070208d7895840a2174905138e9453587232923b22369364a24a4f13faa7c19c

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 19:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
Size

5.5MB
MD5

a64f5a101715f04615be2f42ccbfc2ed
SHA1

9e8b82b068d359be3e2cf4e262f532e7aee5c03e
SHA256

070208d7895840a2174905138e9453587232923b22369364a24a4f13faa7c19c
SHA512

8e15ba703817caf0e9e61af0fc14ed1c10ff28d037260b66ad0793cb288a77dd880c2768ac6a9497969d8f9b16fc1fb032f6051321398ed5194ee052d9c5266b
SSDEEP

49152:DEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfG:fAI5pAdVJn9tbnR1VgBVmyyD9Ea

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4728	alg.exe
5108	DiagnosticsHub.StandardCollector.Service.exe
3744	fxssvc.exe
2900	elevation_service.exe
2456	elevation_service.exe
4572	maintenanceservice.exe
4452	msdtc.exe
2516	OSE.EXE
1656	PerceptionSimulationService.exe
1976	perfhost.exe
1592	locator.exe
5168	SensorDataService.exe
5272	snmptrap.exe
5348	spectrum.exe
5464	ssh-agent.exe
5624	TieringEngineService.exe
5680	AgentService.exe
5720	vds.exe
5836	vssvc.exe
6012	wbengine.exe
6068	WmiApSrv.exe
4044	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe

description	ioc	process
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4e73bcb2b3e2edcd.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe

Drops file in Windows directory 3 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exechrome.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005ed726fd0daeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000052aff2f90daeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000be482efa0daeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000807be3fa0daeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000009c7c7010eaeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d140be010eaeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000044b784fc0daeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

chrome.exe2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exechrome.exeDiagnosticsHub.StandardCollector.Service.exe

pid	process
1548	chrome.exe
1548	chrome.exe
3552	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
3552	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
3552	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
3552	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
3552	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
3552	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
3552	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
3552	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
3552	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
3552	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
3552	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
3552	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
3552	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
3552	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
3552	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
3552	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
3552	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
3552	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
3552	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
3552	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
3552	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
3552	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
3552	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
3552	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
3552	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
3552	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
3552	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
3552	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
3552	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
3552	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
3552	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
3552	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
3552	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
3552	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
3552	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
6820	chrome.exe
6820	chrome.exe
5108	DiagnosticsHub.StandardCollector.Service.exe
5108	DiagnosticsHub.StandardCollector.Service.exe
5108	DiagnosticsHub.StandardCollector.Service.exe
5108	DiagnosticsHub.StandardCollector.Service.exe
5108	DiagnosticsHub.StandardCollector.Service.exe
5108	DiagnosticsHub.StandardCollector.Service.exe
5108	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

672
672
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

1548 chrome.exe
1548 chrome.exe
1548 chrome.exe
1548 chrome.exe

pid	process
672
672

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exefxssvc.exechrome.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	772	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
Token: SeAuditPrivilege	3744	fxssvc.exe
Token: SeShutdownPrivilege	1548	chrome.exe
Token: SeCreatePagefilePrivilege	1548	chrome.exe
Token: SeShutdownPrivilege	1548	chrome.exe
Token: SeCreatePagefilePrivilege	1548	chrome.exe
Token: SeShutdownPrivilege	1548	chrome.exe
Token: SeCreatePagefilePrivilege	1548	chrome.exe
Token: SeShutdownPrivilege	1548	chrome.exe
Token: SeCreatePagefilePrivilege	1548	chrome.exe
Token: SeShutdownPrivilege	1548	chrome.exe
Token: SeCreatePagefilePrivilege	1548	chrome.exe
Token: SeShutdownPrivilege	1548	chrome.exe
Token: SeCreatePagefilePrivilege	1548	chrome.exe
Token: SeShutdownPrivilege	1548	chrome.exe
Token: SeCreatePagefilePrivilege	1548	chrome.exe
Token: SeRestorePrivilege	5624	TieringEngineService.exe
Token: SeManageVolumePrivilege	5624	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5680	AgentService.exe
Token: SeShutdownPrivilege	1548	chrome.exe
Token: SeCreatePagefilePrivilege	1548	chrome.exe
Token: SeBackupPrivilege	5836	vssvc.exe
Token: SeRestorePrivilege	5836	vssvc.exe
Token: SeAuditPrivilege	5836	vssvc.exe
Token: SeBackupPrivilege	6012	wbengine.exe
Token: SeRestorePrivilege	6012	wbengine.exe
Token: SeSecurityPrivilege	6012	wbengine.exe
Token: SeShutdownPrivilege	1548	chrome.exe
Token: SeCreatePagefilePrivilege	1548	chrome.exe
Token: SeShutdownPrivilege	1548	chrome.exe
Token: SeCreatePagefilePrivilege	1548	chrome.exe
Token: SeShutdownPrivilege	1548	chrome.exe
Token: SeCreatePagefilePrivilege	1548	chrome.exe
Token: 33	4044	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4044	SearchIndexer.exe
Token: SeShutdownPrivilege	1548	chrome.exe
Token: SeCreatePagefilePrivilege	1548	chrome.exe
Token: SeShutdownPrivilege	1548	chrome.exe
Token: SeCreatePagefilePrivilege	1548	chrome.exe
Token: SeShutdownPrivilege	1548	chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

