77f29ccb85d1011cd3b49d65d8a758942f8f2813eb38d0fceede6bdc482d9883

Analysis

max time kernel
151s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2024, 07:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
Size

5.5MB
MD5

a0de8acd78850af8bd564e2fa01ffff3
SHA1

16c23984711a3762ecb7e28bce0fb5e3e92e714f
SHA256

77f29ccb85d1011cd3b49d65d8a758942f8f2813eb38d0fceede6bdc482d9883
SHA512

5859f01a8b039c373aecd2ac2a7d6acc1c40987125bd113bade794b267dcad3fa8875df45efe97bc0809ede3df95fa9b3319d2db16782054214390f05a51c57c
SSDEEP

49152:JEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfg:dAI5pAdVJn9tbnR1VgBVmmqo4w

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 21 IoCs

pid	Process
1200	alg.exe
1924	DiagnosticsHub.StandardCollector.Service.exe
4176	fxssvc.exe
2632	elevation_service.exe
5284	maintenanceservice.exe
5476	msdtc.exe
6100	OSE.EXE
5316	PerceptionSimulationService.exe
5128	perfhost.exe
5736	locator.exe
6052	SensorDataService.exe
5668	snmptrap.exe
6024	spectrum.exe
5576	ssh-agent.exe
5644	TieringEngineService.exe
5616	AgentService.exe
2304	vds.exe
6020	vssvc.exe
5184	wbengine.exe
6160	WmiApSrv.exe
6300	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8833ba78b3e2edcd.bin	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\java.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001edcbbe7d16eda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007e17b7e7d16eda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000342e6de7d16eda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a95574e7d16eda01	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133540986090471309"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000488389ead16eda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000080571ae9d16eda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
3500	chrome.exe
3500	chrome.exe
2612	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
2612	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
2612	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
2612	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
2612	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
2612	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
2612	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
2612	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
2612	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
2612	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
2612	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
2612	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
2612	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
2612	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
2612	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
2612	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
2612	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
2612	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
2612	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
2612	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
2612	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
2612	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
2612	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
2612	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
2612	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
2612	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
2612	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
2612	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
2612	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
2612	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
2612	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
2612	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
2612	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
2612	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
2612	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
3280	chrome.exe
3280	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	996	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeAuditPrivilege	4176	fxssvc.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeShutdownPrivilege	3500	chrome.exe
Token: SeCreatePagefilePrivilege	3500	chrome.exe
Token: SeRestorePrivilege	5644	TieringEngineService.exe
Token: SeManageVolumePrivilege	5644	TieringEngineService.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 996 wrote to memory of 2612	996	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe	95
PID 996 wrote to memory of 2612	996	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe	95
PID 996 wrote to memory of 3500	996	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe	96
PID 996 wrote to memory of 3500	996	2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe	96
PID 3500 wrote to memory of 1568	3500	chrome.exe	97
PID 3500 wrote to memory of 1568	3500	chrome.exe	97
PID 3500 wrote to memory of 4408	3500	chrome.exe	104
PID 3500 wrote to memory of 4408	3500	chrome.exe	104
PID 3500 wrote to memory of 4408	3500	chrome.exe	104
PID 3500 wrote to memory of 4408	3500	chrome.exe	104
PID 3500 wrote to memory of 4408	3500	chrome.exe	104
PID 3500 wrote to memory of 4408	3500	chrome.exe	104
PID 3500 wrote to memory of 4408	3500	chrome.exe	104
PID 3500 wrote to memory of 4408	3500	chrome.exe	104
PID 3500 wrote to memory of 4408	3500	chrome.exe	104
PID 3500 wrote to memory of 4408	3500	chrome.exe	104
PID 3500 wrote to memory of 4408	3500	chrome.exe	104
PID 3500 wrote to memory of 4408	3500	chrome.exe	104
PID 3500 wrote to memory of 4408	3500	chrome.exe	104
PID 3500 wrote to memory of 4408	3500	chrome.exe	104
PID 3500 wrote to memory of 4408	3500	chrome.exe	104
PID 3500 wrote to memory of 4408	3500	chrome.exe	104
PID 3500 wrote to memory of 4408	3500	chrome.exe	104
PID 3500 wrote to memory of 4408	3500	chrome.exe	104
PID 3500 wrote to memory of 4408	3500	chrome.exe	104
PID 3500 wrote to memory of 4408	3500	chrome.exe	104
PID 3500 wrote to memory of 4408	3500	chrome.exe	104
PID 3500 wrote to memory of 4408	3500	chrome.exe	104
PID 3500 wrote to memory of 4408	3500	chrome.exe	104
PID 3500 wrote to memory of 4408	3500	chrome.exe	104
PID 3500 wrote to memory of 4408	3500	chrome.exe	104
PID 3500 wrote to memory of 4408	3500	chrome.exe	104
PID 3500 wrote to memory of 4408	3500	chrome.exe	104
PID 3500 wrote to memory of 4408	3500	chrome.exe	104
PID 3500 wrote to memory of 4408	3500	chrome.exe	104
PID 3500 wrote to memory of 4408	3500	chrome.exe	104
PID 3500 wrote to memory of 4408	3500	chrome.exe	104
PID 3500 wrote to memory of 4408	3500	chrome.exe	104
PID 3500 wrote to memory of 4408	3500	chrome.exe	104
PID 3500 wrote to memory of 4408	3500	chrome.exe	104
PID 3500 wrote to memory of 4408	3500	chrome.exe	104
PID 3500 wrote to memory of 4408	3500	chrome.exe	104
PID 3500 wrote to memory of 4408	3500	chrome.exe	104
PID 3500 wrote to memory of 4408	3500	chrome.exe	104
PID 3500 wrote to memory of 1756	3500	chrome.exe	105
PID 3500 wrote to memory of 1756	3500	chrome.exe	105
PID 3500 wrote to memory of 3548	3500	chrome.exe	106
PID 3500 wrote to memory of 3548	3500	chrome.exe	106
PID 3500 wrote to memory of 3548	3500	chrome.exe	106
PID 3500 wrote to memory of 3548	3500	chrome.exe	106
PID 3500 wrote to memory of 3548	3500	chrome.exe	106
PID 3500 wrote to memory of 3548	3500	chrome.exe	106
PID 3500 wrote to memory of 3548	3500	chrome.exe	106
PID 3500 wrote to memory of 3548	3500	chrome.exe	106
PID 3500 wrote to memory of 3548	3500	chrome.exe	106
PID 3500 wrote to memory of 3548	3500	chrome.exe	106
PID 3500 wrote to memory of 3548	3500	chrome.exe	106
PID 3500 wrote to memory of 3548	3500	chrome.exe	106
PID 3500 wrote to memory of 3548	3500	chrome.exe	106
PID 3500 wrote to memory of 3548	3500	chrome.exe	106
PID 3500 wrote to memory of 3548	3500	chrome.exe	106
PID 3500 wrote to memory of 3548	3500	chrome.exe	106
PID 3500 wrote to memory of 3548	3500	chrome.exe	106
PID 3500 wrote to memory of 3548	3500	chrome.exe	106

