fa8edaa2b37da55b1cd58ecd57f8d7672111a32d566a669b86f438e7fdd3930f0ac90a0ca005b946be97d9a564907bfe75065baaee59075c7

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.2MB

MD5
afebb4b926ece7205c03341f166b0d6b

SHA1
fc9b6a83766900b7677b53ed15a0b76cbe303ed9

SHA256
9b75c9ff60074a4bdcee45e2d5ab5bb236bb366144fd181f56bc2ff92b177cec

SHA512
48a347c65fa2bab6f83ecd106a49ba3a2155d37d9422fec356da7e550ebddc481c8f5d0f3ed5e768e5cda705f10b6e15c2124c9f1314a05234a9e365b975d236

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.4MB

MD5
d8b15884775fc570484a45953c4d5cd5

SHA1
342c399d7c6fc5109eb047a548d1738449d9fa4d

SHA256
295131be9a95a0ada74932aa50b8710f0fba0f4deeedca2ae37b5f4bd2cf986c

SHA512
7eca4dc8d3f85fa986adefa63b71157a8f0625c3e8195910ff22219c9fb79b6ad88e328f051a74befddb7e9ac681f7d7956e2bbd222be749cd0f641a442c3f0f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
5b871587847c5b41b2373e0797caa404

SHA1
94c0f21e8fa028e98000300b21b82767bb6924e0

SHA256
e9a5235c9e08f721aac715bd3949a8282c69b65b1c05d3c07c3a661441a30b97

SHA512
58730e99f425207a1c084cbeed49db79ace34c948412ef7b91f7b2b4c3ec3f65f0a5914329320dea01af173e3c1bb5604e0eedb7743de9e32bcaca7f75970999

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.5MB

MD5
74ce4b816d0e1113344da3a0da81af43

SHA1
5a9b6e9c98cb4db04c6e1a812a808f79b0d10dd5

SHA256
df84fb85595ca7c15bdef007fef8c01ccf92da8471a6a150fb592b44989229cb

SHA512
d7a26f19ebaccb8e355c498873ec4b9b7aea87eff071cfee5c9ccc607c4c727280cbdab7d4fa02439a8459928a531075d2c95ef4c7838f6a1ea8431ce400c973

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
67907785495c12a74e55d20db6f9efd4

SHA1
bb0ba2f4c63ca00539a00d514c760ba5e22a98df

SHA256
1d4c19a471c3c3f3dc3370fd4cd836201d09281bfb4fb2ea4b7ba127b62fac20

SHA512
87812f206b6ef00e385b4e144c307266b52a766d8fdc13a91c8f7bc4660a3f1c7bb2856c50068ed050d405b77ba62a9e6a7bfe4a608714bd61521dac87d94481

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
118249f944040fd923c9b3b8336e1608

SHA1
92cc30d306ee3d2fd001088293333a2534c9934b

SHA256
eca2d00d46effd1c430ccbf1aa2b1bf59e27670a80b7b57c90c20af46e912460

SHA512
9ad5f8f5c1c00b9a7b7ef3e475666b5b14ed7582b124654d2146d29a4a1e4ede890c9e720809cc54fb9b9c3e697f56dd6ff5bc82d907052d90e07783a7fad660

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.4MB

MD5
2e5ab44b2f748208e7edaa94bd33fb6d

SHA1
f0f88747e004e2c9a864238de8565b03e745753b

SHA256
abaab43b4cf376cc2707bc7110bfce897cf633854137e91e17a3c76a2a1712dd

SHA512
ab867766441828ef409de1119a375fb0b759fc3582b083251efbdad50a53f76deb0e78076575d243e8fbc1be3fb1224c7b927430bad3c306858d33de415b9efd

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
2.1MB

MD5
d68b48509accb6d03b1b9301d655972c

SHA1
170823d5dee5421992e3d676ac59b6a71e23db5c

SHA256
595bdf9248d52b229fac84be2936346d47d7c0cad1e3e6faf11a00f5f98d0a5c

SHA512
4844f59a8654d2768d0353119239301414d08e0eadd041d8d5ccb09c9cd35cc9a77166622beac6e628e06b651559989f2756c25edb7444a8cd931ccdb5a3375e

