bae1211c434b39ea6219026cfc9347ffa2ca5329468591223f9949198a0dd688

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
27/01/2024, 16:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
Size

5.5MB
MD5

59dd8c17f86f271ebab0ed04033b59bf
SHA1

c29c575b6aef9709bbf21204ac03b8f00d332154
SHA256

bae1211c434b39ea6219026cfc9347ffa2ca5329468591223f9949198a0dd688
SHA512

829dc492dff04caabeec916563f6809150fd9ef087859f8fa4780538f200c56c7f2e91abb4c6de51b92cef43918af1410a4c870a7d77fdce11baa7834be90d57
SSDEEP

49152:6EFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfM:wAI5pAdVJn9tbnR1VgBVmTw7izY0a

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4432	alg.exe
4492	DiagnosticsHub.StandardCollector.Service.exe
5068	fxssvc.exe
4660	elevation_service.exe
3492	elevation_service.exe
5076	maintenanceservice.exe
3128	msdtc.exe
4376	OSE.EXE
3796	PerceptionSimulationService.exe
2128	perfhost.exe
4320	locator.exe
4244	SensorDataService.exe
3700	snmptrap.exe
2880	spectrum.exe
4032	ssh-agent.exe
5328	TieringEngineService.exe
5560	AgentService.exe
5824	vds.exe
6000	vssvc.exe
6116	wbengine.exe
5252	WmiApSrv.exe
5412	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5e05db54c92b1ccd.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{6E55939B-E83A-4A23-9444-92FC9402812C}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cd26f20a4251da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002540d50d4251da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bda7010f4251da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000322fde0b4251da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005b537d0a4251da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
4656	chrome.exe
4656	chrome.exe
4676	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
4676	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
4676	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
4676	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
4676	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
4676	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
4676	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
4676	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
4676	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
4676	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
4676	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
4676	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
4676	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
4676	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
4676	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
4676	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
4676	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
4676	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
4676	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
4676	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
4676	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
4676	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
4676	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
4676	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
4676	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
4676	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
4676	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
4676	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
4676	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
4676	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
4676	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
4676	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
4676	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
4676	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
4676	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
4476	chrome.exe
4476	chrome.exe
4492	DiagnosticsHub.StandardCollector.Service.exe
4492	DiagnosticsHub.StandardCollector.Service.exe
4492	DiagnosticsHub.StandardCollector.Service.exe
4492	DiagnosticsHub.StandardCollector.Service.exe
4492	DiagnosticsHub.StandardCollector.Service.exe
4492	DiagnosticsHub.StandardCollector.Service.exe
4492	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	448	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
Token: SeAuditPrivilege	5068	fxssvc.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeRestorePrivilege	5328	TieringEngineService.exe
Token: SeManageVolumePrivilege	5328	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5560	AgentService.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeBackupPrivilege	6000	vssvc.exe
Token: SeRestorePrivilege	6000	vssvc.exe
Token: SeAuditPrivilege	6000	vssvc.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeBackupPrivilege	6116	wbengine.exe
Token: SeRestorePrivilege	6116	wbengine.exe
Token: SeSecurityPrivilege	6116	wbengine.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: 33	5412	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5412	SearchIndexer.exe
Token: SeShutdownPrivilege	4656	chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 448 wrote to memory of 4676	448	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe	87
PID 448 wrote to memory of 4676	448	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe	87
PID 448 wrote to memory of 4656	448	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe	91
PID 448 wrote to memory of 4656	448	2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe	91
PID 4656 wrote to memory of 2388	4656	chrome.exe	92
PID 4656 wrote to memory of 2388	4656	chrome.exe	92
PID 4656 wrote to memory of 3396	4656	chrome.exe	99
PID 4656 wrote to memory of 3396	4656	chrome.exe	99
PID 4656 wrote to memory of 3396	4656	chrome.exe	99
PID 4656 wrote to memory of 3396	4656	chrome.exe	99
PID 4656 wrote to memory of 3396	4656	chrome.exe	99
PID 4656 wrote to memory of 3396	4656	chrome.exe	99
PID 4656 wrote to memory of 3396	4656	chrome.exe	99
PID 4656 wrote to memory of 3396	4656	chrome.exe	99
PID 4656 wrote to memory of 3396	4656	chrome.exe	99
PID 4656 wrote to memory of 3396	4656	chrome.exe	99
PID 4656 wrote to memory of 3396	4656	chrome.exe	99
PID 4656 wrote to memory of 3396	4656	chrome.exe	99
PID 4656 wrote to memory of 3396	4656	chrome.exe	99
PID 4656 wrote to memory of 3396	4656	chrome.exe	99
PID 4656 wrote to memory of 3396	4656	chrome.exe	99
PID 4656 wrote to memory of 3396	4656	chrome.exe	99
PID 4656 wrote to memory of 3396	4656	chrome.exe	99
PID 4656 wrote to memory of 3396	4656	chrome.exe	99
PID 4656 wrote to memory of 3396	4656	chrome.exe	99
PID 4656 wrote to memory of 3396	4656	chrome.exe	99
PID 4656 wrote to memory of 3396	4656	chrome.exe	99
PID 4656 wrote to memory of 3396	4656	chrome.exe	99
PID 4656 wrote to memory of 3396	4656	chrome.exe	99
PID 4656 wrote to memory of 3396	4656	chrome.exe	99
PID 4656 wrote to memory of 3396	4656	chrome.exe	99
PID 4656 wrote to memory of 3396	4656	chrome.exe	99
PID 4656 wrote to memory of 3396	4656	chrome.exe	99
PID 4656 wrote to memory of 3396	4656	chrome.exe	99
PID 4656 wrote to memory of 3396	4656	chrome.exe	99
PID 4656 wrote to memory of 3396	4656	chrome.exe	99
PID 4656 wrote to memory of 3396	4656	chrome.exe	99
PID 4656 wrote to memory of 3396	4656	chrome.exe	99
PID 4656 wrote to memory of 3396	4656	chrome.exe	99
PID 4656 wrote to memory of 3396	4656	chrome.exe	99
PID 4656 wrote to memory of 3396	4656	chrome.exe	99
PID 4656 wrote to memory of 3396	4656	chrome.exe	99
PID 4656 wrote to memory of 3396	4656	chrome.exe	99
PID 4656 wrote to memory of 3396	4656	chrome.exe	99
PID 4656 wrote to memory of 4520	4656	chrome.exe	101
PID 4656 wrote to memory of 4520	4656	chrome.exe	101
PID 4656 wrote to memory of 1376	4656	chrome.exe	100
PID 4656 wrote to memory of 1376	4656	chrome.exe	100
PID 4656 wrote to memory of 1376	4656	chrome.exe	100
PID 4656 wrote to memory of 1376	4656	chrome.exe	100
PID 4656 wrote to memory of 1376	4656	chrome.exe	100
PID 4656 wrote to memory of 1376	4656	chrome.exe	100
PID 4656 wrote to memory of 1376	4656	chrome.exe	100
PID 4656 wrote to memory of 1376	4656	chrome.exe	100
PID 4656 wrote to memory of 1376	4656	chrome.exe	100
PID 4656 wrote to memory of 1376	4656	chrome.exe	100
PID 4656 wrote to memory of 1376	4656	chrome.exe	100
PID 4656 wrote to memory of 1376	4656	chrome.exe	100
PID 4656 wrote to memory of 1376	4656	chrome.exe	100
PID 4656 wrote to memory of 1376	4656	chrome.exe	100
PID 4656 wrote to memory of 1376	4656	chrome.exe	100
PID 4656 wrote to memory of 1376	4656	chrome.exe	100
PID 4656 wrote to memory of 1376	4656	chrome.exe	100
PID 4656 wrote to memory of 1376	4656	chrome.exe	100