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:996
- C:\Users\Admin\AppData\Local\Temp\2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-03-05_a0de8acd78850af8bd564e2fa01ffff3_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d8,0x2a0,0x2e4,0x2dc,0x2e8,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3500
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff893e69758,0x7ff893e69768,0x7ff893e69778
    3⤵
    PID:1568
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1788 --field-trial-handle=1868,i,4200963543926982028,11082204769068016967,131072 /prefetch:2
    3⤵
    PID:4408
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1868,i,4200963543926982028,11082204769068016967,131072 /prefetch:8
    3⤵
    PID:1756
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2208 --field-trial-handle=1868,i,4200963543926982028,11082204769068016967,131072 /prefetch:8
    3⤵
    PID:3548
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3088 --field-trial-handle=1868,i,4200963543926982028,11082204769068016967,131072 /prefetch:1
    3⤵
    PID:4412
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3120 --field-trial-handle=1868,i,4200963543926982028,11082204769068016967,131072 /prefetch:1
    3⤵
    PID:4280
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4428 --field-trial-handle=1868,i,4200963543926982028,11082204769068016967,131072 /prefetch:8
    3⤵
    PID:260
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4744 --field-trial-handle=1868,i,4200963543926982028,11082204769068016967,131072 /prefetch:1
    3⤵
    PID:5448
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 --field-trial-handle=1868,i,4200963543926982028,11082204769068016967,131072 /prefetch:8
    3⤵
    PID:5704
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5140 --field-trial-handle=1868,i,4200963543926982028,11082204769068016967,131072 /prefetch:8
    3⤵
    PID:5800
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:5636
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff7478a7688,0x7ff7478a7698,0x7ff7478a76a8
      4⤵
      PID:5660
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      PID:5796
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff7478a7688,0x7ff7478a7698,0x7ff7478a76a8
        5⤵
        
        PID:5812
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5612 --field-trial-handle=1868,i,4200963543926982028,11082204769068016967,131072 /prefetch:8
    3⤵
    PID:5904
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5528 --field-trial-handle=1868,i,4200963543926982028,11082204769068016967,131072 /prefetch:8
    3⤵
    PID:5912
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5436 --field-trial-handle=1868,i,4200963543926982028,11082204769068016967,131072 /prefetch:8
    3⤵
    PID:6056
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5540 --field-trial-handle=1868,i,4200963543926982028,11082204769068016967,131072 /prefetch:8
    3⤵
    PID:5292
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4816 --field-trial-handle=1868,i,4200963543926982028,11082204769068016967,131072 /prefetch:1
    3⤵
    PID:6040
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5444 --field-trial-handle=1868,i,4200963543926982028,11082204769068016967,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3280

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1200

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1924

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1352

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4176

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3940

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2632

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5284

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5476

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:6100

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5316

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5128

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5736

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:6052

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5668

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:6024

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5576

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5644

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
PID:5616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5180

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2304

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
PID:6020

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
PID:5184

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:6160

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
PID:6300
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:6832
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:6884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4796 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
1⤵
PID:6592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
5c181afd94180dd1c4fb0fb54059b35c

