61c18087649ddeaf1755a90b9d63a738b14e85ab9e5b3c9a742b6dcbac438db4

Analysis

max time kernel
152s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/04/2024, 12:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
Size

3.2MB
MD5

74409e0f59eb6d18ce1d8862dfea71e0
SHA1

9e82adbb8761c948e6a48ba82ab473d72b77ac62
SHA256

61c18087649ddeaf1755a90b9d63a738b14e85ab9e5b3c9a742b6dcbac438db4
SHA512

3321adbab743f71232246e77aa8c5af8a9282e8bc6cb720d6041c4a438b0c1402ce7de1f4a3fc1b6dab632a50ecb4fd098e0bdf861a8d8e541a812e2758d7587
SSDEEP

49152:T5k1YCdptya507NUUWn043oHS3fT8YwVq1/xT3DDbwwTU+elDmg27RnWGj:HNhS4Yw8OtD527BWG

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3920	alg.exe
868	DiagnosticsHub.StandardCollector.Service.exe
3372	fxssvc.exe
4388	elevation_service.exe
2028	elevation_service.exe
5196	maintenanceservice.exe
5356	msdtc.exe
2248	OSE.EXE
2232	PerceptionSimulationService.exe
6128	perfhost.exe
5952	locator.exe
5400	SensorDataService.exe
5592	snmptrap.exe
5744	spectrum.exe
5808	ssh-agent.exe
6036	TieringEngineService.exe
3688	AgentService.exe
5392	vds.exe
5732	vssvc.exe
4920	wbengine.exe
5216	WmiApSrv.exe
5160	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1919790eb3e2edcd.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\java.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000086cad6b65487da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d9f364b85487da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000070cfcb75487da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e3cf2db35487da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000014731ab65487da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000022fdb8b25487da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
512	chrome.exe
512	chrome.exe
5032	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
5032	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
5032	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
5032	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
5032	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
5032	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
5032	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
5032	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
5032	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
5032	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
5032	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
5032	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
5032	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
5032	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
5032	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
5032	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
5032	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
5032	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
5032	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
5032	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
5032	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
5032	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
5032	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
5032	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
5032	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
5032	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
5032	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
5032	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
5032	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
5032	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
5032	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
5032	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
5032	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
5032	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
5032	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
7016	chrome.exe
7016	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2064	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
Token: SeAuditPrivilege	3372	fxssvc.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeCreatePagefilePrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeCreatePagefilePrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeCreatePagefilePrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeCreatePagefilePrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeCreatePagefilePrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeCreatePagefilePrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeCreatePagefilePrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeCreatePagefilePrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeCreatePagefilePrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeCreatePagefilePrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeCreatePagefilePrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeCreatePagefilePrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeCreatePagefilePrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeCreatePagefilePrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeCreatePagefilePrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeCreatePagefilePrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeCreatePagefilePrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeCreatePagefilePrivilege	512	chrome.exe
