39f437782a4476430f0c652e7f7e3012c2273ee71c31193e0bb87c3770d96373

Analysis

max time kernel
152s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
23/01/2024, 07:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
Size

5.5MB
MD5

8debdbabf6a2c39a69c537cc7faea771
SHA1

524c6d227aad1ac2f4be93b0c21270801aa6486a
SHA256

39f437782a4476430f0c652e7f7e3012c2273ee71c31193e0bb87c3770d96373
SHA512

9660e02c4568ba2d3f9861a5b246d2cc0cd3859188b8cfa57565cfd8106fbaf7e4960c48cd7143300ef865560b03e84d69f1bd341b65e7bfaf03d69230b7c82c
SSDEEP

49152:SEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1bn9tJEUxDG0BYYrLA50IHLGfQ:4AI5pAdV9n9tbnR1VgBVmDC17DVqFJU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
5116	alg.exe
1516	DiagnosticsHub.StandardCollector.Service.exe
4384	fxssvc.exe
3376	elevation_service.exe
552	elevation_service.exe
3440	maintenanceservice.exe
4752	msdtc.exe
4760	OSE.EXE
4164	PerceptionSimulationService.exe
5100	perfhost.exe
3616	locator.exe
2708	SensorDataService.exe
1132	snmptrap.exe
5296	spectrum.exe
5732	ssh-agent.exe
6036	TieringEngineService.exe
5208	AgentService.exe
5136	vds.exe
5404	vssvc.exe
5132	wbengine.exe
2956	WmiApSrv.exe
5988	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2c259cf2c92b1ccd.bin	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_127968\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007bc730d2cf4dda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000593ad0d5cf4dda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ba907c00d04dda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000240bbed4cf4dda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133504693521019852"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b7c922d7cf4dda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003533a9d6cf4dda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006205eed1cf4dda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
4652	chrome.exe
4652	chrome.exe
352	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
352	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
352	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
352	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
352	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
352	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
352	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
352	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
352	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
352	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
352	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
352	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
352	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
352	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
352	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
352	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
352	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
352	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
352	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
352	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
352	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
352	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
352	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
352	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
352	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
352	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
352	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
352	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
352	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
352	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
352	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
352	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
352	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
352	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
352	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
5364	chrome.exe
5364	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
672	Process not Found
672	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	996	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
Token: SeAuditPrivilege	4384	fxssvc.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeRestorePrivilege	6036	TieringEngineService.exe
Token: SeManageVolumePrivilege	6036	TieringEngineService.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeAssignPrimaryTokenPrivilege	5208	AgentService.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeBackupPrivilege	5404	vssvc.exe
Token: SeRestorePrivilege	5404	vssvc.exe
Token: SeAuditPrivilege	5404	vssvc.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeBackupPrivilege	5132	wbengine.exe
Token: SeRestorePrivilege	5132	wbengine.exe
Token: SeSecurityPrivilege	5132	wbengine.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: 33	5988	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5988	SearchIndexer.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 996 wrote to memory of 352	996	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe	88
PID 996 wrote to memory of 352	996	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe	88
PID 996 wrote to memory of 4652	996	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe	91
PID 996 wrote to memory of 4652	996	2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe	91
PID 4652 wrote to memory of 5044	4652	chrome.exe	90
PID 4652 wrote to memory of 5044	4652	chrome.exe	90
PID 4652 wrote to memory of 3320	4652	chrome.exe	97
PID 4652 wrote to memory of 3320	4652	chrome.exe	97
PID 4652 wrote to memory of 3320	4652	chrome.exe	97
PID 4652 wrote to memory of 3320	4652	chrome.exe	97
PID 4652 wrote to memory of 3320	4652	chrome.exe	97
PID 4652 wrote to memory of 3320	4652	chrome.exe	97
PID 4652 wrote to memory of 3320	4652	chrome.exe	97
PID 4652 wrote to memory of 3320	4652	chrome.exe	97
PID 4652 wrote to memory of 3320	4652	chrome.exe	97
PID 4652 wrote to memory of 3320	4652	chrome.exe	97
PID 4652 wrote to memory of 3320	4652	chrome.exe	97
PID 4652 wrote to memory of 3320	4652	chrome.exe	97
PID 4652 wrote to memory of 3320	4652	chrome.exe	97
PID 4652 wrote to memory of 3320	4652	chrome.exe	97
PID 4652 wrote to memory of 3320	4652	chrome.exe	97
PID 4652 wrote to memory of 3320	4652	chrome.exe	97
PID 4652 wrote to memory of 3320	4652	chrome.exe	97
PID 4652 wrote to memory of 3320	4652	chrome.exe	97
PID 4652 wrote to memory of 3320	4652	chrome.exe	97
PID 4652 wrote to memory of 3320	4652	chrome.exe	97
PID 4652 wrote to memory of 3320	4652	chrome.exe	97
PID 4652 wrote to memory of 3320	4652	chrome.exe	97
PID 4652 wrote to memory of 3320	4652	chrome.exe	97
PID 4652 wrote to memory of 3320	4652	chrome.exe	97
PID 4652 wrote to memory of 3320	4652	chrome.exe	97
PID 4652 wrote to memory of 3320	4652	chrome.exe	97
PID 4652 wrote to memory of 3320	4652	chrome.exe	97
PID 4652 wrote to memory of 3320	4652	chrome.exe	97
PID 4652 wrote to memory of 3320	4652	chrome.exe	97
PID 4652 wrote to memory of 3320	4652	chrome.exe	97
PID 4652 wrote to memory of 3320	4652	chrome.exe	97
PID 4652 wrote to memory of 3320	4652	chrome.exe	97
PID 4652 wrote to memory of 3320	4652	chrome.exe	97
PID 4652 wrote to memory of 3320	4652	chrome.exe	97
PID 4652 wrote to memory of 3320	4652	chrome.exe	97
PID 4652 wrote to memory of 3320	4652	chrome.exe	97
PID 4652 wrote to memory of 3320	4652	chrome.exe	97
PID 4652 wrote to memory of 3320	4652	chrome.exe	97
PID 4652 wrote to memory of 4452	4652	chrome.exe	98
PID 4652 wrote to memory of 4452	4652	chrome.exe	98
PID 4652 wrote to memory of 1416	4652	chrome.exe	99
PID 4652 wrote to memory of 1416	4652	chrome.exe	99
PID 4652 wrote to memory of 1416	4652	chrome.exe	99
PID 4652 wrote to memory of 1416	4652	chrome.exe	99
PID 4652 wrote to memory of 1416	4652	chrome.exe	99
PID 4652 wrote to memory of 1416	4652	chrome.exe	99
PID 4652 wrote to memory of 1416	4652	chrome.exe	99
PID 4652 wrote to memory of 1416	4652	chrome.exe	99
PID 4652 wrote to memory of 1416	4652	chrome.exe	99
PID 4652 wrote to memory of 1416	4652	chrome.exe	99
PID 4652 wrote to memory of 1416	4652	chrome.exe	99
PID 4652 wrote to memory of 1416	4652	chrome.exe	99
PID 4652 wrote to memory of 1416	4652	chrome.exe	99
PID 4652 wrote to memory of 1416	4652	chrome.exe	99
PID 4652 wrote to memory of 1416	4652	chrome.exe	99
PID 4652 wrote to memory of 1416	4652	chrome.exe	99
PID 4652 wrote to memory of 1416	4652	chrome.exe	99
PID 4652 wrote to memory of 1416	4652	chrome.exe	99