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:448
- C:\Users\Admin\AppData\Local\Temp\2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-01-27_59dd8c17f86f271ebab0ed04033b59bf_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2dc,0x2e0,0x2ec,0x2e8,0x2f0,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4656
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc9dc39758,0x7ffc9dc39768,0x7ffc9dc39778
    3⤵
    PID:2388
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1800 --field-trial-handle=1888,i,7949173476045429306,12785465194493209256,131072 /prefetch:2
    3⤵
    PID:3396
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2100 --field-trial-handle=1888,i,7949173476045429306,12785465194493209256,131072 /prefetch:8
    3⤵
    PID:1376
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1888,i,7949173476045429306,12785465194493209256,131072 /prefetch:8
    3⤵
    PID:4520
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3040 --field-trial-handle=1888,i,7949173476045429306,12785465194493209256,131072 /prefetch:1
    3⤵
    PID:4268
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3024 --field-trial-handle=1888,i,7949173476045429306,12785465194493209256,131072 /prefetch:1
    3⤵
    PID:312
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4432 --field-trial-handle=1888,i,7949173476045429306,12785465194493209256,131072 /prefetch:8
    3⤵
    PID:1500
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3900 --field-trial-handle=1888,i,7949173476045429306,12785465194493209256,131072 /prefetch:1
    3⤵
    PID:4684
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4964 --field-trial-handle=1888,i,7949173476045429306,12785465194493209256,131072 /prefetch:8
    3⤵
    PID:808
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4776 --field-trial-handle=1888,i,7949173476045429306,12785465194493209256,131072 /prefetch:8
    3⤵
    PID:3196
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 --field-trial-handle=1888,i,7949173476045429306,12785465194493209256,131072 /prefetch:8
    3⤵
    PID:2200
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5308 --field-trial-handle=1888,i,7949173476045429306,12785465194493209256,131072 /prefetch:8
    3⤵
    PID:4392
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:3952
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff65df27688,0x7ff65df27698,0x7ff65df276a8
      4⤵
      PID:4888
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      PID:5192
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff65df27688,0x7ff65df27698,0x7ff65df276a8
        5⤵
        