Token: SeRestorePrivilege	6036	TieringEngineService.exe
Token: SeManageVolumePrivilege	6036	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3688	AgentService.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeCreatePagefilePrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeCreatePagefilePrivilege	512	chrome.exe
Token: SeBackupPrivilege	5732	vssvc.exe
Token: SeRestorePrivilege	5732	vssvc.exe
Token: SeAuditPrivilege	5732	vssvc.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeCreatePagefilePrivilege	512	chrome.exe
Token: SeBackupPrivilege	4920	wbengine.exe
Token: SeRestorePrivilege	4920	wbengine.exe
Token: SeSecurityPrivilege	4920	wbengine.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeCreatePagefilePrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeCreatePagefilePrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeCreatePagefilePrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeCreatePagefilePrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeCreatePagefilePrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
512	chrome.exe
512	chrome.exe
512	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 5032	2064	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe	93
PID 2064 wrote to memory of 5032	2064	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe	93
PID 2064 wrote to memory of 512	2064	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe	94
PID 2064 wrote to memory of 512	2064	2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe	94
PID 512 wrote to memory of 3380	512	chrome.exe	96
PID 512 wrote to memory of 3380	512	chrome.exe	96
PID 512 wrote to memory of 3616	512	chrome.exe	102
PID 512 wrote to memory of 3616	512	chrome.exe	102
PID 512 wrote to memory of 3616	512	chrome.exe	102
PID 512 wrote to memory of 3616	512	chrome.exe	102
PID 512 wrote to memory of 3616	512	chrome.exe	102
PID 512 wrote to memory of 3616	512	chrome.exe	102
PID 512 wrote to memory of 3616	512	chrome.exe	102
PID 512 wrote to memory of 3616	512	chrome.exe	102
PID 512 wrote to memory of 3616	512	chrome.exe	102
PID 512 wrote to memory of 3616	512	chrome.exe	102
PID 512 wrote to memory of 3616	512	chrome.exe	102
PID 512 wrote to memory of 3616	512	chrome.exe	102
PID 512 wrote to memory of 3616	512	chrome.exe	102
PID 512 wrote to memory of 3616	512	chrome.exe	102
PID 512 wrote to memory of 3616	512	chrome.exe	102
PID 512 wrote to memory of 3616	512	chrome.exe	102
PID 512 wrote to memory of 3616	512	chrome.exe	102
PID 512 wrote to memory of 3616	512	chrome.exe	102
PID 512 wrote to memory of 3616	512	chrome.exe	102
PID 512 wrote to memory of 3616	512	chrome.exe	102
PID 512 wrote to memory of 3616	512	chrome.exe	102
PID 512 wrote to memory of 3616	512	chrome.exe	102
PID 512 wrote to memory of 3616	512	chrome.exe	102
PID 512 wrote to memory of 3616	512	chrome.exe	102
PID 512 wrote to memory of 3616	512	chrome.exe	102
PID 512 wrote to memory of 3616	512	chrome.exe	102
PID 512 wrote to memory of 3616	512	chrome.exe	102
PID 512 wrote to memory of 3616	512	chrome.exe	102
PID 512 wrote to memory of 3616	512	chrome.exe	102
PID 512 wrote to memory of 3616	512	chrome.exe	102
PID 512 wrote to memory of 3616	512	chrome.exe	102
PID 512 wrote to memory of 3616	512	chrome.exe	102
PID 512 wrote to memory of 3616	512	chrome.exe	102
PID 512 wrote to memory of 3616	512	chrome.exe	102
PID 512 wrote to memory of 3616	512	chrome.exe	102
PID 512 wrote to memory of 3616	512	chrome.exe	102
PID 512 wrote to memory of 3616	512	chrome.exe	102
PID 512 wrote to memory of 3616	512	chrome.exe	102
PID 512 wrote to memory of 3828	512	chrome.exe	103
PID 512 wrote to memory of 3828	512	chrome.exe	103
PID 512 wrote to memory of 4400	512	chrome.exe	104
PID 512 wrote to memory of 4400	512	chrome.exe	104
PID 512 wrote to memory of 4400	512	chrome.exe	104
PID 512 wrote to memory of 4400	512	chrome.exe	104
PID 512 wrote to memory of 4400	512	chrome.exe	104
PID 512 wrote to memory of 4400	512	chrome.exe	104
PID 512 wrote to memory of 4400	512	chrome.exe	104
PID 512 wrote to memory of 4400	512	chrome.exe	104
PID 512 wrote to memory of 4400	512	chrome.exe	104
PID 512 wrote to memory of 4400	512	chrome.exe	104
PID 512 wrote to memory of 4400	512	chrome.exe	104
PID 512 wrote to memory of 4400	512	chrome.exe	104
PID 512 wrote to memory of 4400	512	chrome.exe	104
PID 512 wrote to memory of 4400	512	chrome.exe	104
PID 512 wrote to memory of 4400	512	chrome.exe	104
PID 512 wrote to memory of 4400	512	chrome.exe	104
PID 512 wrote to memory of 4400	512	chrome.exe	104
PID 512 wrote to memory of 4400	512	chrome.exe	104