chrome.exe

pid process

1548 chrome.exe
1548 chrome.exe
1548 chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exechrome.exe

description	pid	process	target process
PID 772 wrote to memory of 3552	772	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
PID 772 wrote to memory of 3552	772	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
PID 772 wrote to memory of 1548	772	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe	chrome.exe
PID 772 wrote to memory of 1548	772	2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe	chrome.exe
PID 1548 wrote to memory of 4196	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 4196	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 2672	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 2672	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 2672	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 2672	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 2672	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 2672	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 2672	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 2672	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 2672	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 2672	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 2672	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 2672	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 2672	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 2672	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 2672	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 2672	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 2672	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 2672	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 2672	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 2672	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 2672	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 2672	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 2672	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 2672	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 2672	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 2672	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 2672	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 2672	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 2672	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 2672	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 2672	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 2672	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 2672	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 2672	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 2672	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 2672	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 2672	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 2672	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 1760	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 1760	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 4364	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 4364	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 4364	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 4364	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 4364	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 4364	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 4364	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 4364	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 4364	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 4364	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 4364	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 4364	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 4364	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 4364	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 4364	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 4364	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 4364	1548	chrome.exe	chrome.exe
PID 1548 wrote to memory of 4364	1548	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:772
- C:\Users\Admin\AppData\Local\Temp\2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-05-24_a64f5a101715f04615be2f42ccbfc2ed_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d0,0x2d4,0x2e8,0x2e4,0x2ec,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffe8b759758,0x7ffe8b759768,0x7ffe8b759778
    3⤵
    PID:4196
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 --field-trial-handle=2008,i,3662271021512469403,12896288497628395164,131072 /prefetch:2
    3⤵
    PID:2672
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1936 --field-trial-handle=2008,i,3662271021512469403,12896288497628395164,131072 /prefetch:8
    3⤵
    PID:1760
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2248 --field-trial-handle=2008,i,3662271021512469403,12896288497628395164,131072 /prefetch:8
    3⤵
    PID:4364
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3200 --field-trial-handle=2008,i,3662271021512469403,12896288497628395164,131072 /prefetch:1
    3⤵
    PID:1364
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3212 --field-trial-handle=2008,i,3662271021512469403,12896288497628395164,131072 /prefetch:1
    3⤵
    PID:5104
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4336 --field-trial-handle=2008,i,3662271021512469403,12896288497628395164,131072 /prefetch:8
    3⤵
    PID:1380
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4356 --field-trial-handle=2008,i,3662271021512469403,12896288497628395164,131072 /prefetch:1
    3⤵
    PID:4740
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4336 --field-trial-handle=2008,i,3662271021512469403,12896288497628395164,131072 /prefetch:8
    3⤵
    PID:3656
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4984 --field-trial-handle=2008,i,3662271021512469403,12896288497628395164,131072 /prefetch:8
    3⤵
    PID:2136
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 --field-trial-handle=2008,i,3662271021512469403,12896288497628395164,131072 /prefetch:8
    3⤵
    PID:5748
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5412 --field-trial-handle=2008,i,3662271021512469403,12896288497628395164,131072 /prefetch:8
    3⤵
    PID:5820
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:5216
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x240,0x244,0x248,0x1f8,0x24c,0x7ff767c07688,0x7ff767c07698,0x7ff767c076a8
      4⤵
      PID:6128
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      PID:5556
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff767c07688,0x7ff767c07698,0x7ff767c076a8
        5⤵
        
        PID:5972
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5296 --field-trial-handle=2008,i,3662271021512469403,12896288497628395164,131072 /prefetch:8
    3⤵
    PID:5476
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5568 --field-trial-handle=2008,i,3662271021512469403,12896288497628395164,131072 /prefetch:8
    3⤵
    PID:5696
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4340 --field-trial-handle=2008,i,3662271021512469403,12896288497628395164,131072 /prefetch:8
    3⤵
    PID:5876
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5204 --field-trial-handle=2008,i,3662271021512469403,12896288497628395164,131072 /prefetch:8
    3⤵
    PID:3044
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=1680 --field-trial-handle=2008,i,3662271021512469403,12896288497628395164,131072 /prefetch:1
    3⤵
    PID:6044
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2956 --field-trial-handle=2008,i,3662271021512469403,12896288497628395164,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6820