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:996
- C:\Users\Admin\AppData\Local\Temp\2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-01-23_8debdbabf6a2c39a69c537cc7faea771_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d4,0x2d8,0x2e4,0x2e0,0x2e8,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4652
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1676 --field-trial-handle=1896,i,1529080095307104313,12356584805893858615,131072 /prefetch:2
    3⤵
    PID:3320
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1896,i,1529080095307104313,12356584805893858615,131072 /prefetch:8
    3⤵
    PID:4452
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 --field-trial-handle=1896,i,1529080095307104313,12356584805893858615,131072 /prefetch:8
    3⤵
    PID:1416
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3120 --field-trial-handle=1896,i,1529080095307104313,12356584805893858615,131072 /prefetch:1
    3⤵
    PID:4700
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3096 --field-trial-handle=1896,i,1529080095307104313,12356584805893858615,131072 /prefetch:1
    3⤵
    PID:1220
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4624 --field-trial-handle=1896,i,1529080095307104313,12356584805893858615,131072 /prefetch:8
    3⤵
    PID:3112
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4804 --field-trial-handle=1896,i,1529080095307104313,12356584805893858615,131072 /prefetch:1
    3⤵
    PID:2292
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4772 --field-trial-handle=1896,i,1529080095307104313,12356584805893858615,131072 /prefetch:8
    3⤵
    PID:628
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5092 --field-trial-handle=1896,i,1529080095307104313,12356584805893858615,131072 /prefetch:8
    3⤵
    PID:3024
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5104 --field-trial-handle=1896,i,1529080095307104313,12356584805893858615,131072 /prefetch:8
    3⤵
    PID:5060
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5336 --field-trial-handle=1896,i,1529080095307104313,12356584805893858615,131072 /prefetch:8
    3⤵
    PID:1276
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4656 --field-trial-handle=1896,i,1529080095307104313,12356584805893858615,131072 /prefetch:8
    3⤵
    PID:3112
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:4128
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff6a90f7688,0x7ff6a90f7698,0x7ff6a90f76a8
      4⤵
      PID:5792
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      PID:5896
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff6a90f7688,0x7ff6a90f7698,0x7ff6a90f76a8
        5⤵
        