SHA1
68ff371e9f312ea6db5a4137925d1873d7cf0ae4

SHA256
926c6ca074f0c5a5a93ac9a4a0d6108e0b8dc3d7ba0ce120c58f2459dfe5a8ba

SHA512
37efbfc5970a2090ecc31f24b9219aa345e6810ad669a136bb32e520c64b59fd8aa9df51cb6f54b6d983e813355d17ee96bba5d7062f5d65ec864c42e0a11fe3

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
896KB

MD5
0109ba21813eff17037b48c4bc3a0af7

SHA1
8f1e6de51458915c985ef8a117983799938c4a25

SHA256
bd8d1e28d0507ddb96650c4556a3526bc58ff7faab2af1f86df9655ba450525d

SHA512
5eebd99853351b38ca30b208416f3ec6a2e363758979e385fed60e9dfae12d89a5f9a5c008571fef0747819deaebfeb4b5ac5b1d5514319312bd7ad6a99f7055

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
192KB

MD5
30b07d3cadd1dbe614bf7bc1aba8e529

SHA1
ddf9710a455c1eb9f45ce9c30e63204526369fac

SHA256
12ed175594ba3b13a1eccbc9c5a964ac712efcf40c3eaab0d893bb41ded4587d

SHA512
0bb86a9254ceb98b6b16d4ae2163d281d7dd249740ac0e8d044aab5b63ca78e79f3bb8b20d0cbf195ce4995eaa25c2520b5e66be907c2123374f64344e8313db

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
448KB

MD5
2e3bd27f24648df0bb2c22fdc3940329

SHA1
4360b90d93f52bc564931c83732ed30786733ea3

SHA256
dc857e37b8b708c2eb7674bd697b30e71c95aa38a36b09b8ab89b17bff56bf3e

SHA512
8f9759707f29eb9b5eb34e6ae13405aabf7c239ae71aff741b33f3ce8fa7f4993c8733021953555b2f8c198a64f1ed7f67c18debd34d2f557d0b04636d97d80e

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
320KB

MD5
df1e63a682b4e6b4c43498b4fb63f7ce

SHA1
70a1c1554a9ed3bb1a0ade84b9a4c05bca44d548

SHA256
dceabb0c4fe7dfd3a4b963d1bd5efe217c7845b2f4b5af744bcde8ebb2f0664e

SHA512
aec441e4be7107f989977a5df23b96967af350cd9975407fa6497d30457d28cf5e371195315b0549965c05d1824051a133005b0a1d29982da3c1523f044858a8

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
436KB

MD5
14ebd72685ffe71ad2717e7bf4c84a11

SHA1
a9e80378b48ff7377a299f02d5945268aa8b804f

SHA256
ca8a2cd9ffa1788ca988053119c0e6d676bce854a73a7e0767ec71a542c6a3e5

SHA512
1253e350ff8ed014135e04bc5ba2b1ff6928629e27baa245cd1823397925c64b8bbd94847d6bdf96aa33a04596b4d4a2b8dd8f6e3fff2df29773e4ce80058493

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
304KB

MD5
789a3474a531881a309773b196a633ce

SHA1
9964df3e2f18f8f884e0689ed1ba016b46b742d8

SHA256
adcd732511846984dd5c27fed4c7d809629abb2f3cef05b506ed827624f7a7ca

SHA512
f1ed0d8262b156cacfc993ca7c6509a524a6578913bdc863bb995bac69468557242522dbe27e0fa2580001900dbe31479ea888fcf1f940b25ddf6f16a4e436e7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
192KB

MD5
e04d1507948641f99935bd633b8d0f77

SHA1
aa9c98a11d0d538a6c9dd361f07cb1e46a1ddf9e

SHA256
08c20d44c55a570afb5464718408968fa624adc195ecd9e4385fe7cbb20ae2e5

SHA512
5931900de5255a87cdb49100a44c5f2ca86e2d48e953cd644dd757360e44fa22d71f8a11fde20ae8c51d2e8f76410b8fc2eeeda6fc6f361e2cae48fbbf51a613

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
304KB

MD5
2524fc0c3325b90c468b14c9a03b485e

SHA1
e2cb44e684d5e4c20cbfcb584036a87dc32b32df

SHA256
5f9c75ed95df679db3183bd0e9b12a0ec7374c9ff8014c70d7c97a830d1528c6

SHA512
2a9c02154325ff928f95480ca384a19b26609ba5d84362ccf956062d0766784136e5a7dfd4fc7a57f165c945e17bd15e6099a458248cd05f5e680fb24448475f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
256KB

MD5
b763b56578b84f271936a15f48fac450

SHA1
c0c8f463fa66f075cf1cc795e9524a0e7a9e3b08

SHA256
298e93f748153b62938c99ee56f9f2a0445576a9307f961636e8f09d441ba760

SHA512
c75931905d7409dcbae8129615234703e7bf0065405ab506953c590fe0cb64c7eb78b48fdc7830e6783f879fc2c19e8e71c78a3b50d8f567b1039ff007e71068