        PID:5244
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 --field-trial-handle=1888,i,7949173476045429306,12785465194493209256,131072 /prefetch:8
    3⤵
    PID:5456
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5116 --field-trial-handle=1888,i,7949173476045429306,12785465194493209256,131072 /prefetch:8
    3⤵
    PID:5464
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4884 --field-trial-handle=1888,i,7949173476045429306,12785465194493209256,131072 /prefetch:8
    3⤵
    PID:5552
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4596 --field-trial-handle=1888,i,7949173476045429306,12785465194493209256,131072 /prefetch:8
    3⤵
    PID:6008
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5568 --field-trial-handle=1888,i,7949173476045429306,12785465194493209256,131072 /prefetch:1
    3⤵
    PID:5040
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1872 --field-trial-handle=1888,i,7949173476045429306,12785465194493209256,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4476

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4432

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4492

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1448

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5068

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4660

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3492

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5076

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3128

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4376

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3796

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2128

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4320

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4244

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3700

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2880

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4336

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5328

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5560

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5824

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6000

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6116

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5252

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5412
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2444
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
51110955318b183d12598f96e1a4ed6d

SHA1
3a17635ad20ee32191b6234d5ad116915a7ed134

SHA256
26c7636355fdffd27900a9af28cc07590fde425a517ba8a148d3bfcb48b39e8a

SHA512
01cd459b379d6307332f72557d932ca11221cabda5ae76ed60bdbf784507f6160b9efc934975184ce769701742fa483c98929d2c00ccaeaf041d1bb571e97ae6

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
a6becde42a62305873b15348acc85dca

SHA1
ee6d956ab6fa42af349fe531097b4afd5d77bcb2

SHA256
148bd8e8a380bbfba76eb783ff78a39db6ec39a02cfe15c3521292b0d19efac4

SHA512
c7022b16a4922e0d127d615f9122cb400fae4c664e5cbfd05e66a4dd9f82e2fa17088d966870c1846b84f5b1c038398d1511a2c90eed6992749004a9f9e9e1c2

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
cd884d841c335fddcec70e4679a1b3ba

SHA1
09db8b30e4bf3eefabf8e82bf16ec9ab0205195b

SHA256
e6ecd8cf2681737f1a2af5a1c362488809bf0f8235ce870bca9faee7d3e66820

SHA512
4b1f517445ec37d355b0af0fc9c8e780b06d7ac66a599882bb24e5a79bee4f014cf67570397ad2855b2d09953c88c7add689489f1f84dca4bfa941542ec2e808

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
4337e16e52433a57134ec5edeb29f87f

SHA1
4ccead43fba9ffe64f0d965367b8bced896ee7b2

SHA256
fabe6bae7c00b3639790d0e9ae8eb2aadb99c7ec1da5d1699b99d4e56b7a4546

SHA512
f9ca2c9c5c496de2161990ad0c75cdaf7f47bf612eebcedd125bd34d77d88488601126a89b2813f8f65bc5fe0419d2a2d992c4829466ed99ff31337a246deb4f

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a00dca365ded876ceb44f6130c5290e6

SHA1
f0a8894972313ff97cf96959ee62610a9d888ca7

SHA256
e7a04dcfc4b5efbd067699f43c2c7c5889845412cc907e66e72bcf1f7309cea2

SHA512
1caca86e6e5b7dbb187274cb3d7691335bde5f47fa788f3705284b138136d89cbdf346127ee025017aca65e7f040de5e59cdf4febaefe9d3040a31fd554666ba

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
0ba74363bcc50280ea59ad7d8e26cb7f

SHA1
37b2debf544dd2a8ecc5a3ca872eefeed2cd4095

SHA256
5f92e7abc47ac8e740cac6e6350b1ef10c8b5f36529470122f6c07858d8a55d8

SHA512
07b0f16e5a7666885851d81b47c30a798d5da7b81003982560ecf48eb222eab1c5da69c68028d38cedcae5c7a2994acc31b89f4f9833ca228507d4cea3ebab1c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
47d2f8ad49b1d183816c342dcfd6178a

SHA1
72699c15ef21563dd0af8d59c25c2fac1aef31a9

SHA256
af921e902f2c5501de16badad5113ace5a7b6525714ed1bfecc32bf1af17c182

SHA512
c05fb225b863a074147bc83da8f3b7460830413ce97e2d7e7c5dc8dc4f4d9bb6499dbfe5392081e2f68d9e4a8cf5b18d89336d611f5b989a70cd931a1950b0cc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
f7dd4db01163336cc0768e7f79f93a4c