        PID:5928
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4652 --field-trial-handle=1896,i,1529080095307104313,12356584805893858615,131072 /prefetch:8
    3⤵
    PID:3068
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4664 --field-trial-handle=1896,i,1529080095307104313,12356584805893858615,131072 /prefetch:8
    3⤵
    PID:5128
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5104 --field-trial-handle=1896,i,1529080095307104313,12356584805893858615,131072 /prefetch:8
    3⤵
    PID:5604
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5232 --field-trial-handle=1896,i,1529080095307104313,12356584805893858615,131072 /prefetch:1
    3⤵
    PID:3356
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4028 --field-trial-handle=1896,i,1529080095307104313,12356584805893858615,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5364

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:5116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc499a9758,0x7ffc499a9768,0x7ffc499a9778
1⤵
PID:5044

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1516

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2640

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4384

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3376

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:552

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3440

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4752

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4760

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4164

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5100

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3616

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2708

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1132

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5296

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5732

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5948

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:6036

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5208

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5136

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5404

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5132

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2956

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5988
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5312
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
e84293a3de9d120a12e48222db32d102

SHA1
83f989681a0d50a65b54aa47f1a24c378ef17478

SHA256
53626a4fcd78aa7997bd91b30293230ce6aefd273ac8db7f2dca44cd5a81ccc4

SHA512
23e7cce3429393a69d0c898d8c058f9d0248fcfcee0a301bc901ccca0452065588a9f50b1d1a1a1cca2a47993b78fba7a55d5a2897feb1754769d6b1adbd5bce

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
72ba0d6669d1ebe89251e0112f12ad5a

SHA1
37852b0d8af6d6c0810abc31d17e05747df774dc

SHA256
815be5d858ab76ec96c6346dae11610baf35823a8626a49c8a0cdc3d333ebb07

SHA512
ad6a0098ada374e5142df99f257a183140d817aeda454a29c76f8781ba16c0d93fabd59c3ad773bd3a4a5d3974321293b3a561343abca7a490c08d36386ec971

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
3674080f01ab0fbb5ed61c53ed7ed490

SHA1
da8a1d27cca54c62ad630c3a9136345ecf4411a3

SHA256
909a74c40e5a954c3ef4d625db2014859660132f59151ed628d2c67958087e9e

SHA512
6bfe083383b75e119c9cd0cece760222791585fcf10679edcc04a9efb7af9fd4aefc16b88648975ece43393782c1ddb26d1ec504cffc05d719fc7d1191e3bea6

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
63a297c451629bcd7e4f0afb408c0009

SHA1
a46d470ed3b70b8df5f3013eb88f705216c891d3

SHA256
16e2b0ccb5610496cd96a190257da874b2ef4b170d0375c2ad72001ed3c618a2

SHA512
ac400f6abfaac48b2344115f5ba1b136622acc3c0d8ea91fefeb46979439eed83e467ec6f0ea3c74cbde158bfd0ddb8985840d1ab5e691f017faf26934d3f94c

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
83e4fddf88926d4c0c8d13446393e287

SHA1
47f4136fc1402f8f10e72c3970ddf0de9a879dd2

SHA256
2e42a18c176dc8892a2c5aab3a7cca1a3d7f16d845818a329d127215c325ef58

SHA512
e0372abeb353c2e513f12bf69e8c0ae7a315aa3c636879e21569755eae4c8d8d441af4e53b4ca5fec0a4025dbd2b5cbf2fccd5b90c84b475fe2a22f7455d7560

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
982cb15757ed2457468a931c00673481

SHA1
7778cc09c0dc4566fd747ccb6a9b74781830e2dc

SHA256
15d55cf22f882659e9921a9d5bd63127046eb3c117344edc7a04cdd6b3f34aa4

SHA512
c37906020bd5efeb7d52a5df8e24452b03516c4e60eb66bd3d9b52fe8550f5fe135ac94d2bdaae56a316b472fae50aee4f2748cb94fe8351c9ec64b6d116ecbb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
8a57bd493c22ae8080965533e99ba4b1

SHA1
0a4c7348eb7c2191ffc7dfcf1eb67426c65bfc06

SHA256
ec6a404539f5aa392a4c45cd3bbcc2593faa0e78452493d0121fb8d9a67cdb37

SHA512
444c029c587ad65836807d9f577bc6146aa3bacbd1074d8bc9b05f739760bdda6f5ad42df2a3863a62b04f7550837f769e05e4d3c3d0e34c03f534d67ded5581

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
3fe88dcd5444fc33e8b3d4adf4642b1d