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
261KB

MD5
f7dce96c9c01dab7d9b967ee20495b9c

SHA1
ad1cddc2747168f348de849fd4cfbe5a200646da

SHA256
b1b1dbd4b10abfa40da711740bab10236cd3caa7d34b8664a80cffcac6b60932

SHA512
ea467bab2a4a6c92b6f7f11b6140bcc50bef6e968011942ca16d2f4ee4e86ea67597b48b6b48ea2852405d36b25f76d93a4727c391205dc73e2449d29ea29ec3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
256KB

MD5
8776c4915413e1ec98229d9daa6d0fcb

SHA1
2c1402a7862c76632204623d9340d8d97f8a7191

SHA256
b0fab415638e23a9567a3a9ed7c534df8312925660f2f946b50a89699266a48a

SHA512
8e2c35ceb8898c568ed86e250a6955a7475efd612dbf7a4c6f5165ed59470b9e041f4a99a2f13553b0defe49e265f356f2d89d8f9385651c97840d491233f1a7

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
192KB

MD5
8ce3c80bcdebeaf598f855cc087af2f7

SHA1
7d6740cd013218af9a845d0c411e9a5a37fc1309

SHA256
8850fca5d9d46ba941b06e44b7f7fc571bdce69f3d289bb49191b681f37f013d

SHA512
9d54eef125a8364320ca3ea68423d37fec34b40c1da21d442ef60f88f265eae2b7e03fe8f8f9a4f68650ef78ce5854a098c4bd1ac0783e25b8c5e774692d8305

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
2092a41ff7b81b412e425200f458ba6d

SHA1
f2a4e4d4d3bffede904e008e776fdbc809bac269

SHA256
b463fdfe033054ff3478550cad8932006fbb08914fc5cb7ad930c4968464ef1e

SHA512
3cfd6a37777d4da22530f347792bf2e9d49e367c7b5b75bec9b79c977f7c5c77e50dd511083d5a567c3fb67efdfb99dfa79d208c4dea7a0ab47e8c47b0a86976

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
256KB

MD5
f02747b2ea836a86af4dcca61fd9a5c7

SHA1
a7f5a58592f9c35b30af3787a4da2e7e8ff26010

SHA256
3eee7e914dec5047a30636485feb93c9f93d9fcd26e9bbf770382fe4b55bc01d

SHA512
bad9ffc979898e26c636f71cefc983ffd61c998e45ed09dc047e8685725642aaa4b3e076d3e591298d05bf5997c6c0db14d0110ca67311f1b2337b81084d6180

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
896KB

MD5
a2f291526a1b268f70f34e2a7c7c08dc

SHA1
cf82d1200cad225b5a95fc8e377a239842382b82

SHA256
1e0b658243c3d78d82793b5d514104dabb3342ec7792e6917d444e73b81370bd

SHA512
f6896ffe96db8b68a520b1fe3d6a1b55cb413917c0d6e736fecae0d878cb408b0a3e139d34998e58e9a90063af0be6d6a1a3c57d13c7791d053fda9e162f972c

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
536KB

MD5
cd2a8ef9c187cdcdd907187b6cac4dca

SHA1
a22a29f4b4ad265d40255079a2fbd895ec70e1ea

SHA256
3b94158c7fb4579c3b99a1950506963a1ea53d2f7988a135110b6c7ee4f5e1b5

SHA512
fad131ed22495eb28f68c649f01855b4eae564eac7fbd5ab8f04f37880a8afab19fc3113ebfc6bf4f0cddc3f95ed4e305661c097fa5d605f0286541480edf525

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
85cfc13b6779a099d53221876df3b9e0

SHA1
08becf601c986c2e9f979f9143bbbcb7b48540ed

SHA256
bd34434d117b9572216229cb2ab703b5e98d588f5f6dfe072188bd3d6b3022f3

SHA512
b248162930702450893a112987e96ea70569ac35e14ef5eb6973238e426428272d1c930ce30552f19dd2d8d7754dc1f7f667ecd18f2c857b165b7873f4c03a48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
836e01210ab3f635bd07a7bb6ccef4bd

SHA1
d3414082543ef26f6269f544da99459dd57ebc9c

SHA256
98613b7b4655014defeada086e638a63ec009ca040f308531a71c7779082754b

SHA512
f3357fcdde9dfde68b2132b27f6db09e40249274b91ff988b7b2dd6503c84fddb852933ee6703df45583304a990ef991be7326a1d2f007ed7dcf8629b36dcfab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
367B

MD5
43d5be92753f6963ec29ec20464c531f

SHA1
f2adfbc573ffd79a8c467f3e5adac57654f781f0

SHA256
a5743eeb127930c6735e8ffaeeb66445e7af623edb2fa0dcf75e9276abb28f4c

SHA512
aa0c2a83fa852b4371b418c78850efba23620e4e03ad7eedd5bc2c6db9f8ad25c2b6a8a202d82399f84b1b7e7efccdeb31e3a071a0bd7d427f4bb9b52dfae1a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
ce5577de29ac87626d6196be06cd184a

SHA1
af370b727994a83cdfb65d5c95669dd7e9c2e3a9

SHA256
74ff8edd3c0ed92995a3e10018890ea210a2239c4e5f7470c5fadf4b084809a7

SHA512
55c94cd267452fa2503929b05759234e343ff45d189e60a2f2a678c38f7a589d13661bbc6f67425d14aa68948c1062b30760cc5bbbcc417cdf7bd15199c6f653