SHA1
0c9a0ad798ef244d1c183027712718edc8161630

SHA256
5064fda0636f521c6da96ff1ab817822e759f7ff8ecef2bd86184c2005752a7b

SHA512
386a51231281784e52fe2fdc95ab9882cef442bcaf0af048556c0a7143f7cfdf2ab472833f25fe10eff9b8266d92dc18d0ee55aac256d08c276d6f85d94bb473

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
08a210220e5dfbee9739c90106924fca

SHA1
0ee591038215f1ba5da90beb69c694e61e3fe87c

SHA256
5f535253c0f40bfabfe44058164ee2d9fa76f35f52d46096e2e075a1b6dc8e36

SHA512
326de3b5f64151ae0712b52d329b3edcb49cc78b98aeff720a4195b26d41b481c2fabdfe4c5ad9ece76d0181e22dc035e69d3ccfd1046b2b191628a1479cfa51

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
a29647fcacf655afa18f379c1e6e348e

SHA1
a7464ab599cf8f58666b0ef98e3e621ee4e20261

SHA256
5b58d22e17a025e30d7b4db331569d83f85954a40ce93cee218267b89d3a2c02

SHA512
724afa550d8aa49bfcab4b26cb91b4eda66cac3e87ebb68701e2e57b0aeb5a16d4f82ea464dd1a5dc1d60bd58a54e2db2e2facc1b49887764d215a93292fd251

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d86c7c2fde3fbc72a0524498a11746c2

SHA1
9354f88209fbbbc6cf11893db7919f6b0b59e224

SHA256
e122c2c74bc46c6931a35e28e816c82e3be8883111131ded4632fc0af031fc4c

SHA512
51b30ebaa8a890f80c67d2903fde7a34a1390abcc2cf754ad5c8281d1ca4973d55a3562301e901647af39ac29ecfe863e6ba8d4fe5103ed4134e8b4eb439fa64

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
258dbaa8f9a7b3891911355a0b1fab11

SHA1
f622eb6a0db9cd9ad958b82d782b13f4f8d75aab

SHA256
d47a29ba6371b28a909bbaebc1422566a60a517d3be6a659718d92c69e986fe1

SHA512
dda027964e1ab1987e8f3ade7cedfcb84042e81351a78a4dd640e7efd3952f1f85384179b12f35547bacc370820b60bae5d27293ee7b52543cbd77646351ee97

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
1.9MB

MD5
5d22ef2da6b8dc003dbb2d3a29709420

SHA1
1ede2ed68b86e0e9f495721430a936f48515fb42

SHA256
2354d439ca325b1805325d24ac9e244de2bc618e680e4071381290a2fb02e6f3

SHA512
9885a34d8f07630fe0523b01f2bfb1adff42d4af437f9840839f42881baf39ae26021d44e5e8dcf2d287f0738536a87f746b13405a3e790cb635e3386bc16ca6

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
bab230939991f1c18f292529d96580e3

SHA1
4335b14947aeef422f5ea8704c86e1a5f2063305

SHA256
7e6d170f123b37c370459b0468818136d2a68742474b86181bf714e0790a1513

SHA512
faffa7287afbb91716c269040be783f1f70181a71a73bee9ecbee79d4c45c5355ba41e48a281ea0e648aa19eb6bf7c677cae37c32f36027343f33e8617fb81e8

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\20240127165719.pma

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
be85b37403db4266e69df8c7198085a7

SHA1
db96628b1a46b557411ec8e92f62d7f0f7a2163d

SHA256
f5fd644cc1eb3706188d9f3c1c641a407a1050e7656de2ca2ca4c9e99141292f

SHA512
e1c4f3fe798d6dd24382d1b579dbf05849a3fceb33b099d6a882b205f995cbac9a6c614ecdaf96e29ecc4712440fcd7a66b999b057fd01b16acfb686c86acc44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
8ae25b226e0662d256cdb32f2777f840

SHA1
39594f82a6dd98b6e4a341648cd56e9efc6aa16e

SHA256
935b4cba7114f9adb0c7ae6acbc8903ec672ae318ac63c5d5e5edf857b4db207

SHA512
e529649b71c7a7fccaabc2833af3cbfc9bb15b66cc5735fc95a2bd741c502bd11af05853946d045a49d823e3f6899523d050fe7d33c485af5abccc8e2ca02e8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\4e4c1e83-eb6e-47fc-ace6-5a2271f07c3f.tmp

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
10f3aa00f5086f396641b4839be6dab5

SHA1
7b89e5070d2eea168fa9b057ab3969a6985a3dfa

SHA256
70824791ae20cb04ab1f961d35d718981cc22a3de69c6563085ef805498f043c

SHA512
6ca0cff89e9950d0109d7c3a792a80afa705e1676e2dea9e7783d7bbe7e7102baa3e49200eb08cda95b8beaf982b4bfe26593bc4fece8a2a443e079efa053d19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
5dd9bd008e37e3fca1e32d4338e30e8d