SHA1
5e73f41c8af935711574ce05c78f692fd26edf16

SHA256
1bfbe56d77b00873a72bc6054d41878b28435108c71a7d541fa8f56f0b7e6a18

SHA512
de76ae014fc3655ecdf4ce31a99abf47a38100b3eb27855bd1e84f5b4c4f2add1f3ee80f2f749911839a3acdd7a00815fadccf727507ecd02c54bcbe3dcf3a0d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
5892179eb08e87838dad1eeca9247c50

SHA1
92ff003daaecb3326a36e1ba84d07311d00e7c64

SHA256
9401098a62ece8cf46f48872f074d671e7f5da6a472383f212df681b7e17a55b

SHA512
1c7f663f9f29f87ec7857ba3973cce5d62e6b517baba554520e0add0fcce10bc05183b9945051d3cbd2575cb8f654769e66a58fdb9b44910833a3ffbdf476471

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
8a724e2cb81d2d91ac7cc4249da4875d

SHA1
dd07c7c3b9683e48d340180d219edf5705b3460c

SHA256
867a83d513487a6d3b8790c42e67d1164c2637713a166d11e48815d479b5bad8

SHA512
13f5e64a99fc6ac94ef0bd5d370ad68217039d96af9fbcd7f77332802715a39a5bca215ecb90b6374672da86f91d2885cdbc9f293cefd65096d9f3922d9744ed

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
79216132ec1fca0350c0181c4131fa1d

SHA1
b381f16ceefe44dd4ada63bf38e822c7f3199402

SHA256
0c006d2eb9eda7b93c270de7217df0e802966a4f1b2f48a9e97411203114ae54

SHA512
c508f14e3bcb013d99769503b91d91db88d621832cfb3390c4e9ba3fb4150972dc8c7cceca5150c72b1c9536aef5363827c0962cd60ad926643a9d373581d341

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
1.2MB

MD5
868a1dc6a78cf59fd8e51b7b8e1f9896

SHA1
5ba58f771feae05a7a8e1481bdcb1070fce22a51

SHA256
45fd0bdd9f6f9f4cb577ef1a84a6e3ee8ab1941aa61f030bac027da1075bedb9

SHA512
c068e87187fd4afb42c5d79f88174368890dcb686e6b1ac3562c2f19189ff006d7b0b3d5d3626b2ff9806c4e3538834c7af1ed8b57c7f9b75a1d72a699c719f3

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
1.9MB

MD5
1038d224c4ac772c3a1898d36f95466e

SHA1
eb93b472d90aece16f2ce31d8b1cadcb2fd7f720

SHA256
602c19417cbc8eaf816c780458483b51840d9e0cbbd5c4f0e472b8afc5523787

SHA512
243eecd879425a61f83f79ed9412d5dbd7087c607e09f8641e0887b328e1a6abf766d6f858252d88a7b2e7dfc60a9f4d8b95051ab90885cfe345518aaacfb587

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\789688da-aeb2-4000-9346-83154c573a5b.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
1b06b27247057e8c16b7261dd4793862

SHA1
8a395beba7824dd9c62f6da682ea9f6020c96c8f

SHA256
2a0164745f7a422b530494835ffcbcaeae5c6259f92d48763a7efe862edbd8f1

SHA512
2eddc8d71f056da7cf56ad304c96e3f998afac88fca7110a6d6ae313352a765168ded9098e87031224cb74c39d0bfbe2160285ead4ae6252e3c27be4c45d6ccf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
8ae25b226e0662d256cdb32f2777f840

SHA1
39594f82a6dd98b6e4a341648cd56e9efc6aa16e

SHA256
935b4cba7114f9adb0c7ae6acbc8903ec672ae318ac63c5d5e5edf857b4db207

SHA512
e529649b71c7a7fccaabc2833af3cbfc9bb15b66cc5735fc95a2bd741c502bd11af05853946d045a49d823e3f6899523d050fe7d33c485af5abccc8e2ca02e8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
65ad487623455cfe102d0b92c5e67b7c

SHA1
55f3cfdc5ea1cba710ab0dba9ac824b0933dec70

SHA256
0bd8d114e86f3b73f6481b17d44bd2c403e539d45140bc6cf71332c41714460a

SHA512
b3c8119c1d8959c83e3a08bb8c65083e735937b12805277317ecc6ee0931fed566d0e1584a8230731480c331d9ea813cd8efcbcb9fc5a6c9d5ae3366e7e7a5e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
4ca61994e0e0480274501595d9269df7

SHA1
3e7a0e9dd705a334247b39c734f55fdee2884f9c

SHA256
8398a247578ea6f9df07d6ee882861ab286703bffc286d1e2b438b4ceff1511e

SHA512
24af8880fc4669c9da71bbffe827f52231b78e107915924c3c21509dea0c4670edd98fd55c78e2ef83826467cf45b2485debb3b66baf325617ca193369e97dab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
2f144514e72afce3d7ba4d09699fca16