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
3574a44763eb6564a3288acb5493fc10

SHA1
ceedc612fc74dcdbab5f0586fa8b2c7ada48eb20

SHA256
789ee630a62c90af125261056ccdd7edbd48409ae0de44e3bbcba70d3b6b89ba

SHA512
1e31441106cbf5391855ed54151ccd6157d8a51dec223a4f953dcbb0d227332af70ce2a34a35636d7a1aa504489e319e95d249861eb6a20aaacb9faeeb577d2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
a70cdd069ad08c746ae4c7ad21e76c0a

SHA1
644dabad5c4c4a611289ea78d47b63b7e05d9ab0

SHA256
4f40d29a1f5b3aee63d44dcd265e0f1e9eb5ba0db545184d380dc125b96d9235

SHA512
481bf358c92cbd6b953d895933042d7af2e5687c30b74011f58767b13fb5eef9d689de65dd165f3e2d0bf884fa2b5497fa244338fb64750cadfb96447a0f4ea0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe584f34.TMP

Filesize
2KB

MD5
04695aadffdaf28b5be826d27d48721a

SHA1
ce79df7c80926a86b0e1a922a05bcab16c7620c4

SHA256
0bc76b0a74faa8d4d25cfa28127c42750e86004af7a10d590e07a33a89726b51

SHA512
aa3438c4a09ea9c0c52dccb6cba636ac99c11b47a5b78317869823d6c39bfdfa304f40e67867b8ca9c4269efaba12431ae59a1d54c671f38acb9e4fe3d23da54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
10KB

MD5
2aaf2b0bbff5704ab0c1c997d8b5899b

SHA1
4c5dda7836a5c916b20c39467c012a41a9d69011

SHA256
b238c9b2ba9dfd5b2aefd3d0d40044eaf8db0fa7e1f2fa61d3132da6107c2156

SHA512
45a561710e39de102523ddb5ee5c64b9bf9f457f791dfc68b6774d2971174668257c1157e192aa69c4b6e328218ccfdbdbd97b61303d05d57e9fd7e857a81cdb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
13KB

MD5
365d14425e0ca41b205029596673d606

SHA1
d841ae58a2704936d622afba5feb5b572301cc24

SHA256
1c9a98738c6aeea62bf4dd070eaa5ba9039e3448e3f4329503319137b5d5e5c2

SHA512
fdd4fb37903c68942d6ffc95dd9fdf72dc883790b4540129e129242891e5c9e0d98e175f23fd5611ff9ced96823a6631c2faa085f6caf0bb2ea6b2fda31dcd7e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
256KB

MD5
73c3807745c51df44f73cb0b66e6ae59

SHA1
2a8087ba62cced2b1b951f93911327be550f5cc2

SHA256
32e1a471aba27fa8643b8c3394619d94eb54dd274372bd34040071c2684a6607

SHA512
f935530f1745f99d6ca26afc5244b397f6aba6a8d5c5bebb1d0ccfa45ad6b849dc6d1debcf1f5c608a378e584f5015f4ab29f7bc2419e3b6b1ef2d35fb57c422

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
4KB

MD5
208e08a33ce9aedaa9965313cb41ba60

SHA1
c2130e595ce95ad46bd6a54c279b9de510e19312

SHA256
487253a02c1e86ba7d10625b130dbc63669a17912875e9519c54fe0eb609901e

SHA512
e8e436bb3d1dcd0b46481826959eb31126c0b7199e1f604a91d63c465faeaa435bb55b07ab8fba93325627bc0b95a01ffc3f8f5dc9a62e44a4ec1b4893e6542f

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
6KB

MD5
26621bf36477ff38f5a7f26b2aa3604c

SHA1
9ef1cf113544f36f65396e5012817506ddcb9ec6

SHA256
05d7ab2f6795d17c52928df3550c35dd3781483e5de7b393003f2b280ce293c6

SHA512
3ba8cb697e9a869e4141dbb36ae0c86410d310b8b75f7968c46d0a4c9af91f93df7dc8d08a90ef60be9438b7daee4b813cc80a6966f0ace75a4c458fad503817

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3500_1649839582\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3500_1649839582\fc863658-369b-4ee2-832d-2d08a5eb7588.tmp

Filesize
88KB

MD5
2cc86b681f2cd1d9f095584fd3153a61

SHA1
2a0ac7262fb88908a453bc125c5c3fc72b8d490e

SHA256
d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c

SHA512
14ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986

Download Submit
C:\Users\Admin\AppData\Roaming\8833ba78b3e2edcd.bin

Filesize
12KB

MD5
740287d66d5625c29fe4ec2dab030ca1

SHA1
d304f33e4a35609484fcbbab28b64dd78e775d18

SHA256
b6eb47ddd1a17e9273686e9b55cb21b13ef21b818460ca03e6710e020a313ae6

SHA512
2d16a40ee84ed52b8422302e1891864fb709fdcb9bcb9b4da56be18b7eee21ce1895d31af8b45bb9668f21a0b53d1ec87f3434a03cce5c00aa133d2add5e14e3