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\de81d134-7f83-4135-841e-7fb38ea70de8.tmp
Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
f0bc2752dc88152e6fa661c315486433

SHA1
72101a011c23cb3e4f08c6a6e79e3802cff3aa43

SHA256
b890c8b9cbf273fb216a50ae073947b8ebb333ecbede0fbb43f49a89722cd848

SHA512
59cc0e0b946d8000c0dc3f4d1cfb226c39ce835792ec146dab347321a5507ceb7d0703aa5688fe5dea0c6b80959ed5242789a10ee7dca9b1d876cde9e692841b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
85cfc13b6779a099d53221876df3b9e0

SHA1
08becf601c986c2e9f979f9143bbbcb7b48540ed

SHA256
bd34434d117b9572216229cb2ab703b5e98d588f5f6dfe072188bd3d6b3022f3

SHA512
b248162930702450893a112987e96ea70569ac35e14ef5eb6973238e426428272d1c930ce30552f19dd2d8d7754dc1f7f667ecd18f2c857b165b7873f4c03a48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\en_CA\messages.json
Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\dasherSettingSchema.json
Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
a645be0ac2e059bb3a02ffc78ef31e45

SHA1
31bdce2ff710115fc43b4bd892a96cf96280e82f

SHA256
5f8936a4a6aa32f7e3138e79f9dacfcb67cecb8ca1489eeacab9ad5d8f5f7676

SHA512
dd89d14a4f15d4787e275cf628648184f9a6f32706bbee6036737b29bdac4b96700e9b013b6b29ac2338f462a2fa4b9ed59040f6907ef3f2da1959c6a557dff2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
369B

MD5
a8aaf45d557e7196115efad56605ddf2

SHA1
1b1b0900d04d46ca4650198922f984d41778b5cd

SHA256
7617363951b6ce8786a58571eea23aba2cd1e908b187e3fba17fef4b12a89ae5

SHA512
f15e2627b567af45b311d3d12aae0eab8e4a316cc934c1a4fed44308dad2f7d3c1241265203d35e00bfd63beb076870c2334ea0c5b8a9343d666dc265a6eb01a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
694f912b96438b426b1e958e2efa909b

SHA1
2d318b43567c5833f84b16f7cb1e4617949d604b

SHA256
434ffbc2aa32da8a625029db562178abc14963a7f656387547f4341e349edc5b

SHA512
f85f2dc989550d164608884bdbaa648b1868263430b9e9c079b298a052037355d7b1dbd276173d50f4b28b974dc2c381f1c97f1e13594e444bcbacf576befca5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
893e14f12a21a4fb7b82be3998ccdf5d

SHA1
119c55ffb5a50fe11dee9f7fc48809d0b22ea68b

SHA256
78f41f65f6ef210897ef2152a45012017a416ed667af1f9a4239923d072e61f2

SHA512
4183ddb3d1232c08415840895c51e18f29ef892dfec802ce6532fd5c60b8cf51f2e36e97d65234660f90fcd4b2879ee506f7ada5fef1532f91b8e2cc7f4ff707

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
ff1d814acaddbc500e9472b4ecf4c70a

SHA1
de20bd995918dc37bc4642d5cfea7a48c939166f

SHA256
cef2b4ed2f120dcdf560c3f61b92fe5c24995a7744182d7f9e64ab6de1e9b12b

SHA512
862308d3bf1a1e2949fa9e70f8fa9153f800d2472ef942880cddf1280f804bd87ce1cfe2e6d689171728912e8ef47b411d83a713b384fa65942bf9c0b3861f32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe581cca.TMP
Filesize
2KB

MD5
04695aadffdaf28b5be826d27d48721a

SHA1
ce79df7c80926a86b0e1a922a05bcab16c7620c4

SHA256
0bc76b0a74faa8d4d25cfa28127c42750e86004af7a10d590e07a33a89726b51

SHA512
aa3438c4a09ea9c0c52dccb6cba636ac99c11b47a5b78317869823d6c39bfdfa304f40e67867b8ca9c4269efaba12431ae59a1d54c671f38acb9e4fe3d23da54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
10KB