SHA1
7d64a89854b8910cd1ed7dfc9e1400181af2ea74

SHA256
55a2954fc7daff44f3bb1ed4d66c80429ea1b9d4db662b2f975eec1e361262d7

SHA512
70d75d6b0f441dda515611779eb3b382d51e9b170cd2dd2e2d2737409e866c21f7d1f74f92e2d74dffae43452f822a129826709cc9160b6008d265ec1171c13e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
dd8dd30ae3981b3692bf0d0a55a2a4b6

SHA1
d29dad7beb77313b8af7def09dae159c43013b5c

SHA256
a758861445be89c0968e6d740d13df2f36e8c31ecf05ed5f8912feb8ef355fbd

SHA512
0c1a8f1f0a7e239e8052e6201cdd5ef642c042beedc36e0e880a1584405a04e065f6e6a72323b19d0e5b67e0529c914424dc63c3bdabab2a4d2a63d95b0cc2e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
216f618f05e6ca56c5dddaec6b04e298

SHA1
22ff62463fd6c10bce23f821eced2d093d14d2ff

SHA256
e4bf1d11528ff736e7ede25d2494724e57b4539c6e8ab2eb88f84bf0b8c146a3

SHA512
dcbb52173258f85de6e050d70b6ef0857945d77cd2318880de6a7d8bdb163c49a12ccb6612247c6c83dbd444f98d56ce7da0ed24151707f70b85f70441e404c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
671e77e291087fbcfce858be81b5101a

SHA1
f62d57ed1fa86d43054fb8105e187cfc4987db41

SHA256
141271f54e0c414c83622a1b42460b18b8826a79d683af75bbd93b731b230b50

SHA512
9dbd600e42784bd73d5f661f4d5a6d5270c12b63e028892585ec99882c2f4d2d121ecebe56f90247575b4a53e751b9811e104a65759ad63d50fe08f4f43ce22a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57d67a.TMP

Filesize
2KB

MD5
d6503f5e16a8bf2a8f64f5ab2205b728

SHA1
6c0b1af9431e1e6438e0ed4d53095c0c80295489

SHA256
52c98a5c128ede84b7f56b888d2b86e010f1bff308c5943274adf2ab3cb2b305

SHA512
0653c860cbe62e788da7de581abbbc4eab31b682f9ef7f8ed0fc42746af7f45ef7f67d35d01d1c203c7e1fe275fdee1a45c5ef9bc5ac93fe62b8a2069f51d790

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
10KB

MD5
780ccbadc0def6dcdda45edb887ec3bf

SHA1
d7c81f464ede2028dacf064a703df1a1284f489f

SHA256
e191362223ae10cfef5015d92731d0a5fa6d4e9c976827d871e531fcb31216d2

SHA512
6fb56f1632b3adab0391b8540c07b4581953a7da6a64d499d6e89087a5000960c83c2c8cd08f76fc6706d129dfd7be866cfd4a90cd93eef67ac59ea42371acc2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
13KB

MD5
d1480cf37fcc4a9525691d73d361ef21

SHA1
4e2120d06facb81559016b329f968310c98d7982

SHA256
c22f7fd9156685c111970f010a735d784484d158e2ae819e67392f8d7439dc48

SHA512
0c6bf92dcbba06e1b1f824f1afdf73a1dfe7037aed6f2c5e9395fbe906d03b98e8c442d6641788ff2f6ca927a7d006765b84faa7e5775cf1857b8215307af27b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
229KB

MD5
6e4f1693f9fad0e89683db1090543186

SHA1
fddd77ddcbcb4f290d01e74f5b4860ebbaedb641

SHA256
0ca6e58feaa9cb0fae55c52a81bf34ba2c87d5905554c6b679bb030971de2a73

SHA512
f75565ee091cd8cb7ec2ef5cda652cf796b9aef071c2ec8bdc8e4d3584b83f70a5df5cfec1d00c0f1f0d5fe3a9906c9cd7d6e9f21b9564f100bd81ca5f00254a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
cdd0e5a085f9f8b3e36b253482ccd7a9

SHA1
b7f9e83cd2b28b683b32929a66de54e00343a656

SHA256
02d25ab7dde712e79319e1e2ad463929fdc80296a49eaf4823c016b4034c659c

SHA512
1f6b2012583161654f976de64e109ea60b0f105eca647ef1fdb4c564b008a09bd3bafa3a505f91c496b7bfb3ae45a55300d161cf142e2ccd0397e46dc6a856ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
1920471ca4a8832eb1339a7590e548fd