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
fa0cf7733e2f70624c73cff4d0a68e21

SHA1
2ec83fdcffc0d4481db9963c77d6125f80d7963c

SHA256
9ec2b8993029e6dcaff6f9baa214404d13e37e83d069346e83a6707ab44f9062

SHA512
56856202b5ec89177cf4edea8668ee156a8bdb54b67d42b909272cd3b0cc1e5e640fba7c8301d4889fe81bdf9d1ccd1519dcf02454ee301ed6e8e4d83109b96e

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
971KB

MD5
ec9579e0b7c19f8447d80c7429041308

SHA1
d67868a6c17c7a864b97486a6f2ed42812ec692c

SHA256
718cd686011053ebdae76b57a63b531a8ddc4f24f87b3e4039c5f7addd6dbcbc

SHA512
8222cfba0989604da83e796ebac6dd5c8e0dff8d8e3d536d79e8635de0f4df02678cb4c66f739cd5ccf2dea5bf574e87d0a6b4d2b399eb1271b878bf9c2ee4e0

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
696KB

MD5
c057b5961a2a8669f64595b5b73a38e3

SHA1
2ea43af309116741c2f383af221302660ac526c1

SHA256
89fbe514579c8919b98db795ac192f60b0bfaba06a4cbb892d5d8e165fe67d2e

SHA512
4973c61ea7b5ac7ef38a1737b31247d09219411cd07f871519589959ba9eed4dbbda0b21c115958343df41db90b2b32bb299bf2e63cadfb84b52a30a47d28b10

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
6758a37837519cce0a9e1c5c0a25e0d7

SHA1
7bc1d158383fc355a8c2c64dfb60335c003ac3c6

SHA256
1cfe53946b8c7abb25844da12136d4c8050d04a3d8123e3c6ec45fa497f017f4

SHA512
6326c8e6a821f38e7fcc4cccd6551c8c93847367dcee59e33dcb89b28e64e5b9d370f7222a3e5094a302a4a9b4584a2883c1dc4ca617fa3057746d529f4c02dd

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
9bd257fba69c45e824c9da80753fa970

SHA1
40495a2bd138874f66015240cc66e693ac92f292

SHA256
7bbc7bc9e684cc75e71dc9178019c2ebeaa735480863ba835bff53046c06e013

SHA512
5b4e98cb7ca43dbb9a07ad4081ffda60fe9a41e74da42fd0cb3336deaef24ed2481e435f63c15e9bf6653ec761cb6b4268e47bf478d2c301a8b16edc2d4a537f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
637KB

MD5
1f8bd4d48e664f0243ac9bbe80803be8

SHA1
2995d15815455d67b21b1d020627fb61e9fef8c9

SHA256
8085b0e21ba0dba0be1c05e9c8401b68ef90bf4dfafd867b5cbc021810f91a5e

SHA512
dfe6900de7b108449159f947ba3e98451bc1e87d3784f4b7b4d4deb072e6e0aaa0ddce58adb6d912d831e6a5bdaf770f7b2834173d9ea1b436e099da403f243e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
826KB

MD5
8a701d5ec49bcdb198fe3d1a3cb518b8

SHA1
7a8ebee64553b1f924997a920bf9e3392830408e

SHA256
55e50159a5f93545f22d00c75e1f8ed186e24753b7d832544cc57a0f80a9e3c4

SHA512
a441dbe693636817c503316a747eb05743333cedfecb050e8f19b08e91b182272b5c53a636f1137dbec1a45dbe70cf95ee6b87b42c259219deefb0961ad50abb

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
0d985e2f179eaac7c3777e8997abd5b0

SHA1
0498f7cb53254986d3ae07187b40647a8bff4a9b

SHA256
9dd464683dfee1b9887c7cd811b37e00884ec4534b5f2f0341147caf2e0183d5

SHA512
19ea6da892eff23507fc1bad83d56031ec8ce0b9bf6d0268d3c5a63d9958a6d4caecd60a5b98ed5ff442aa9f58f1e67e6bcba0c16933653cc690901da71df530

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
239KB

MD5
ccbb06c9869d1fc25c21176e798898e6

SHA1
a2a1857af1053961fb951eb855fd18720d7ae42c

SHA256
273d3bd3cf146b3289ff894cb3d8205b6b2f30a26e6e887d1d2b8248af6c9a97

SHA512
51a87389ee91b060a4447c3df3a2fea860e6beac37a8877cdad14cf24077dd59f9054a42487199e0edac1fed94fa85d4a5c5d4f81ad4d3760a82a8bbef70c34f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
783KB

MD5
905bef3593fb3b45e0620119933a97db

SHA1
e11385c76859e2160e7a4697f5fd28795a22b2f7

SHA256
06175850eeecf8173da4e77bc2a37ecbc363877da4449f60909b836c5d9cfe81

SHA512
47681a679b84d86c2f21ba98327973d35e07266efff9f382a31c0c10978a189a6395b838f11b84883302f7d99dded9a671454e2f7950333b4d702ab295327edd

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
84c0371649f19b60adbdc2139cb600bc