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Users\Admin\AppData\Local\Temp\2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-05_74409e0f59eb6d18ce1d8862dfea71e0_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=92.0.4515.159 --initial-client-data=0x2c4,0x2c8,0x2d4,0x2d0,0x2d8,0x140221ee0,0x140221ef0,0x140221f00
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:5032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:512
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc4ea39758,0x7ffc4ea39768,0x7ffc4ea39778
    3⤵
    PID:3380
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1752 --field-trial-handle=1920,i,12386661148200206656,4179310227356207797,131072 /prefetch:2
    3⤵
    PID:3616
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1920,i,12386661148200206656,4179310227356207797,131072 /prefetch:8
    3⤵
    PID:3828
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2220 --field-trial-handle=1920,i,12386661148200206656,4179310227356207797,131072 /prefetch:8
    3⤵
    PID:4400
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3088 --field-trial-handle=1920,i,12386661148200206656,4179310227356207797,131072 /prefetch:1
    3⤵
    PID:1116
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3108 --field-trial-handle=1920,i,12386661148200206656,4179310227356207797,131072 /prefetch:1
    3⤵
    PID:4476
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4464 --field-trial-handle=1920,i,12386661148200206656,4179310227356207797,131072 /prefetch:8
    3⤵
    PID:4176
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4816 --field-trial-handle=1920,i,12386661148200206656,4179310227356207797,131072 /prefetch:1
    3⤵
    PID:2728
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4900 --field-trial-handle=1920,i,12386661148200206656,4179310227356207797,131072 /prefetch:8
    3⤵
    PID:3964
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5040 --field-trial-handle=1920,i,12386661148200206656,4179310227356207797,131072 /prefetch:8
    3⤵
    PID:1036
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 --field-trial-handle=1920,i,12386661148200206656,4179310227356207797,131072 /prefetch:8
    3⤵
    PID:5440
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4968 --field-trial-handle=1920,i,12386661148200206656,4179310227356207797,131072 /prefetch:8
    3⤵
    PID:5656
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:5924
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff616947688,0x7ff616947698,0x7ff6169476a8
      4⤵
      PID:5972
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      PID:6032
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff616947688,0x7ff616947698,0x7ff6169476a8
        5⤵
        
        PID:6072
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3764 --field-trial-handle=1920,i,12386661148200206656,4179310227356207797,131072 /prefetch:8
    3⤵
    PID:5964
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5184 --field-trial-handle=1920,i,12386661148200206656,4179310227356207797,131072 /prefetch:8
    3⤵
    PID:6136
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4632 --field-trial-handle=1920,i,12386661148200206656,4179310227356207797,131072 /prefetch:8
    3⤵
    PID:5236
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4952 --field-trial-handle=1920,i,12386661148200206656,4179310227356207797,131072 /prefetch:8
    3⤵
    PID:5944
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5368 --field-trial-handle=1920,i,12386661148200206656,4179310227356207797,131072 /prefetch:1
    3⤵
    PID:4164
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1868 --field-trial-handle=1920,i,12386661148200206656,4179310227356207797,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:7016

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:3920

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:868

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2920

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3372

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4388

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2028

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5196

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5356

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2248

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2232

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:6128

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5952

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5400

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5592

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5744

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5908

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:6036

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3688

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5392

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5732

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4920

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5216

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
PID:5160
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:6320
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:6360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4080 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:1256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
0834956b715b44476abcf180ca272a10

SHA1
cf6e8fe23ab9947ca06a6b2f35fed7ad451363b5

SHA256
e8dba877610b0ffe66de64cb5f30dfb465b54c609e9aebc97671d150420c5765

SHA512
e0554be71fba25186e24aa71f172d1be70ddce810f5e7be3dffe8a6a001b14ec6131b0d10c26680b0f9675d83e8b80d3ac0a050a3923a7f3148d8ad4c10c1dd0