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4728

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:5108

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1732

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3744

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2900

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2456

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4572

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4452

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2516

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1656

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1976

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1592

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5168

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5272

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5348

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5504

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5624

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5680

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5720

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5836

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6012

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:6068

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4044
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5164
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:6080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4032 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
1⤵
PID:6524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
984838ea1820513d3c441d9ad1b33601

SHA1
e53315bbcb1b004c20d622fcf76eaf89579aa783

SHA256
9aaf1a12b7782d4fa22b5146c1c8f7e3f4af435ba4dfac65f7a9d5a5c578a6a6

SHA512
2d0cc0e1095a745717f94d6aa69979e1d02706b22d87b0d3126e463f528804e4fdc0241aa2aa8bbf342dd8599ecbd0b4aec5d4de95fc58b257573a39146349d5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
83a06c2ff16a011775f83d0f4734db60

SHA1
d7330fbe28cbed9bb71902f03671cffd75bb0b6d

SHA256
89dcc32741259252cb6384d6228ce2cbe6acb49b388702f660954585b17ea505

SHA512
25786fe6f25ce30dcd9a8f5a20217d9b2477d5f01549973edbb3aecdc03246b70b6753bd8699baebdc06a4e00f7bc8e5b55de3111609ba2047ae781a645f8c70

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
6508c32054dff0ed7e2c43bc9c5923b3

SHA1
a2d6564ab9f17c66e1aafd1b9567d5c43788ef38

SHA256
970ca13d3ca7521c16a6a0e5bccd5193ad4469cdf7799a70954e28964e4acb66

SHA512
58aeba816b9065b987102e2fd9ba1d4d119e4710986a2cc23b72b0584edd5116d9c68917ebf186c55e343d32194300c5c4d072f6307fa5ed3559f4dbc64db87a

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
ef423134a1f8f5f2570d3590c1445182

SHA1
750b95e7a4d3ac03bf09bd0e67a639df6bad31f4

SHA256
3b59671547baea19c23f9cd5d6d5e94ca205954917e0b1a5701bad3dc84219ae

SHA512
4a6d95ea9ab857ea1181ce65919029082a4b8c16aa2d622a11f7ba1558f4ae53580515b709932fa64cdc6a3c8f76341983ad79ac58d96fef3e1ca71aebf72765

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a56b1aef62c30a25783b44c9f4a88c05

SHA1
a8e80babf54dcc9b77a007afaa6be90cd09301af

SHA256
cbc836e19290a826aa501a6353f40e6e109eced2437f7ab293aff364ddcc1cba

SHA512
75e246f3950d62d57cc9ab6f1150f29cb4ff55bcbc0c4dd19dd48aabf3fa8e0bd22f206a2df35a5a762d3224c6f68e8a4b3a0801151491a5f613b88b25e35376

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
5cb2e61b36b72e320c8e4db2c36245be

SHA1
41fa2023ba0c9fd570f7e7ca64df99e9e0248707

SHA256
4053a0a596a1096ee879a9b23ab7250e84a787cf17bba5c418978dc7b3b528a4

SHA512
ab88ce5795004380f646db00478d3facb55f5c85b99a204a9d2504474398bb6ce92f5cea500861c7582c631d390aad238e1783c4fec2307456f9051631aa6b01

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
964745ec3cd6d3123e07d95e8b3028f7

SHA1
69cd64f183d16da6a96d75796f88b1b63d172a50

SHA256
1e11f2fa63676e056e1da5e924326bd80d53fbc233949de830b7b3a24995aef2

SHA512
b796a44f804640ed040df8f961bc8e9395ba0cd0e78fd17e80badc4dce728862950f0ccc38aadf46dbbb81971cfc03bbd5605d6c64a5804543699748589a763d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
fd65e49298608f7c45b7d17e27e0cf9c

SHA1
19daf5aeeb582e5c1f8b13bc83bc9b8f8c76e81a

SHA256
e4f731fd7904e461e38345212d438d4089f2da2d7c4d1774cb292d27838dfe74

SHA512
6f0c5131c758ee4c6365cbb9d84140378cf3a333828d07f180a35f48825f34ae17d34cf934f21e127b821cbee51a3e8d6b6fedcf6c2299340e15461ae882660d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
931ffdbee3e493c1f20b69e3790ae221