SHA1
d13e05b73e22d24d08bec5bbc959cfa919dfcd01

SHA256
4b1b8549164a4aab002702e20983d8311118ddb05bcbe341548066cb81b2088d

SHA512
26fe4eb7ea1aa00e7809888f4cb7b7d336d187f87806183e984aa0fe2e0fdf6cfe13779e84da039af46f0967f4af112c00bd514383cff4ac7178ea7311ef1bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4652_592428176\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4652_592428176\a477ab68-ca5f-4819-abb6-105d7366f9d0.tmp

Filesize
88KB

MD5
2cc86b681f2cd1d9f095584fd3153a61

SHA1
2a0ac7262fb88908a453bc125c5c3fc72b8d490e

SHA256
d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c

SHA512
14ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986

Download Submit
C:\Users\Admin\AppData\Roaming\2c259cf2c92b1ccd.bin

Filesize
12KB

MD5
9411a5863b471e5d920cc297ff13aea0

SHA1
2c234f8741485966d272304cba277aa756f99594

SHA256
8bfc9a8f72fdaf4d51cabfefd76f9843c77e2d80c2b55620ad7c0c0497c2400d

SHA512
5fa00efdda4fc48ca2602f4b7a473f6e41ef3249c434188bb05f79ad843e6cde7201ec05005572c2cff08455ee6f711a80ffe3eaae202a208f344bf27b77afdf

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
843d6afd77f49aea9f8df25470d8dfce

SHA1
51488c8a63a5ca04485ff98cd6104cb91981ab4e

SHA256
fe745f7a662ea3b63329cd0cf454e54e8d740b789d1af60545beb069cbdb0993

SHA512
93b99c2c6eacd787950c08300e86e9ff488595c50abc346b4bfc65539b97226d4da884626578fdf01b08fc5e5c710c00a3acfa60925d1c52b2da297c0071e08a

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
a239613b458ec633bd8f8c47987833a5

SHA1
6821a1697e919624300484bb7e6d4b62b23e2072

SHA256
981f94022658339b8a37a85717a39ae3bd05b8eb47b8182b85df1580e309bcbb

SHA512
65ad2ea9b3a27856683692459664e18ca4af16cd045177d4b876fea7dd861ce822526f84f8bf149fadc765b5a3c7f64424e6726ee6bb3bd58f08c3686c27633b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
7fb5f00d6c3d458306847f8a05dec58b

SHA1
77faf9f59aa1aa1b67e42d08b8c6168db354d80d

SHA256
b5e9ac77b643758d954303610d2c6def28cf34a47a2c0f7392bdb1ed189949b4

SHA512
c001087b71aa4fb236d59dfcf54a827db0240d40e8cfa10fd5b29efc6587eb348a455970f373e664ea0875fd769408608e845332568c2dbc90143d9b25511a9e

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
128KB

MD5
6f4b4a01ad4a883b61fd3eddb45014b0

SHA1
78ffde9f42b5fb57373d3d746c787f95881d2f7c

SHA256
71fd2d76191418748241c0ef494f1d76c9124bdbf821b0d33d417c7bf86d5d45

SHA512
8e58d987ccff1d71a79d97279449b89656b00a1a1a8cfda45cebcfe4d042ea8ae35713f38b6911a58c0693067fa8af03c2b6061900a6ca55d7553a58ed7982da

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
a9a5df8726918ead6821d942649d09b5

SHA1
67841a297aa9382cd626a59b435dafa7f1b66a3d

SHA256
edcde5dab875be814daf67d450fe02ed30b07e311a08217beeb6d98660b078a4

SHA512
d8f7b0ad9e692e9cb61fefd8a0ed2a37a29a956c0cadff52833c69782eef8fd11a7d7a6c7fdf3c2f54d5a717963ee06d07913b3a162df9f5fff340574aa639ca

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
d96d17e09e7830ffa68c48559cfe501a

SHA1
26e43603368bf45b917b7c90856cbf9a03b1f7a5

SHA256
9d6eb38c456c87d0b8e9acd39cbf6734e0093b055fd6bbabd27824a5a7a16b93

SHA512
438a5442481d3938567d7a0f93ca04a9fa43cf2cfb7a61fa7fc4e938dbd492330aef336ef316c510fcf8e487bc7a6cca0469238e584f86cf27cfd3b13c6fa93d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
40fb26966585906b5c2fadcfdfa7e0b3

SHA1
c5811dc4ac23adeea2905001d76cb259076fec58

SHA256
1d83f5de6c2801f301bf628c8f44bdae2cff6eedfa0bf2b1be48deb671cd901a

SHA512
fe68301ad19a5643a46b8ba486ed8b4db6acad746b7f18f74e815fd2e5f1b28d11487775257a7af436c83e1ed26bf401c2b8c23fff01b58a6e317a7c2d488ac6

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
2709fb5822af2f090cd76f7bf4bc582f