MD5
169c59147130bb58ea8d35d78289c85b

SHA1
cb476010ae3b820092908020890fbafec5d9ce77

SHA256
17267289009a1189346107db31399a0f2b308e04a28e0dbb6cd1ea6572c24b55

SHA512
246ac6923a1780fec5dbc1ad32861e2ca795bc34e32f52e90f3ba9340d044e3fc5dd0d310530786167aae5cefa50065a529982d29c220dbd9f099fa948472d97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
13KB

MD5
862fbe2251f798155941ff9db674b817

SHA1
349dbef3e731db5b37dd8ebcd17e7c5dea27e785

SHA256
ba6d1b411b638f4349ebc5abb5df0ab12328932a5d5a5de9bd6cb7220b739405

SHA512
1f8de14c413577ef8b8b8531761b01e4ef969b965710cdd328d2ebc48d72f4995d3ba981540fa52d1b08b2470b175ce7f0749a8d3384ee12eefca737c584cac2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\d6ac7591-d242-4e80-b9fb-542cf046076d.tmp
Filesize
4KB

MD5
953b70abff5ceaad7ae6b40b1f033948

SHA1
c33dbde50459683be24b6c6ffbafea27a68fe05a

SHA256
16fedd85f9194275baa76279af36b0b8880404b4ff0ae67dfefd3b90e4c72386

SHA512
66001c7b2057193020b8505a96a614d6e83922daac54d98ee47e0c65daefa27e131450f1537df6e96fc431e1a02049c67de8f908c200a35f0b627e1d12fc57ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
268KB

MD5
d0e8b57b5d47bbd905999708b59caebc

SHA1
065ed3b29f6ec898a7a9b35f4d877ccc5febf428

SHA256
21449628ccf6eedb40560fba1e2d116bba5a1fbd51eb30d6a09e62d6bb9812fa

SHA512
31b48238b91adc3cdf5323a44fcee86fd70790ac463b2c64c8ce962c0ecc22891458cd99bb9022bd703561886dfa1d55f0b301dade86a3223b45a99b902a8434

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
4KB

MD5
91f23c7543facf7100389b122582ca76

SHA1
0c968b969d62f55928b2363233b728a48c9a5a88

SHA256
499942fcc44c7844a73d36f758a1010094af5feae2cad74311e858758ccc2b98

SHA512
52e6726a98115f680d6db58d85787c9cd1a25612981239b82b47885d4c0e82e85ba7c890c077474a8348abe917e0d232ad9bd3d2ab119c4a238e1863f25140eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
6KB

MD5
4aa3fc49f523932bb3d4c3dc7b85ed89

SHA1
221a6c2835d7fab16e8aa8975363d3388803d830

SHA256
f49a77e652a736187550a9224d784dfe2115164f653aab6403df87f82e160ab9

SHA512
84fc053038c60c75a494dd9e4d8e2fa025da1a813f51ec5d08c98ac93d50ea820c6058baabdcb7981b832990c1bb469f4147ea60809b8fc16dd7b4fef1e00c12

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3768_725967890\50cdf7b6-def7-47c7-b325-3645995edd4e.tmp
Filesize
88KB

MD5
2cc86b681f2cd1d9f095584fd3153a61

SHA1
2a0ac7262fb88908a453bc125c5c3fc72b8d490e

SHA256
d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c

SHA512
14ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3768_725967890\CRX_INSTALL\_locales\en_CA\messages.json
Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Roaming\64417fa6b3e2edcd.bin
Filesize
12KB

MD5
f6843c250e1ca09b45b1d7d5ec56c54b

SHA1
aceba355ec8621f13f90ac2b5cfac8e8e1bfbce3

SHA256
3eeb7dfb0e72792cd58464dd208ea574afb7511ec36d0ba39453f04476fbf7a7

SHA512
082e82f5c8ef5d60cba6ba2bc3b7442abcbb8ee3275b85c421564ef62e47b80227aba08a7b9638ba3bf994114da228a857149e64fe2bdc339195612f64da93d1

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
c2df642530e09826b91d159b85f3ab85

SHA1
5e24bb255e7a583b1a35f18c55fe6d3ee2895f65

SHA256
0a70d9aa29ae719fc735a6d1b0bb268766f437c7187c64da073c644f5e424cca

SHA512
83b52643f51a2b49176d81a5e67520ac43f394ee76436e74af01f1204647b429853f81f6b39be178c72624ae524457155b93aa0665cceecc76c4b6f07c96e2fa