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
709c9d2452e68ad131f9c20f66a7deeb

SHA1
4f8ac014711bfd5a8f975d87dfed3fa1ff48999d

SHA256
7116381a00829446e486dc4b43ff5bedee1144760f03aa5a80356c2208458525

SHA512
e417892f59548665f8d3a71dc2f0f3a8846eed42339f4d61a367d7b853ebc39cb71d9ea9e610a6c68b0b7ed6872f1420398e6a5b908aebedc9848bf7ad232c2e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
e64a1533ca5c16535e386525199fa3c5

SHA1
eeed2d6de8aabfe85a68acaab09a7cf2d62d4896

SHA256
e3bf4c59ea788f53c3fadc13ffec9a8e538b55389dd7cc8dca65aaf805fa355d

SHA512
8f65d0665dccdb3bff525ee4e0f192782f1cdc6d5495c9af8234a10e296a6348d3ba0ea222d65e67a9a26a72c5c0a3b6cf32581da58a778942420e810913d80b

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
3449886cc830484e65678c987db20cba

SHA1
4645449bbb1f29440bdc157ecadf2da007df2ff5

SHA256
35270a36b49a58a60cb46ea7a292d8297eb8a0e1c05293133a8da93b18a9a1d1

SHA512
bcfce82a867247637d3f38011e4414dde3037faa7795ccddeadceb28ff338a650ddd74740a2b0fbf6377caccf0a54da37983e6687c5b50ec86b7edeb909ef0b8

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
54a5146a6f8ca200f10194d148880af3

SHA1
86fca53b50001761ed3b6e3f23325a5dbeae3a01

SHA256
80d2b522fadb34824a9e0264f909e07df280e9af40558824fb7e935c23e081ae

SHA512
c61363991d80143dd8ac371803a3387bf5464aa0447e2e620e53972e16d2cda1aed352d0d29afc8b5d315e1337c96d80e6fca1aac6da18b3460406239f281ed9

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
d1d9378e058e6b13f3e630f112297c85

SHA1
e339981ea767bab93bb54577d9014a5a10628ee0

SHA256
0476de3ededa4a656563b967766e02a0b6f4bb7b2363af6a874d570fee080ad8

SHA512
b7d0bb229f92be3eac80e0775f55a0da1fa818305a3f8f89ed15b357f26e8537a4e5ef06df21387b76a6a8445e470181b9e29f9603152d9e7fad42879e18709f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
23ce9611724f11856f0ce3c40279a3e3

SHA1
4d6bec2f84ce1c7a3dd8f1c71260bf9de9c4cc57

SHA256
227162588135b13f8d6561731f7b682d920ef645fab68320a117f19c7fb266ca

SHA512
2bbf3e48e2d85a49a438a7a6480f27d8660bb1b37327a24216af5d8c9cb7b2c6dc8ce01538800eff1b5658807eb58a9dca35631364983cb48fb335d5c890a477

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
1686b6da689795c7eb4766063f80bda8

SHA1
0edccea1c83e1886f2c7d7bfdbf03ffd3f710f9b

SHA256
61941cc2f29d8cb1d8164538ed23db24208fef1bff5826329c1cbd570c3762ae

SHA512
2cb19fff61affe9b9e3bf5d504008a3ced638bf7a3ac80a697b769e97535eadeef02eab087ea930f418ab2397d4e236025d3e5b5fc28100a13ac70494430d328

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
2153e5d902eb9fde7f9abb7aca980788

SHA1
89a7bdd44244be2829fa3c122d5912c1a2b1d004

SHA256
fd2d88bbfae8f14ad191d55c32c63d4a8d98f45754090b81f8161008acd255cd

SHA512
8d110cb7260a325c53ecff27fdd951547078ab5d180d4629a6dc932d2e50bee51aa8b2ac8880cd8d5e1898a9fa083f4e2e24d759d50439b8d1d9769ada7787e3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
328470c787c33f0494f17a01f57af228