SHA1
b4d3823b0f57542d98ea937835966ef7657f60d0

SHA256
1cd523689f650224b4d596360b851fd298c7f8fdaa3c2cc3736446491305c556

SHA512
255a1d6d45cdaf7483a3a05b6c568d4f077806d4800cc1aac848a25b2a5b578f0b7ba0b3c34fc9bbf99e37df4081912a4c210adc863392a553289c6c4fcf41c3

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
34c99be6e00218039d4aa109c18e9307

SHA1
fede9e3b7ceaaac752d9230a0352e742543c0a59

SHA256
50fa6bf2810a8a363ed70b399bc8c882ca870a424405454d4c168c4a4349c57c

SHA512
0b0e192abbd5efc98f371bcb7bb8eacae1edb1e1d3e0382b6ef3e3649ab1e3fffe5156396ffdb6dd9b9746b7c9ab62beb79e1ab14670a845e97b17096251242f

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
559b0c4c3bc0188c26ac157703939efc

SHA1
9ec849aeea2f1aab378ca15712e7634791ef2d0b

SHA256
a134d16d413d9c5208dc595f378d1b409b82213218dff36cd0386699788dcea3

SHA512
af745e7b301756b948e5ff883aa55af63b60768bd1c76ad11db32881ea59e3955e6367b2abeef77723111562f482be65b41316aeeeaf038dcd2bf32f63d8f3eb

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
785d9f34a13f2daf075bbf9949f01584

SHA1
eefe00cdffe1aed5e47e4097ab1516a2c2c21051

SHA256
5ce249d1f37932f15d554995767419cec7127f1124f110a067c9f8cab5c1e9e0

SHA512
2b61aae38e39b8590d75c621e0e28963451cac7843a4e250cfff591b89c10dab9eccad4f0e4c7f483db7028b584cea116e6ff86fa4f2f27df223e323370587e2

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
363d82b5ca30872ba7ccabcd86f2b925

SHA1
9ac84655a25a1190dee9de3ba23dd729e6c7738f

SHA256
b6ab4075536fd44dbe89644577c65d3048c3f4665ab3373ee482d30bba6c23e2

SHA512
3176d59276dbd04112828daf539a6ddd54e8858b8bc34f8239255817ea0834bafee8f3351196778b7de502848b5a3c39b65012d2f5329cdec47333130c4657a4

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
f766d264e4f2d85c4509bda6d3eeb035

SHA1
c79d1d71887c488768682f23f15d4a92208c0b73

SHA256
14839fc36ab6840d48a8076c9891fa36cc2555ad9bbc515e1ac9a5745d2e1c47

SHA512
a10f7796d93a6407306ac2a4d1a641c9383b4c857aef5f15824af3ce99508b0a00b9af539e0f3a5c86482f81b97fdd4db35b1cda6f8b89f27c30743488a8fb3a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
be9ecdb85d3466fa4e26abd46847c77f

SHA1
dc676b134cddd41d3a9bf6308c623b4db89072cf

SHA256
e6bfdac273f24707a8564e00b0ec0530311715babf81f763da2adca777e5df32

SHA512
193e215df9ba3aa4d95e99774d82fb659674f2d4e18730f1df08552f9c16b1b816895b178d293985c0d34d655ed8bc0b944b453d9e05f74807b5d112eee194c4

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
37e36fbb7a0c553dee21f2e38ee27ba9

SHA1
f0630a5499c766db1aa810efdc7ea8eb90996e72

SHA256
d6587e23f7e49f10e4fd671dd43bc642dec2fd9cc84de43ff76d033fbdb757b8

SHA512
e2e588b9a9568fe8bb65e4cbf3cb58ec4457ebf6a7accebe8f0ad525d5fd0e1b504525a7277964c868943b34ba73dc59d1234dc8c3efa3e31984e9977b258233

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e6a7c4b3d52e9ea128836737ca4d0998

SHA1
3e842a5fb81af4f660492910a2a583b34b8a3250

SHA256
392068957a3cdc8d0105dece71742d5c2c3920d1fc1105861cc3ddd6d638e7b2

SHA512
b735702f5f9d5b76d865a321712e2e299347c092d47dbd69ac1dbf21dc5ea0219d2cbfb6b09ce4b2c4822eecd5508ab1612810cc748bfcec08fc1c7326ca61b3

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
4bb8d2ace8f968bea0d86f8bce917104

SHA1
5bf71ed858d55936c876167558db6945d6381bf5

SHA256
3aeeb5f47ffe380abcdab3422f8a43c43bb616bdd0ba24aff9f1dfd9754bc407

SHA512
d07517a51575405d50b71f16a906e9557a41f7fbdf10f68ab45aa66085248f43bf27c938a48d03dbdf6cdb4559583754f380e73599a2bc3dc3de8569983761d6

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
6e43fab0b1ce1507a28b03dc322acf74