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
b25de3ae682d4e723dae29cf7e055b0e

SHA1
60fb343cad51f3082c3338fff0c5277b6da175b4

SHA256
c74ff78c59e4421738d622196ca4f3c8932ff5ed728a22f00c35efe849cfc1e9

SHA512
e08ded5664be9210b2797bd2ce3905f36aebf25e83da3c9c82638639d941cde381b3e90adb2ad87ee58830df9e9a50d796418c3c943910d26d6d4d1c8a6c5bd5

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.3MB

MD5
81ff3c23f4d2b03c400a3970b6422aa4

SHA1
f8291005cde058ed26045a389d5dddf02ac24074

SHA256
65d58c2b85e0954e16e4e83e3fd7ec8759fa7021740f83d2cf6c2ffdc715d06c

SHA512
0bea986c91b4d7b2e26a61b72c3dac4b427163f428484e9d957d6804f1729d63ff7f69662144b867668c1f3020248ea61250b78168dacb7ae2c3d54dec5e1831

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
a47247d65c047e608dbfd938be863071

SHA1
e1a05652f293ac876d3662b5d3481b76f3212738

SHA256
7a0b06c19f18b2d6924fff090099388a19decc340c79c083b8c834dfba7f7384

SHA512
6466f56c05a457860fa2b691197aaaed7939bb9f7940b15dd50e87fc6700c9f1c21f596b826d540d06c531d97fa45bce6e0dd9e0a2f01cf1fc643d4ee7fff961

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
747f2103143e25d112dcb87a043b8135

SHA1
6d146bcdb2ffc04114ccfd389e2f5926e36b8ef9

SHA256
efd6f41244e26b060df88942268e90f742c8902655012142cbbb42e003191f18

SHA512
25528184f3271cd4c8181b112f82dd3508a9ff261106ee6cc93b1295a4a900046a8e0c3a0c7146985313a3d8848044aa08ea94466f045b50abb34a5b7c34b631

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.5MB

MD5
7e29b74e67d398383c892d1439489a16

SHA1
462f33d259ee5d7ea33fc73bbb8461a2e85663c3

SHA256
88f531ebc4e7d3fa6cd84f9079e637700af71d2b69a5f551eeab599866657e5a

SHA512
45d02ae57f98b50eadba9d51a5418fceeda24179cb18826d18c211bb4816a5eda911f18119b4513d669b96f3f615e46f6fa347f038692daa138b5f67808787bd

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.3MB

MD5
ac38b69a183329b2298c73346520d31c

SHA1
f656cf3d88f9266a5d796255a1eee2a5f4d92eb0

SHA256
b79f6824de5c69ff20ab5cb1934ef54b6192232c11a568b7729c7a47f5d1ce93

SHA512
c0f692b9ebd6f68bc7f265ce6c76040356ddc947fda7c630a45705cf49a90f04dda0733fa459ebac2bd0dfde0e29fd200a8db724321e257028d3ca33bed7a4af

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
7cf0eac7ba3bd4beb29885b018dd117b

SHA1
8c40ae589c177e50a7b3088e485a015341c3aeed

SHA256
466c8b991c081118b6596c047de768cc8c807886b6e8c37cf5eee8f5f294696b

SHA512
081fcc02aaca519b8d4d23fc806d7541242a09b73b5a771ab17709bb9dfb0e75a5cf729137696b266362b4989de073d0946e2b78bc8a82a3e34e6c217b73fa1f

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
cf7dad281eced1051f1147b7c1879ba8

SHA1
be766319ce372bfc4c617630c23e4b9e8992ed9c

SHA256
f06e06500f902404cd9407748b2e199b13df7d550403344b94354f9d2372b570

SHA512
b16fcd51ce2397e77870f5d94690b52bc1fcd350d8e9302a2ab73ff5ad4e20f97562cba2e4f65a691e4fdc98444378b9bc1350800c06a4237d33d9b74a0d522f

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
9c0876ba3a52f4df8e2865871485a8d8