SHA1
a57c329a51f9672d45fb28270d01a5685ecddafc

SHA256
205d24fe81a0de6905f735c7888d00060c83136506608a822a5934fcc707b99c

SHA512
7fea856391a6627130aeb85d475786d1612ae2837ed3cc2db97a32b4e5b1518470d83d7f012183907e6d2035a1956f82f3b97298b557cb39c5d7baa233f8169b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
168ddf607e60c6013190375a09f3e992

SHA1
e062fd74a69a726763c9c0e9050b134c9e4e7f5c

SHA256
9147265134f6c148f1c084e00a4b2b32e39504cc2626e3637d998ad4ff56511a

SHA512
ddbfe3391abf05da1d05bab85f03fb04626a7237be6272979c011dcffe63767e1a98d2e95a72853b6959a4d64ce7f275b092680d95e88f64876c6edcb9d56e37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
a997e661d47c2afb94f1430cfd33253e

SHA1
982a48efbc95ad94a191c71d44a2c0f62f057370

SHA256
c3d5d1d3323093512de8de0ee79e4c711a601159a7b8c749430db48abe7fddd8

SHA512
5404ac2497bb8b43016096a2584745b115c4fa743cb55a2347858651cb4b3bf234aa31cb745a224298b122e1c0ef38234a7014dbf33c5fc7c95e6e16f0bbc09b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
aea21e86cfb3009c0c68b46d62d033a7

SHA1
aa70fee61ffc2fc0f327cf850b556c185b69e1a5

SHA256
ae2f0eeb7dfd7ffa9c803c91bff126ab6e468820d683983ba14133d079e8d6b8

SHA512
025023c33b18b0a2bc007e3d17d2a9c9804b2edd3d99deb75606f8664de6ab3eeeef10e7692b936b41a34aa524f884a6bad07938a7f292059b5b65c40eb939be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe58468a.TMP

Filesize
2KB

MD5
d6503f5e16a8bf2a8f64f5ab2205b728

SHA1
6c0b1af9431e1e6438e0ed4d53095c0c80295489

SHA256
52c98a5c128ede84b7f56b888d2b86e010f1bff308c5943274adf2ab3cb2b305

SHA512
0653c860cbe62e788da7de581abbbc4eab31b682f9ef7f8ed0fc42746af7f45ef7f67d35d01d1c203c7e1fe275fdee1a45c5ef9bc5ac93fe62b8a2069f51d790

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
13KB

MD5
dc48ab3b82c4c6c5a858dda9389c51e2

SHA1
1ac1f5ef88acf07c3573262e69b27269fbc32033

SHA256
47641674c2d80fe399c726482b71b38a0811a4e8f31948fab0847fdb371ddb63

SHA512
e5f01cfcb0959feac309dc9a21b6f015b78d99ba3c44761d50b6286d19f41f544af394911c70f55eaeae78b70a3d7b9478d5a4ff13cd5f6bd3cbd8e79ea46d9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
10KB

MD5
f8ecb9a4cf108cee1265f8ad956e2171

SHA1
6a14bdafa08b70f5eb6bf080e2a9ee9597340576

SHA256
b09d543ecd1f60289bbc17e7e9ed7d3bfbdd414764dd61cadce1b076c0737d92

SHA512
fa8c506ebf88380a6c8a2309d8c5febdfb7035217036bbef8d305e974eb16cc94041555a024228c2eb803be7ff0904c7db1ae697faacfd020ff5f12ccc87c2fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
0f5d8efcd19fd3ef971d072b468b62e4

SHA1
f8a56155ea1e80c7e531314287bccd4ef5e44fc6

SHA256
3bf2478f2a07fcfac8704e0df2cd8b434d34009739074b512d903607bed8cf71

SHA512
c14eb35840ea8cc3b1f8058f84b69a8c95269aadc03fcc0fc1f455afa8fc5d17b1809d9284a4f3fd708e2e2f949020c459a306360d6634b79d90f631f064b24e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
905c5a02f2f5fdd1009058f28fc3ca51

SHA1
a00b2afd5e34fa916f787da5d5bdecaa1a81849c

SHA256
92fa36d086fbc0a9af17df6e66cafaaeb7fbe70d0c2023e9b2d64ee4da1cf0b1

SHA512
3b5dc0212ca8ffcb9fcf3439d3cf3d222a7cd73e7595d506c3cbf76d0d863d58975c23df2f4ae88878f6c97c0200673608d30268a2776741e37530d03fc23358

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
6c16e83445181254c17842a6caf01ec7

SHA1
7587eb109b943b7adb03e0d4cbeddb3592090e9c

SHA256
e6b51e36106ed5aaeb9f1b8eea57722d4671ec3eee2793b0b31537a223593cd5

SHA512
8cb1e4f910f0fc57cb00ffbd158894bc0eabde078949822291bceaf6ccc5cdc677079886e404001e370a0ac97ed1225a9ce1ecec34a1eadfc3a55d7900491b0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4656_310137505\5af80bb4-e1f0-400d-a8bf-334ebbaf10c3.tmp