SHA1
27c96fc71c6fa652d2054bd871326240c8cbfd3e

SHA256
5f46993730afbd747743ef164b7913e02867a27f7a36a0b03eb592d2b74cc34e

SHA512
b45c0f7fe6780e6e392f5c3a84f9f2ba9fa0db601bfc2974e3fe51f6fb8307441da3d5dfd0ab2eca81027982017baa7d2085c110d60616594cbc2d92b4fb2842

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a5c066aadfaeff9a3c93c2b8354eb789

SHA1
3a2358b3702e607f989eceab5fda11957d54f9b2

SHA256
0c8aed9c909f02b5e1202f88290f91ce540200a933787625d67d650b5240a98c

SHA512
abed5a60ba01d2a73fb94c1ce234c94ee98e13510257a51d7dd86cf3d25307ff487e141f65fd56e02d4e1108a869921b9acf4ed243c80ed9357bbe190b6bd8d2

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
118KB

MD5
5689fb43688341bc4544805a021fab89

SHA1
2832adff9219a733384c4d432be8226202a28f1b

SHA256
88e8d4156771b6dc468e43002d6965c9a2016c25bfdacc6411a0e8d9b4a6ec20

SHA512
c6a33310a82a455b96ee51ad7ae189c25d2e8d7d021484cbda022b9a16b5c78973fb43f1efd8e105e75a1a7ea993e3a9e02230bf1c6aa1f4dcd1cd6c51e47aeb

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
269KB

MD5
06cc1c16c31053cbd19313b5f585b253

SHA1
ec2ed82aaaf407d8427b142137dc7dfe2ec44ebf

SHA256
ab2e99769569e8dcbc635ce7858937e08f20df879801e22629e0e5d30688a5dc

SHA512
08b72fd90889d574297d6c1e8009bb8dbbe4a1fedfd8e16714fec1c2bd590dc51505e88f18c87233bd9f508d4d47f589759fdf66af6871bea3851919d131e533

Download Submit
C:\Windows\System32\alg.exe

Filesize
760KB

MD5
d32d1bacadf63d752eb4228ded0025a8

SHA1
b8a922f9c0500dc1076023f67e001e3ec586c75d

SHA256
e40a08d9dad69f430e218ca752351a7680fc65996766393b914214413d84c801

SHA512
d3763390d74b36b81279a595929501559ca1230300f91d59085be9db4de8bf75d2a519a47842287847d1b7f3c893923355e24771b92e2bc49fe0ca064f3a00ba

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.1MB

MD5
34b94ec292039ac6f9f7ffb285c11178

SHA1
c3b5f19d60bd6a34ef272101f02326adbe942a7e

SHA256
03e1dd9c3c383e4852f85632624c2210fc5df863a495c07b6a0ab1d9eaea6bd9

SHA512
b805aef39f7e0998f71318b9290e66dccc9d03e4ec6944b021f7b442a07ea285085669614f66e0cf96e09184400b25c5873874fec5d4c9f03d653bb5444df374

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
df12925ebe4bdc4ed1972c0fa58c223b

SHA1
29dbac2fd448fbac62bcbc5c33eb698c8ef338f8

SHA256
de46be2a17d1a5be5853d23c1e7203f5ef22eb263ba18c8e782db6ac7e7e0781

SHA512
f3db8b18627d7fbac552cff0bc3ca91a0114795869811d38bf5f9188e408ae564fd134dd280d9666c22cb313c673fd800ef74b6889583dbe57a6281895f1fc0b

Download Submit
C:\Windows\System32\vds.exe

Filesize
221KB

MD5
45f97a06b67eae74fb5d8b653e8d944f

SHA1
1b7a6e559850cf672aba0954687fbedc0d6a187d

SHA256
3b3261350255f14e729a6fe8395e4f08336cd5edb48fc4bf40fe8875d0db20d4

SHA512
1a0fb61e323b4be4616bea891bb92f230ef77dadbcf39b12af950acea6a77be96326f6c25e0588605f932ae519757778ea40661f125e63a3305fa58024a6fb90

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
443KB

MD5
f44ea0bb61073d1f24db8927f09be3cc

SHA1
d0b09ccbb13e169fa77641c09fb2f207f73aeb35

SHA256
08ba087f300698a050e67db48a1aff138fa36d2491e631ad1974e88cff50abc8

SHA512
1d9258ac616945c6240987aebd1728d96af1553fcc36be04e363bcf923c9c25594518c72282f1ca4c6d86a760370f0fa062db435c14ac436dafc211834ac5247

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
256KB

MD5
1c370d7a7d9d4aed11002c517fce80a6

SHA1
c37f83a7479570702e87c030ef19fe6b74de1075

SHA256
04fa12ee0ef838360907d130f56f05954d08b9ef6cd544e1712480ebc281d69e

SHA512
8b6dbc2d14fd0195ba09e6d5d2fc3b93d43e198db1e4d1668b8a83f7c467a6c0057db33217332872257b0394acf95ea8b116197752158555fb6e2b6bee5ac4e1

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
0e1a0df5323f02fa141b11070035f203