SHA1
478e93699d2c8d931fcc8521e4567b23e6adb579

SHA256
6eb0e8d42cd81951a9ab5930f7ea0fcd3b7634b1270654114b30ed66303300d2

SHA512
4e2ddf3a1004c7543dd77648cbde887cf2bb32003011e660eee6cab46e6a72eebfd280c21596b1ab55c2fdd9726efcb0853c2cf7c345a4b7098de61eda2b124d

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.5MB

MD5
b4c289df41747938f073948723565f0f

SHA1
4f26165c1d4f3a204fe29e21c1005f1f67e02902

SHA256
aeb907b91553fd672a65bb39681d78dc00239e7e614a8c622bbfd7b18d91f84d

SHA512
7a737d86deea7fb86999e22326c133619f40ba605e5852a03a002cd40dc8a646af8df2cb06e2a57e704fe2f6b68f0e3953a1d97a96d749528970f29b9c8edf36

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
91cf00d177fc036f1636bc331d23a168

SHA1
34e91b30175c80f4f861bfffc78646b27c58f8da

SHA256
d2f1a5f82877fe8e0ea5aed98863e8737e7960bce8821c5f0e5794cd16edd35b

SHA512
e77473177570c610d905afaf1ba582980b05d3992be04e41580aa93970f030984030de0d979eaf36f60626ddb95abdcbe0335c57e22c0a61bb7846dcdf01203b

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.3MB

MD5
2ac9e13bdcdaa002db0aa9bd93d2f398

SHA1
41fe7d94bb9a99073e8c07df83f6ce205a55f2d0

SHA256
480430fdf22b6e601ccc22e57a77ce4ed7a6194c5736211f98ab34b855e9efc0

SHA512
eeaa8ce76900f18736a2f2f2800f59b8c1a24774f6f706c6762d27e0727601a8aecb5c6c990dd5d1787948d85615fd56e02061b32911b78a26cf06d542a10445

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.3MB

MD5
69940a8f1955c179d9dec384bedc5a84

SHA1
77c55be3bf16e52c9637776732993718db413954

SHA256
e2266565db9ea612a7cc4b553d16cd400d222331f044cf60c372f0ac8e20ca87

SHA512
c5b6f1ffc6d58f2b36a2640626790985d071b51b1364e5b6e7951bf7f26cb8786e98cfb882d96f2abd68f580e8f88029905cc6f9d57986fe9055108b3c941665

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.2MB

MD5
6164dc4bf25d7394d3b0fcc3434f9600

SHA1
682c9a5fee504db844a748c21b3c0690741ad525

SHA256
c9d7a7dd5a26034f757c7807e42cc1c9c4ad043508d89d6924ed13242b199557

SHA512
c5f3de06b4cea29b72fc8baf642fc876a06e8a03b9706d034c64317d09d746f3a1964743b1f27954531a47e7f49e26cc1ab1a43d827e80cca319bb128e9f5130

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
d4846238bfce28eb315bb8c59a40801b

SHA1
9ce7bfc013366fa82df6e8f1bc019b67376e02b6

SHA256
40242797ca84ea5ae7fbeb54c5998f5ec63ca3e061af284431bbf0c590a1f2b7

SHA512
4b69eb1d0019cf57d78ec81554b6fcb5c3fb6debf843569b386a0707f95ea726daea5a8c986a8e9eed520c33d2ac9370e2f2055c5b09ce1b650b34378fbd917a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.4MB

MD5
d4e3d216e662989e80afc5f4370b072b

SHA1
c6274c3d7ea441e3ff79e29f4d6493abbd7a0def

SHA256
c54ae2e2befa16355849fae979184dce32b78eafa935c6fc44a76558603e0fee

SHA512
a83d1fd12312cbc163fd538431ae828fd43b0f81422b9f9c949820aab162c350f31df8bb8987b07f1a8138cd7001aab6630d9822390816ffa8ed119b6826be44

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
ffe95626727547a4eb73e29895f8e869

SHA1
c58beb41024041c07c6b3aa9ef4b9dfe519e87ad

SHA256
96bee0d71fea9b0fc6bf9fd240493c1b01691d7a9f70f9d5b59d4336786d6c1b

SHA512
d96c5b7587e3bdac7af70037e3339df60e5f942c47de65faff27a590c831f460b63d96d8fea557a9f732f769c889e6743b5b42779de362b124732e7952536559