SHA1
1d7b7b685cedfca19305d7d42d1eb07a9900dc76

SHA256
53c53153f3dd94b5bd0ddda661b5fb921deb323ae4fdaa18826d82b8514a0f45

SHA512
6b45383f73837edf3fcfc2775310814e471955b9d550446b46cbecfae6c0b318ea8cd84461eb42df7962bcebb4874568cfcde61f7a77c59aff647fcfff993ea6

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
af344663564acc8d79de314080d8ade0

SHA1
7d94c4a55f6e7a32292c9d2b730d7f6847efcc29

SHA256
7b7eace26de275f8af21286e76a4c7e7d04555dde0e8d3f5603746939800f06f

SHA512
8447040dbdae5d73c28b65071fd9bd8f9252c4684c20343a388df7d320cc17f603f85808889d45b70221aa095db524f9be41834e5fbf0ee31232fa38471787bf

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
829a1c8b4db87365ab438c4b42b93fcb

SHA1
55ccc82558d784e759b7e9d2ec90918792e52943

SHA256
77151c7cb9eddc654762e6a836f899dd1d497998021969ead60f913594389624

SHA512
7452293d8858f5879d28c76634ec5890be67b53a5b64ccf034c91ae37892f486ed19db936885f647691c8ade6b031642874d25f26807b852120fab6118d3e2d3

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
3e50fd95d237383d9f11f55cb316aab2

SHA1
d7244de8fccbac0f1e681e532775ccb77198c567

SHA256
1abd022d96e854a9bd7b443391281cc0cbe1b69f100a28601da9743669c8e986

SHA512
01232639c13fdaacc0806f7dd34588f0c3795036c8c4aafeff2066dd0e03ac6b3d7aedc68b9156ab3e85f4ed5935c280e9f3a410e1fd2bac4d447b22a80e9706

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
5b71d6e979be85889ce6f6ee70aaaffa

SHA1
f06c3ac8a6cfda6b95bb0bdbbc1a9a14628e2919

SHA256
d9cda23ae3e41c2185e0a7d98757b0e5f76f8b5398070bf632cb1b958a79ae90

SHA512
d97ea53e9087a220c52110a0cbe30d5a4fbb2753e742b7789ed2b968a009ea61c5c9521b4e6121c4bf323aa90d231c82b116c8d3fed4ede1c49e72e28b85db24

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
9b62a29b81b3143610471efba4e99df4

SHA1
74b14d9a44177d6cdaa74c6686934c8d7e31a186

SHA256
f0505416419b3f9bfe42231688f75501eff3a1bb2f0026fd30f804265a182603

SHA512
9e5a0e57dda13a5ad4b34e387467a0862d06d370aab674c2c7958ea2493b4b1bfef86e47b0c1aeb1730f9129a883511941002fc2643473af1bbf452484909479

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
16e13576a568dc65d3c0a5fe26f69ad6

SHA1
fec2c7f14e04d33dece102d21f709adde149074f

SHA256
5ba01fd50e57bd014608ad6ddd4507dd513a68bd09a344f48101a5db9a9b6fa3

SHA512
ae3a2b13fc2252c0af7dd78e9d295a3af04e66431750041992e863a84bc37ad641f246f9fb2022abf36628ef9da8cb04a8c2c8370dfdde3c09f1cb0a45f76c53

Download Submit
memory/352-20-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/352-106-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/352-12-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/352-16-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/552-186-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/552-104-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/552-108-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/552-113-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/552-112-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/996-29-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/996-0-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/996-35-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/996-8-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/996-2-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1132-234-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1132-427-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1132-247-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/1516-47-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1516-46-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1516-53-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1516-140-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2708-411-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2708-220-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2708-230-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2956-469-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/2956-477-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3376-74-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/3376-82-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/3376-100-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/3376-103-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3376-76-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3440-123-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/3440-138-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3440-137-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/3440-131-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3440-120-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3616-193-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3616-209-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/3616-390-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4164-174-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4164-340-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4164-183-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/4384-58-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4384-67-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4384-70-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4384-72-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4384-59-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4752-229-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4752-149-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/4752-141-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4760-168-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4760-246-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/4760-158-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/5100-189-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/5100-379-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/5116-24-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/5116-23-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/5116-121-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/5116-40-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/5132-464-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/5132-455-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5136-429-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5136-437-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/5208-413-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5208-422-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/5208-428-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5296-318-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5296-341-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/5296-441-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5404-451-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/5404-442-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5732-380-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/5732-358-0x0000000140000000-0x00000001401E3000-memory.dmp

Filesize
1.9MB

Download
memory/5732-454-0x0000000140000000-0x00000001401E3000-memory.dmp

Filesize
1.9MB

Download
memory/6036-467-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/6036-392-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/6036-407-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download