SHA1
88290418ab74bd6ba69e260e192342eb0530bb8b

SHA256
dd83c2ee0b7a3c64f2070cfe77ec24a72d2d295f38c0c867d49ef89da110ecc1

SHA512
7393fad834d4d32637474583830fc97898ccfe072ed819e5d954c9a6d69267515b4ee7ff9f0cb6ed7824473aab1a981b2a9eb79482674566678fc66eb9d5a01e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
a14ec9e4a1733f2711c630552facab19

SHA1
152ae3109e126305678483aebd5178ae147b78c6

SHA256
3eb665832716a99cecf75e8f3730278cb80d7881c8caf8f7bb130f9d85ee3e2e

SHA512
3255da50ca13f2babb2e915af8bed7235727ca60a9a17999a3306403b8dd95ba476f365a49c0418ac1b8b8f7c656bd1ca12a018aee0e44950813b859ad3975f5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
c0e2d8b97014aae2b0b55c77394a63fd

SHA1
0eed31ca98891a4f813d614957571285b246e9a5

SHA256
e06e01e222eec016f87bce2f6ab8bc2b5464468e13dbcfd82176c40133403f90

SHA512
dbdd7354dfd35be79c5aafcc68719c1653a8c3d65bf11fb66749def45531599e3bc12317b3657f9825f2aa422025e812d9a98bda67750c709482f15681426636

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
caef2972bd3ae09002c5fb63add1da23

SHA1
37316d90b5a083a91cbabeb08bdd49100ca8a549

SHA256
020cf7a6f65cdb4c0b4bb2b06d60b26e4156c33a5c732ef65351c6f8291bd87d

SHA512
9d59fe12a88afa519fa4c7ccf6241d7b037eac0763449dda42829b084f60c76f5df42ce675e6afbd0bc1b3daf80620cbba5b0dfb4524d56a3aac68b5ae800b5b

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
331097105f6d2b1a4715ac6611829cfc

SHA1
2632c1a5274aa73f64cf78869adf2814c55f028b

SHA256
3ff9dee5c5c7c6bc3d9a6d1483f2752a8a701a136b1228a22233437c3633becf

SHA512
a202b8d4d090a2cd36887685cc226a505eef6654deb36f81f3f86a2b91140a8b7803f48af7856deadfdd57537f9b521e39bc9eac76f3c7436db859910a91255b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
c924eb039cfe76a65555099be56cd563

SHA1
302019a98830426e956bc7a5cb9fddd9214df000

SHA256
13aab81f7ccc034bbbed5d7a9173da7901f67017400bc6fdc21f012219c50a09

SHA512
7e04fc00d048f8b23c3468e5afb2fdf6cf05ec8a769f129136f6f3ad01f05dd932c45bc5a7e24b2be128e03b61edfb935c89e0d8ce35595c84eeacf38808c277

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
3b08bcaa49190c0d8516e6d6ce378044

SHA1
46d9cb2f0a7345f8a93b6a78094f653600ff338f

SHA256
b4b63e0195f69c1fc10341f4d8b821ae9e2d8d74d02b26c12a33060281008d23

SHA512
841690359e39d9b2242ae53a684595fe20099ea0e469c846d51015155a4abd70b6d927424fb915060e50a0554f94335c8b15dc2ce7dfce681d3cbc0b0e0cfb7d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
85cfc13b6779a099d53221876df3b9e0

SHA1
08becf601c986c2e9f979f9143bbbcb7b48540ed

SHA256
bd34434d117b9572216229cb2ab703b5e98d588f5f6dfe072188bd3d6b3022f3

SHA512
b248162930702450893a112987e96ea70569ac35e14ef5eb6973238e426428272d1c930ce30552f19dd2d8d7754dc1f7f667ecd18f2c857b165b7873f4c03a48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\04c288bb-36e2-4177-9a31-5534e8876d1f.tmp

Filesize
10KB

MD5
5673261ec98d4a10ddd6347b0329e629

SHA1
ebbc683385fbbdc6e0703bf03c33b44c652fc466

SHA256
2e3ceb71631c4a07bdd4f9baf82b481237c3be43c2e77d6698a3d77b991ebd99

SHA512
90c9f1e17441d2e09a3b5be6c82b1dc4acd58780216d0ee7865ac5928670a8429997a6d1ebe55652e5cad77853724a34fb6b1659e3a787ba59871ebe4fada56f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
c7ae5645a65deb7ea56fd6b1718f7a53

SHA1
e56bcdf5bb53768b9c79b3b6ed7a87b00545d669

SHA256
8c5eb4e509d93a2cb1f6542ca96c64f030285314c6c6ae1355d0b95ade872660

SHA512
e3617e84ded0d30c612dc1f0660c139d5efc0b59131a36339e0bca8a4cb5a91daf046bb00edefd15d9bb5424c5da51a4634963a869a02b8d9497d5ec90ad719e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
06e1dfdcb6841a9013f52553c85e04aa