Filesize
88KB

MD5
2cc86b681f2cd1d9f095584fd3153a61

SHA1
2a0ac7262fb88908a453bc125c5c3fc72b8d490e

SHA256
d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c

SHA512
14ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4656_310137505\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Roaming\5e05db54c92b1ccd.bin

Filesize
12KB

MD5
80793bede68a94b120febf0885833482

SHA1
95ba4de621b87714bdfb4fbcc87558b13c1bb3c5

SHA256
8530abc8135f2f906f30e7156bda0b97e31b69bfa26f986ada93ad22c78d5a5a

SHA512
66d027c3f36058505aca8b48b8a14deb594dcb22699ca98c26b9eeefdd0227f53952147926341d967a67dc175bdfc66ac80659148a5ce16376c0fdf26b77c006

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
ece59688385cbf6ade0b61172bea61b4

SHA1
58154555ce8b2362fec2b17c746bb6fec89cd083

SHA256
ecf5994eeb94e38c74ce9242a637f7311196bbdadf117b616b14a0c008788e54

SHA512
3a0a4a0aa0608d83b9e5a1032f92039c358c5e9dc836fdf6565498885d8632bbc12a3929d6eca2eaaf06a3a01188197a0e4ed9401b259129c2f2bfdc9fa6bda6

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
1ee519928408c8602ffb9ee7f554e3f9

SHA1
7b6c19600e2ca73f654658598b8b540e92b83c83

SHA256
0f03577c450e92d66cdc4113b7d6f781659c25ffd63849b2d5970b1781f599aa

SHA512
7abb543d09e85f29f8987a949b34e5739c0aa547c43a2db6735faa33f7af087ff820d195f1075d6bfa3fd629bb25f506a0ccac3571ed17dde3b91e6b042b5f37

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
92aec9f7db0fca9e127576626f6404ad

SHA1
1316eee177917d98771edb34ee3f00487d5acc57

SHA256
944f03586089dcc1210fdfebfbe77d549a8fc677e3fea4d65eb7792782ee94d2

SHA512
bd751e65881d3796a36a785d5d81b89f1f1bb2e2dcccd63e94213a1c67e60c036be60442d9d71619690ba8842e81623d9a16887bc397b79c39a69448d6d5e1a3

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
f3e9f7fa0472aeeab3a330069b5801cb

SHA1
7cc13a4fe3e352e1f473f196e745ab2170b6d2f3

SHA256
3225b1f65b7202b2d28e18f9806de26795d6b0a9f8b38307ed40f86edafe58f4

SHA512
4a38583ddd4f3d0d1295940f2263dded469fbe6c792d3c538452dcd7223b26bca77d6cf63182c5dcee4567c22768ea224d42c445e7f89fd039813612d280d6e8

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
18b5558814a1b3ef922ca1e97c773eec

SHA1
e41d6dbff53c3c2fae6a25de38cdef4dd8533c27

SHA256
cc5ba949ae0a5196e1524a4cc696a96c0a6c1b6c4d1c21e9916b622f94bc8578

SHA512
a9780ebdd71ef52593964711ed7c6ca3cae438744e837804963e026120ded488fc68a9153c8507ed94bf5f1e7b54b2ac2aaf4064912b85eb1a61d6f4bf0479b3

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
545125d6c8ec15d589d162d8742b6ef6

SHA1
7894b6ffd36e9eade8c9846f2addbbac1a05e7f9

SHA256
4d65829d987d9d91a084b6303dd18a4dd36c3b1dcd5f67d32e66d8c131482880

SHA512
e3748f27da9a1b35cbb11c18a0f515a3bc79e606df31f5818fa0e3866ff9053bf001b9a74e7f9bd721fb108dc86bd1a95786ccfdd00e8a7f3257895a1937c8e0

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
f31b6fb4fdd90b529dd39da08d7ddd10

SHA1
8be7c05dc43aa7d163f20baefdc5e0d368dc84d8

SHA256
c908a412378fd2a710b64239c172ca59b7cf3cecc164c8a0074b45039588d772

SHA512
d72cbe1a57941a7e6738fcf91ea63f889a4fea5981a5ad6cfe78587652b09682984d8e335c6cd0777cb0b98c963178a736de3eb2e3733d6bb9b21515bbfa6830

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
6e083cd5730af162a02bad9ad860a95d

SHA1
6e71eeaee41af0cf1948ea23e52c2ba18a02c2b5

SHA256
bf1a0555ba34603a99e4bb9ca8438495eca142ad7bead9197e284aa75e7d337a

SHA512
f84f01819d7b0add98b7e1f60d30cbc2a440e4512ff17cfdd470f3c58ea685f452de6c970009be8098c99fed1bf153d352898e60ca1759c7d44be8d42d74d082