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
0e1a0df5323f02fa141b11070035f203

SHA1
4662c48107aebe02429f78dc0ab4328f88ea9e8f

SHA256
169bdddd028372b9c8dc1bbc8bc1a48dce9089467cf7c3b5967ebc20713b1bb7

SHA512
5ef418e1f48b459f21f15f8462fceebbe5da2e16ff4cd02a614a6a508c1a9e28527c0d0778840600c85ba60d412de91e754b3aa0173ac4db70460367a2abc6e5

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
e278c9d8a97ed9ff0f6fe736a41be685

SHA1
3b321018c60a1042fe6b590bc309500199f74293

SHA256
783a18a900efcedec5682f0c1031666b3aa34ff323a7c0d8f22a3591ae041c60

SHA512
eaf321449f7f24b84f1294a88c2034e97b7d461c355723a1ad3e62ecf2af160fdf58ccae4c9ee315505ff43f738288b7d447c0e9583023851dc310c6f4e79d6c

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.5MB

MD5
6040aa827933be46213693006dd1d196

SHA1
513efbe8a1b4985c9bf5c9a4d245ba178cf4033e

SHA256
370915721c975c3cc34245808962b4009290355f5400a7a817aab04523736729

SHA512
6c0ece80736844d101a35357bf5873dd7f3230348db18a18a362f294bb5f367e946d9afda6b6754e2807c9b834258d1c32205dee121e3ebda2be00f302b85a04

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.2MB

MD5
e621bdfbc2a71849806e00e5da2949c1

SHA1
9f391dee600bc1b929e0a40abefa539cd3f0ba3b

SHA256
9930dcaa34b766030150a5a50dc6fbfee77c865f6300832b9eef698532bcb9e6

SHA512
098b5dce67ad07d810a5659bfbab5f978ff72828164debc09213d44c24ca1660108ad66cd2e9377ada3696c8b4438ab75d6b4e5b412ff021480fd284393fb001

Download Submit
C:\odt\office2016setup.exe
Filesize
5.6MB

MD5
865cb6d13d831628b111abd1c95a22d7

SHA1
02a46adabd1e6b90b2ecce565424c18db4e9c641

SHA256
c41d18dc0733104e5c44d2baede76caed3cfd77fc69f6242cf20e80c673dbb74

SHA512
145a1cc0d9a5350fef43b61cfd46409812838c01729288c435618edb57e9f02d08b481bad48ee78d127f1c14106cb3afcc6b871c7d1de000c4a7f53c1ddc875d

Download Submit
\??\pipe\crashpad_3768_TRFJHSXBWKDDNOLP
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/768-16-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/768-96-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/768-10-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/768-20-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1212-78-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/1212-89-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/1212-91-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/1212-86-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/1212-84-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/1708-364-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1708-881-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2132-355-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/2132-867-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/2324-25-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/2324-171-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3156-63-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3156-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3656-311-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/3656-67-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/3656-73-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/3656-75-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/3976-331-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/3976-97-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/4248-126-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/4248-125-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4248-118-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4248-336-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/4480-21-0x0000000002090000-0x00000000020F0000-memory.dmp

Filesize
384KB

Download
memory/4480-26-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4480-0-0x0000000002090000-0x00000000020F0000-memory.dmp

Filesize
384KB

Download
memory/4480-6-0x0000000002090000-0x00000000020F0000-memory.dmp

Filesize
384KB

Download
memory/4480-9-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/5116-37-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/5116-43-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/5116-36-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/5116-285-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/5200-142-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/5200-345-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/5200-133-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/5200-136-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/5224-286-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/5224-354-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/5296-292-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5296-363-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5296-567-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5340-296-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/5340-543-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/5408-299-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5408-589-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5448-172-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/5448-276-0x00000000008B0000-0x0000000000917000-memory.dmp

Filesize
412KB

Download
memory/5448-349-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/5728-654-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/5728-320-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/5772-350-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5772-864-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5844-328-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/5844-698-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/5936-334-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5936-332-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/6028-337-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/6028-832-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/6112-346-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/6112-852-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download