SHA1
d608a8a00ce6bf7c804c0a463e5b1a85b41b09e7

SHA256
33f1ec646e1079f873ee1fc884c42fa1beea51c8d860694bc83f47862f396928

SHA512
6ad36660d3a775ad2f2236f29c35e496012d55fea5d3205a15e55e8f84d6a6bc520060a377b9ece3f377522aa021a704dc6bccfc14d6af67799b939077c8d657

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
060722b2c400f57e4dae7bfe7752a3a1

SHA1
053586576ab48b125193db7a5862b4f2b70004ef

SHA256
4a0f30f85c4e786715ff002c7e2d745775c839d9fa294207906784d24185f3f6

SHA512
a250765588bd93f032d9b8ff25fe27905728ee252cabaf043b9b67f78f49642aeae6ffca34a19e583e54509f1b4fdaeb9393f7b24f0b7e40a2206f47838d6037

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
7ece8264a19b6785fda4f2517e0586eb

SHA1
bc6003831c8c6d093b650368fca7597162603065

SHA256
b6453b8251ab216dc1d4de8d24f8cc80668a898a562d478b69c671e4b2a19ba0

SHA512
4e84cfdcdd5572cd5bcd4a347a716e9f1ffdcdc54b71d1a1dc9a3af1420a2ddf8a3d60d2b0c0bf65d5fc2ab4ab0ba672316106c40a2dcb84f634820ab7c1f5bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
f439447fddd7870cfc15538b49fa8e39

SHA1
1b44b50cb203299e4e20fcf2f3e417186d9c897b

SHA256
bed24662cfaea899712c0012c3f12477eacad43659d38ee6badfa4eb37148cbe

SHA512
bfc4d9c758cc83ac2c534b4e0f26ecff13ae3be523fdf37cd8e3cd83c3f6cd8bd0c1a1d9f9aaad3b12fa63be97c160a5817d6946ae153fe65b69bd9b71f4c417

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
ae16ff6cb78f2359a2734585f52b13b2

SHA1
ff21a8080b61752d66c59d71c18a25b44ff0b90a

SHA256
b7cdabf55e230f4896448071b91e3644752929086695b72369f233783d36b960

SHA512
363f71b6fd9c10ae865fc8596ff334e9bda18a71cb048e8dd4315c5c32a29538a88c601d8770d11014f2d49a4d00575b92e18db59c93f0239d43fd1689d4f4bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5817aa.TMP

Filesize
2KB

MD5
04695aadffdaf28b5be826d27d48721a

SHA1
ce79df7c80926a86b0e1a922a05bcab16c7620c4

SHA256
0bc76b0a74faa8d4d25cfa28127c42750e86004af7a10d590e07a33a89726b51

SHA512
aa3438c4a09ea9c0c52dccb6cba636ac99c11b47a5b78317869823d6c39bfdfa304f40e67867b8ca9c4269efaba12431ae59a1d54c671f38acb9e4fe3d23da54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
13KB

MD5
9f4d99ed486266f1f5eb3833e517cfd2

SHA1
7d74a79e2c763be6dcce87f9b3f50fbc54c7fb49

SHA256
9300155aa7f22b817e4c2026475254cc2885deee6f51369897049db96aa1a15d

SHA512
dec32f2843b575e8120c6f9342144751cd7499435d43057d2c5d4bbc5d5bb15d6938827756028f1c46694616751037e75a663eb99a9e9c5020a7d2a29018da29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
269KB

MD5
16f67ce01ff53cd263bde6c7824f47e7

SHA1
c921c3507ef7ae3d8555d8e507afd7ce9dfb9527

SHA256
7e5971bdef99a449b4b5cc58a83aadaad7e9ab7753e8a313aafcf8a5fe36261a

SHA512
eded47e9de79e02f27b3e3f705fa4c2fb91b917f426e5c12f331be60f2b0cb1927be676a0537dae86ad8a291b8555af1c246cefc0807c51b66bcf16ded1acd98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
4KB

MD5
a82161ba989c3f733b042484c3a20948

SHA1
2d83af09f0c8abca6ccd4be49ae0ed9f9872f4f1

SHA256
53dd3b81adaa4ad69fc61765dddca1c78ded3b62a44670a79ac96fcbc1a5d679

SHA512
443a5bfed804145ad84e5d2ba3ea4f658928c17d572e2a8dadfb7379eaaacb9fa44f96da2482f720c33785d64894322f24541ff9966a2a39b70035a38ddcfe29