SHA1
4662c48107aebe02429f78dc0ab4328f88ea9e8f

SHA256
169bdddd028372b9c8dc1bbc8bc1a48dce9089467cf7c3b5967ebc20713b1bb7

SHA512
5ef418e1f48b459f21f15f8462fceebbe5da2e16ff4cd02a614a6a508c1a9e28527c0d0778840600c85ba60d412de91e754b3aa0173ac4db70460367a2abc6e5

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
714KB

MD5
38ee0b04c2a5c58d31e45fb11c7178b8

SHA1
dd06800d5f9a032c2b353c83f7aa2318ab58c0df

SHA256
d5957908d4ac793814d5529e85da3578555bd983b72446be4e16bf7b276b1585

SHA512
968370291593cb114310449a58a71ac4f1f6a6e7ed256c7e34ae57ce5a123cfb27f777f8fbd61c4e643234c24f8f5f60a54821344c4c0ea7a310fa08882d9b71

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
f86c831383dff0246eb7df05cf68d36e

SHA1
0b8c28da2fe3782e70191f4d1c4a4520737d5a88

SHA256
58bcb594e421fb8d88d99101806efc0713c4ecae90e1651375eef0e7a51cd9c6

SHA512
7fa154b0d379856bfefaebb965b2795fc3eaf7b56c15421a6c91269a09a5d563152885906512a424d6136a0128538a08e9c9b03afbe3efc578468f52403f86b7

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
936KB

MD5
5b3e402c92cdf3be364f11146ab45d05

SHA1
fb7f7fddababac61f1659caa79bf57407a6d5e34

SHA256
4fd9550cbd06359eac736d39abe3109944799d5fc7e267675aac4f200a11cf35

SHA512
72957547600076896473db62ff6085d84db4d62a377778a9151f203fe48359a3bf63bb446d305598b90e14f9d7918625ae710a1f38109b170e79b466f048ff40

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
875KB

MD5
3d1011b78b4f3bbfb83d478626973554

SHA1
5417fb0ad12ea8d9c91e7d9f5bf35e4720933948

SHA256
ffa84fa3cd303978558cf73c5d8365af3bae3b3a9e84634d381db794d657ae81

SHA512
fec38126a934540f4565591ad4a1aaab01c434a02409f363f964e620683551a9a0003b0086fd61cd9734e61a3730ea363e8eb328da4f7f4c0be05ca0d1ed064a

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
766KB

MD5
9f059fa5c8357f3793397e605dc7d2bb

SHA1
dff6ff894228e98fcd60469657c505292db58d82

SHA256
377ed618601639ca141086094e61732653c4efd97789dd36872895416c046be2

SHA512
8714e2d69d724dc59251cccbcaf99bbe9563044bc597fc86e66bdc79cdeb1fd8b86aa46a3bee551d2f25360ffe5b89eafe925e069839c5560bdbba309752266e

Download Submit
C:\odt\office2016setup.exe

Filesize
331KB

MD5
2358fde8721b5acad174889b0d633bd9

SHA1
fa7d90a72c9ef23abae0c02b314adc0880a7f0e9

SHA256
50756dcb033833caddfd5e31ebe824724dfe07c1d9739891b9e34124b04f365b

SHA512
5a69f2f4ba1abce0b6422e0b2d9d1ca3e82db599e92bf7f03b4f2adc9984db880567278ddb537578609cd0070978d1e46e88805943c68b9190505eb45ba5a62c

Download Submit
memory/996-27-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/996-2-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/996-8-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/996-22-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/996-0-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/1200-35-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1200-33-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1200-46-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1200-108-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1924-54-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1924-42-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1924-53-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1924-43-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1924-110-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/2304-418-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2304-425-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/2612-96-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2612-12-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/2612-14-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2612-19-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/2632-87-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2632-94-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2632-88-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/2632-187-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/4176-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4176-61-0x0000000000ED0000-0x0000000000F30000-memory.dmp

Filesize
384KB

Download
memory/4176-75-0x0000000000ED0000-0x0000000000F30000-memory.dmp

Filesize
384KB

Download
memory/4176-77-0x0000000000ED0000-0x0000000000F30000-memory.dmp

Filesize
384KB

Download
memory/4176-79-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5128-382-0x00000000007F0000-0x0000000000856000-memory.dmp

Filesize
408KB

Download
memory/5128-198-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/5128-312-0x00000000007F0000-0x0000000000856000-memory.dmp

Filesize
408KB

Download
memory/5128-356-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/5184-452-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/5184-444-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5284-117-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/5284-101-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/5284-114-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/5284-100-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/5284-107-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/5316-333-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/5316-177-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/5316-189-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/5476-119-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/5476-142-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/5476-306-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/5576-442-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/5576-373-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/5576-383-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/5616-414-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/5616-413-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5616-408-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/5616-402-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5644-455-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5644-395-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/5644-387-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5668-347-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/5668-357-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/5668-416-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/5736-386-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/5736-322-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/5736-329-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/6020-438-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/6020-430-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/6024-360-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/6024-368-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/6024-429-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/6052-343-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/6052-399-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/6052-520-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/6052-336-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/6052-521-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/6100-320-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/6100-173-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/6100-165-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/6160-456-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/6160-465-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/6300-469-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/6300-477-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download