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
8d40b7cfed6b7b3ce2e74bcbb608e33e

SHA1
dfbdce50c634b8b37fc6525e7f8882248885dc4e

SHA256
633b9b0aeb90acef260021b43c25f4dcb44bb52ab40638e2ad29ce3d9c3bf333

SHA512
9480f676c878819ea39d84e295ecc6145af9abbb567b0d029bb2b1eb0550fdb2c5f1990527723b5040a5e5dcfb6f58b66ef77282d7e4bd44f902222be2a3e5fb

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
bb728dee32cb2cf95a36e282684b618f

SHA1
de044e5cff38764d3860221903e3d6ca1aef7504

SHA256
837ad90e199eca6890dd5cd0c25ec26febadd4b1ab1016fa477dc1610bae2237

SHA512
9aed3ae83d59372d20ebef2f555539c5d743bc671b1bf2a83cb95ad799135d2b65cc8224192b3c0a84288cee412bda72da205b39d8f663d7bd30cfefbd643147

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
7d241ed55bbad3a732f07d810f972490

SHA1
741ec2e22cf1ffb2103dcf8e5a2a18212a2db591

SHA256
20cb0b306a9eaa83d042d35df9ac24f7d4870915dcd414466cfc3b4642b4e5ef

SHA512
072149554d42aa6f0ffe2caa2bf4c8f4f6b55a9b2b28804d450d916e74430122091985bd162423d6b617a16a12bcfff69a2ab0e4062aea646a45d15272ea58a1

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
b63bbde89fac5486da2d8fd654183bf5

SHA1
6a04b6ddf4fdbff05098e78b365f1769310af384

SHA256
dfe7ab91275eed7089d4769cec2ca81c3e07eaebb9eaa813f838eaf5dc75a643

SHA512
981a685a41c54d72c6ac0bd7c151379ec127ff770755905eda74138e1f1e1f7d8bf605ac874cb335a585097208180153dc205909fce0d24f18dac2e854758bac

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
7f83c392b110271a633deaf2cd216e70

SHA1
27952cb601419d09d2e1d31f95047d74229b5941

SHA256
e9ad10a6d5848f84b4d5b89cf4f477c49e3580b413384d7c2490fefa593425a8

SHA512
5d5f42e2a1164bd6fa5b43fd7470f963b62641c78accca0f65b8452d59e6b2b05b6b58364b9c139423b5bddd8595b55665a816019590d6d4b7158b9ce0129973

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
f427e6fd49cff310f89d2f2e0cd0c9e4

SHA1
888108d2d305c0cf02145e68ba80729b4fa8d7e0

SHA256
e66c560f22fa32451f25977df69ed6b8af3e441ddc6376ffaa18323a0f2281ca

SHA512
28996e0371c9338eac9af4245fc5dc958fe0cea20234a03b61c6f12d7ba373c83b9343901a8273492642515ff6229ea0f158f3f8d86248e761f7279834772dba

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
878d8cdfbd55c7f9d4860e7173a1595e

SHA1
b916828fe5eb5e9544f5d6c3ea7df8f68c941bdc

SHA256
d8336e2a1131ed157936d564b42f224fba2464a70d33378a465a05045da7ffcc

SHA512
b7cce273821517af1b4a157cd2dab5245552cbb99e8683cc446a231e61b399d153c61727ae678442dd1511a78e189d2aa5a10e5d481139a40899972b03d31251

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
c57beafdda5f6a5c5ad37c068649e6ad

SHA1
9931ee5c9449e35a3678ee22e292f75c6adc4b8f

SHA256
39c03be34743b8ae565cf0ede87cb66791cbb9cd502067efc14403eef98bb768

SHA512
ec7df4889e89ec08f3574c8e11fe11ce7cf31e4f695d860b8f1188d61f70a3e8d3b27697038870e838373957e768fd6ff3a50b218af1157670ee3f05343c02f7

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
17fffd346099de816d475e1c3fc11419

SHA1
7739b37e143e923b7f74f98ffe20ac551d287a0b

SHA256
095f5d85971dfe9e2c9b71273a0b359214960b14481d99989b609b017a3053a7

SHA512
26ff55030cd419908950e9724addeafd711405e15c122effe020b399dd7bfc9d2bd43a938749254802a513acfd4485be4d7626396b70d72b12f562b7d5b69b50

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
0a505a0df72a479ae2a192f52d9c8f28

SHA1
23c96c7a67e395f6406fa0c7934fdc8f945f870c

SHA256
70e21abd17bdeb611a339d097da55bbc69e7693dad5fcfac03b97b9948092339

SHA512
4fc2a97df3f622db81a516180a3197ebbd526209945684a8db38da9de147f367ae596b85fee152924af40b426c9eb088cfb20e4d5cbc972fe3850deb2a7a9efd