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
6KB

MD5
0bce2ba20f8d7402c82f0d244fd1b459

SHA1
61078c5bd6634f57aa14b166867a7dce0f654aa1

SHA256
9044b6572f7fb88ca76e55cdee78993b504ae55d88433d680b2f4e93675a1ec0

SHA512
216451ef1edfc8d4020330ca355f9b7763058ee03d6b6cdd53d58ae2e12231d1fb4690b85735fccca1fc4b1f4f3e6232e45551c527e8e19eb0f504a7eb882f10

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1548_1988018246\906efeaa-1b71-4cd7-a36f-5d5411f5988e.tmp

Filesize
88KB

MD5
2cc86b681f2cd1d9f095584fd3153a61

SHA1
2a0ac7262fb88908a453bc125c5c3fc72b8d490e

SHA256
d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c

SHA512
14ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1548_1988018246\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Roaming\4e73bcb2b3e2edcd.bin

Filesize
12KB

MD5
4529d0b6cf4bd1240ca4072fdf625e23

SHA1
da3cbdd2e4a98ec0a5577c58340ae1a87bf2d3cb

SHA256
29340b1b10b91b1ce67ac381e877f92b3e5592320176b003c3817ce3f9f7ba6d

SHA512
05ad24f4e7c5c74aba3f595c4ae3b5e8da7ee266e2b9730c1aeb42b089368cbac9169775fe490853393a4fb3fade0dee8a5d0f2e7cabc5c83fcecdfd3abce022

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
f852651c56a75076d7cea967e716d2f3

SHA1
3e6f224cf5dfacd5fa29a74ceb00d14a179ed206

SHA256
64992144fcc7b514c9fc665f0c93c6ae999f04d03f7102f2cc50e75fc5058140

SHA512
7a6968bce0e65d1f72b281b632db16f2e493b95341de74cfb42d6afce6f1eefe9ef807d63cba5df1d602e7788ba6807b858ba717fc1f3f14a337d4f41a66afcc

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
515c3ff5f218ff9acf8ff572c8a69415

SHA1
4013c69d1756b6d97a5430623ff57331ed411815

SHA256
743038b68175b6876f3a863aa51fd6657ae00edcb92f9965e461ff4592e0da73

SHA512
b541d71591a7e79e046c0ec66c0269cff6d592cbbb6d559795d3833b96c9c371728ea7b936ef8f39afff4be05b81f538f88967034eb23f63d69c05b09294b848

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
2c00e70ddbfb9c5b5ab0f3cf92b78a29

SHA1
f35ae72d215a1dd05fb6942d16aa954dc2e2ce72

SHA256
0141d134d4dda22c5bb7bdaa7bd1ddc6b931e5c0375b2f4ffa398b524577c1c9

SHA512
aa7f22b3ba9c2026affd30266404a35fb683d949bba4897242706c67c17cfce187550096b5df68471b27d9b072b9cdcc5529f65bc6d1a1b8c3bae02992fe0035

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
aeeed8f379bc608938f4e82d1cdf26a3

SHA1
4e5224373b75e8be750f9a82c61320c716389623

SHA256
81f827096289bf5760a7fd00832bb1ab7745b2e884fa87b337512e3189e96dd4

SHA512
65ff921a9f2aefbd7fe403f2045557213324fe9a0be16817030eee102a5d380575049d108fd2f9e94f60d4bf4309c59a4685682734689d3c122860a66eb6e888

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
f9ec6ed933e7dbc7347eea47b63b833d

SHA1
7995bdd16cf67667275b8be2e0523d762aa8175a

SHA256
f5c18f8dc87b778423a18fb0cfbcc4199eb07d4e3cab185907bcac63c691168c

SHA512
2d5501a59f86aa54c18910db2d425303c8757b47f3b7be916b73fb9be84cae750180befcf6599e14af78e77d54745de9ce00e24876f97dbe21f277f120c1c0f6

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
a8cceea7240f953bb8fea72066415a92

SHA1
db4e55606f149243a74210d3c9489c241593d019

SHA256
8bf6e1f91ae341d5249e536494882fc752f286458df401fc85831f0e74e385ee

SHA512
5b058bfd5620e2bc1557279ea6daab092ac0f08a28b62d0f46891ac22a68e6b4e048ca2886deff82e35b6056bf2379c482364619f25f60561ef3ac577703ee23

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
f0c973acd6002a31418d84f0227b0381

SHA1
9f1823f6d8affb738df061491ca2039b076b603e

SHA256
53e26835ec41fa5e523162319398a6cbaf202a2efbe450342ddee47e7f609183

SHA512
c5adf7675d406dcebd4d0527b27b0a6b003231f36ea14441c3714aac99ea4c1651b379aba47820fa10774277e2dbe4aa5bcf5b0a6e01a3563a7be2a5673bccf4

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
4022f2b38b94151645656a8c270871c0

SHA1
c31be252bb40f330414d519aeac893d5dbda2e19

SHA256
88bcd24fd8a4b62d86751dfb92e0099dc7fac57c76bb2ff4ba617fc8a35054aa

SHA512
16e5f31f33ae1b65a75bd104ef2a59d1c125488a870c63465405b6c60eb66738e5ec2cdc863234c339b3b380fe293f213dc331d330861f7625b0e258c9062585

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
fe5030182df7c52a09f19b3f135631bf

SHA1
7a34db2c55df7ba75909ac4c97d287ff7c80ee6e

SHA256
d5214ac8c93ddfed01e65c8df44004faf98f14d36e8bb0698e71d1bf0dbe3751

SHA512
4e11a0eebb24735379ba2ae5cf9b6860bdb24f26c14227110aed603d415011fdd532265efa7f9a7a349e7e83dff8be598bec97c1e34c7e908798fed4b4444af6

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
6a47e33b126c943750805d06786e0f2d

SHA1
56a174bdb79171d268de6fd03b0ccea2240ca9e7

SHA256
47400c481ea29d3c8a1e106738fdb38a15ce7b9d0b4ad6571bd86a644c626d68

SHA512
955fa78a4a3e90f67306db44f5cea8fd7e4a29f34606104a7711a7145d7afad3a3ab9e0578628a7ab76677f4e02b7938a22b6a94508fa653ca6de0bcf4417e3a

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
063cd9044fcbce3807fc1297855e363e

SHA1
aa49c4d26983a6b99dae9b8aefdc1474c2058db7

SHA256
90391996d784c453f0ec9456031672c3d453256541d61496880546cd5acf9dae

SHA512
9e014c0bc5eab0f7bc3a6de2ef503d06cfb36962a7d7d0cbf30ae44a8e2cda490d7b4d83aa8d3742af461cded03eda7b011d034b02fdb30ec7b00abe414303f3

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
aa48faf4ba2228d00c0112bbb5ec18e2

SHA1
247dbe7b73fd53d5f247a8a5b11b823425eab86b

SHA256
bbedcd176ca3beae1f073fd87abead972f8a84f2818f1ad579b88c04140659aa

SHA512
74521cd17ca813f62a4d7e2691969e9656a5a28f27a77f823a72edf801bbd44d115db992347422eee21fba2b0ea2dc5f891b142ed370c671436d414a11cf3128

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
b6977db42bb62f9565b4932462fe0df4

SHA1
222cc96ddf598cb1cdeaa3e8fc0847c538b060df

SHA256
4feaec7e7223e3ba413ade8296709955ecc16aad5147d2ba4ba76e10d2f887fd

SHA512
08c4541b93cdfe277c0f7ff5fee6cdce60d5ac546509140b01e12d0ec64d41e14e35694d63a75666a0e64833058311838be52cf57f4f2aa4d6f3acc24799301c

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
5435bb66d49cb35f796f73eaf74aab3c

SHA1
b949bcb168fddcee3c5d1bbd0901f537d008891d

SHA256
7410d4d2b3d411f5b7e56bd2d40305534f8688041490a6fdac8551336b44b1ab

SHA512
e31afb969407d12948433cb918acb35c45bae568651a53c155475debbbb0bb56501bba47c7db7f1032472beadedf09d1ce859df2041d2d46113fb1dda6fe3284

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
aa502dfda752cc51b9b6422adf77b854

SHA1
81378f2538ec19621749d595fc46d5a67db0d54c

SHA256
6ea496467a358f8b73ee8f381a1a2e56b79d107762e42714819fa7bbc7b5d82b

SHA512
39c0ac68f26aaf30a2879128b55e3ec6e69f76504a8bc56674338ca93db7ba4f242184d36cf5d9cffaad4b971e889cab6adf21e814476ccf261e4bcb1f63e39c

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
f4048e37d9c09bf72f6a74ea090ba9e6

SHA1
1bb9d6d10118f67713bc59f94573a44b47a4b6c4

SHA256
c7704399b0b5bac4d87d8b928933c44122993dd5b2121500945f81029e383ea6

SHA512
000bdbaf399da69b5ce64dcfc594a52cecf3046650c8928ad214078784f1dd0ba1b5d3c8f3e0b407481e41869eb60cec01f1697d705478711514f57577fbfe83

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
281efe3ef09e33fc484ef8915c374e21