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
af344663564acc8d79de314080d8ade0

SHA1
7d94c4a55f6e7a32292c9d2b730d7f6847efcc29

SHA256
7b7eace26de275f8af21286e76a4c7e7d04555dde0e8d3f5603746939800f06f

SHA512
8447040dbdae5d73c28b65071fd9bd8f9252c4684c20343a388df7d320cc17f603f85808889d45b70221aa095db524f9be41834e5fbf0ee31232fa38471787bf

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
b45d9ccd15d0ad30e69e1beccfaa1ca7

SHA1
08065ad76219538eaa4953b098ab43725cbb0c38

SHA256
4ab5db9d8b04c83e48b70acd8b7e71a2b9a567d3a0168c085442fb0fb66bc292

SHA512
052eb369c6e93bfda8f7dfe859875bf0408cc9ae226e2c84ffadc119667c3367b9ba5b306d54b67a98d07d1f3fa50a5cfe5a76bcacb66b7fa105e8cb71651b72

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
da7a0a6e18071745fdd922a21fbce18a

SHA1
e4b3facb0f6638b7350bc9ec2c032ebe2837812b

SHA256
42079dc36ad46faad8c8d957fad7633759f8df3233b666e160ae051049cf1902

SHA512
e4b3bad9667140b965596af44ba3881ba4f2d771bbaa2ada8dad9ab339c78e0ebf42d41086578e1aecbf32441e719cb2dff2ee13a45906b16582c2aeee755b08

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
9e1ccd6deca4746c7396a833eadd8302

SHA1
4cd7101b9b2335dbd5d6121e54c2c425c756e9c4

SHA256
be4de2c659c19d9352f587576ef91d010dfc5404c8b6627acac4276a8169c065

SHA512
5ce1f9b23d3956e3ede47550b7491695d14ee2642b0d091a7bde5168e679e25efef91ce57782dc7b990cfeff20391d54d06b6d0bc1eebc4f0e99e8fed43d3e35

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
94df9dc5e56e93d2e841223340ae33ce

SHA1
72635b5fb3702b5b80275529d17fd3746f90e677

SHA256
e95c5f5be941e68db6c20c32b4f960cd0811b791dc8fe02cac332dbbd8bc043a

SHA512
e8ed8e693764d146ecbc2ed579f2ca0611f3690d3b1a5cfea26306323b71cc08fce38d6c502eb11c57c2bbb3e4c9c90d4852d8f3d18a29d0ec7a54b8c9843413

Download Submit
memory/264-931-0x00000256838E0000-0x00000256838F0000-memory.dmp

Filesize
64KB

Download
memory/264-922-0x00000256838E0000-0x00000256838F0000-memory.dmp

Filesize
64KB

Download
memory/264-928-0x00000256838E0000-0x00000256838F0000-memory.dmp

Filesize
64KB

Download
memory/264-918-0x00000256838E0000-0x00000256838F0000-memory.dmp

Filesize
64KB

Download
memory/264-914-0x00000256838E0000-0x00000256838F0000-memory.dmp

Filesize
64KB

Download
memory/264-912-0x00000256838F0000-0x0000025683900000-memory.dmp

Filesize
64KB

Download
memory/264-933-0x00000256838E0000-0x00000256838F0000-memory.dmp

Filesize
64KB

Download
memory/264-911-0x00000256838E0000-0x00000256838F0000-memory.dmp

Filesize
64KB

Download
memory/448-28-0x00000000021D0000-0x0000000002230000-memory.dmp

Filesize
384KB

Download
memory/448-35-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/448-3-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/448-0-0x00000000021D0000-0x0000000002230000-memory.dmp

Filesize
384KB

Download
memory/448-7-0x00000000021D0000-0x0000000002230000-memory.dmp

Filesize
384KB

Download
memory/2128-164-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/2128-253-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2128-150-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2128-326-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/2880-209-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2880-372-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2880-185-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3128-112-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3492-65-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3492-66-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3492-149-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3492-72-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3700-182-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3700-361-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3796-236-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3796-135-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3796-142-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3796-227-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4032-228-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/4032-214-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4032-518-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4244-515-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4244-345-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4244-177-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4320-174-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4376-116-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4376-117-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4376-206-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4376-126-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4432-20-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4432-75-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4492-41-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4492-109-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4492-26-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4492-27-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4660-59-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4660-114-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4660-120-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4660-51-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4676-13-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4676-19-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4676-74-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4676-11-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/5068-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5068-47-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5076-78-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/5076-106-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/5076-104-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/5076-79-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/5076-89-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/5252-362-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5252-728-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5328-685-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5328-237-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5412-733-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5412-373-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5560-282-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5560-689-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5824-339-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5824-695-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/6000-342-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/6000-699-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/6116-346-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/6116-723-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download