SHA1
7111e61f8ea630ebf7e669725e6a6ad9db87624a

SHA256
ce3966749a51e43ef46fb6dd3ccbd814441be6b1b96bc25322a3909c4d30ff65

SHA512
27790199001c22fc111014dce8bfb24d89b1af36331b71e5dd1cb0d147abc4c93e61923a9e8b7188384fefae33997892e5ed9dd107d4977209496207793dcea3

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
18656508a1bc5b4f268029119f3fdfd3

SHA1
51276fbc8fb45e64a8ae2586d5a2b5ff18da9472

SHA256
b03e8fd8f141e4e500e86962edf74a9ba40dafc700955eda81b9db1eef491d46

SHA512
b2added3fc7d3b577912a46ac62f3654f6ee05a08b2ce2f327ca040dca405e2ad9121e86c7352bc310eb8ac1848cf934ad65ec340a16496ce8fc08bbe6aa3e31

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
0e1a0df5323f02fa141b11070035f203

SHA1
4662c48107aebe02429f78dc0ab4328f88ea9e8f

SHA256
169bdddd028372b9c8dc1bbc8bc1a48dce9089467cf7c3b5967ebc20713b1bb7

SHA512
5ef418e1f48b459f21f15f8462fceebbe5da2e16ff4cd02a614a6a508c1a9e28527c0d0778840600c85ba60d412de91e754b3aa0173ac4db70460367a2abc6e5

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
a4fe7e18bf081874ea95272407514644

SHA1
2688fba4562d9a3391635bee0128ecba623da703

SHA256
931f17ab57a6a4c1553de5d1d8af885d3b2023b961e3ece091b817c528081d82

SHA512
e098bfdb39a9f21d29eaf1594c26b38d3ac5c1b1b437a1ebaf2837b6c6b52e74f4038cf3ae52957d843c9e3b2b3fcc81e97d6c5cccff4df10de62d85d84bf8a5

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
7a52d8015e5ce75f9cb9ec7036d7d4f9

SHA1
67071f08687a73bae7e6c5d118811d291b428b2a

SHA256
228b643d228495def186a3f99f183d9e41b3d2a941dcddb8e326a1e229d8f0b7

SHA512
e21e242e8f58417582f4791612c4cae32b3810e6b7ccb0ac7139d03dac0e41f8c17972d2ccec5a40697df76d986751ef25d6028829b6b7e371aec6e182faf4a1

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
dc9cb668d658987de6f58a77d482d382

SHA1
77dd40bf51943e64cd573b9775f8d78b6975223c

SHA256
532d1e07754eebc055249007ac916f91457c1f26c74abbb8b7832e1b3d084db1

SHA512
852ce728985c7f6854af200082c3a624052c777c3a3cd4a44b6d72ed51f546520dc3dc98157b466e5f62297aef47932e20f857a42313c7c82fc8dc04c5b75387

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
2a2628942af8771aa1a0e745bcc59aa2

SHA1
1862a39de39db6457bf284e155e7ee351c0a1fdf

SHA256
864814a2bc5a702fcc96dc9b313411e720ceefee85d75056ac374fe018d65e9b

SHA512
762e19478cc01132e187b768cfe27ff719b22006a263e94051cf195aa5791baf1c4286a90d30b9f29622177e27e8b72b3796d0081bffc73421f5e28797f3c88d

Download Submit
\??\pipe\crashpad_1548_TAJQVXVDTOWOPKVU

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/772-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/772-0-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/772-21-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/772-26-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/772-6-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/1592-153-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1592-236-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1656-125-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1656-123-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1656-216-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1976-140-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1976-227-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2456-71-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/2456-61-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2456-67-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2456-176-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/2516-117-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2516-120-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/2516-111-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2900-109-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2900-57-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2900-50-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2900-107-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3552-19-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3552-16-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3552-10-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3552-119-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3744-47-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4044-253-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4044-740-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4452-198-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/4452-89-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/4572-86-0x0000000140000000-0x000000014016A000-memory.dmp

Filesize
1.4MB

Download
memory/4572-83-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4572-78-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4572-72-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4572-80-0x0000000140000000-0x000000014016A000-memory.dmp

Filesize
1.4MB

Download
memory/4728-152-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/4728-31-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/5108-42-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/5108-43-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/5108-34-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/5168-480-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5168-160-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5168-252-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5272-168-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/5272-431-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/5348-179-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5348-489-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5464-184-0x0000000140000000-0x00000001401A2000-memory.dmp

Filesize
1.6MB

Download
memory/5464-646-0x0000000140000000-0x00000001401A2000-memory.dmp

Filesize
1.6MB

Download
memory/5624-195-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/5624-665-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/5680-199-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5680-201-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5720-694-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5720-204-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5836-217-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5836-698-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/6012-700-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/6012-229-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/6068-717-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/6068-237-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download