SHA1
648bad09afc5a7271df023e842cc26d3e970d21b

SHA256
1df06c2513ffbb9c7689a87a2515d03a3edc1c2d41e2356f5f97b56fce6a8959

SHA512
f6b8e83b70f6a57c5d08e5eaf3baac94cd7849ff9ce9b042f5253bce240b08ab1b71e3f100224b24834ba7acd7ee92a8aa47854a40f1e10e00852cfe698d6fe9

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
c6b9a9392ead114509fa2b626fcbcb82

SHA1
61e09c4b388fd0a1cae89d23696491de1d1e60e2

SHA256
5c34d3ce4ad29597dcdc394ab4b08dc2d775e1d16a0f0b3e39e6165ca10149b9

SHA512
bf651fce4c5214bfc1399f63809725a3c25ec0076aa0da2dbc9c5295fcf47ea8f101e2e5ebc51bb5bf8acdd1e38b8ac8c1a5510e6bcf433a9042e24f79e93a8d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
5a3744ba1ed6a63ec88ca9ab63de552f

SHA1
fee49be2ea16c1ee6f4d87c5b62826a602e24965

SHA256
e4adc093450c7de994b6e3f0665437e546cc43b9461162c3a7c3b4532b6b11c0

SHA512
011c53c9a3a207ef7192004f17e5b0ae59c6808b452286e21d255ad75e18f8162195fc70551fb0000a64076b2f682ea2f9dd43fd919363a512db16fbe11a0546

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\20240405122718.pma

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
53ba82d3f9c5571c3f901454acb7a0bd

SHA1
7572dc5b39ddb04451b2f60ee22c0de4a27cd20f

SHA256
d4e6f179c97b3d712b1fc0c0adab5d07f2745f03e54ae2d592bf6bef2c17a7c8

SHA512
c21d6967be27dfe769d846473adc8943220729a71d5015628f6eb71a2df299c09e5de03dc8144c49d0ff11188348e28f48a4bef5980c9b77633e6fd252c6dc6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
85cfc13b6779a099d53221876df3b9e0

SHA1
08becf601c986c2e9f979f9143bbbcb7b48540ed

SHA256
bd34434d117b9572216229cb2ab703b5e98d588f5f6dfe072188bd3d6b3022f3

SHA512
b248162930702450893a112987e96ea70569ac35e14ef5eb6973238e426428272d1c930ce30552f19dd2d8d7754dc1f7f667ecd18f2c857b165b7873f4c03a48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
8acd2ae7f3d73c6ef3bca929d56863f8

SHA1
2e6ee1ed5267167313efaf71a9905319a48219c6

SHA256
4278eac8fdc10429e404a05913558522eb7ac989e32cd86bed85d42d73ac9772

SHA512
8b1c6a75b65acafecc615717f5c86490269cf2505280b01de532579022e30e23e5fac1d373dcca3b4d2be51b32e54e164abcf5876d64f73a2ed922618a02bd3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
b964ec82777dee53a926ad26db0def4d

SHA1
d8100beac051ca2c92d7f54766675d0a1c9ca0fe

SHA256
6d4701b99abb385a081b4a6eecd37a99b578988091fe2e3321118b5765436b08

SHA512
28914addcb90ff3cb68e39fc28f728c39367c189dfd8f0982ccf957bfaa9080a13542b68027a4ab02c4158ee9b8449dac81e4260d2a01f0ee3d61cef7ba0c6d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
a9a68fa9968bffcb83c5050f4bd0a942

SHA1
cbd0e7d00c8d55b3824d50be3e3b9ba712521c98

SHA256
8a3f4d336a70d70df465b53aae5a7fab87c18377e4fa2e8b5f0dcb371956b22e

SHA512
f1ba18477ae5bdd0d36563755479f4dcdcfeb264db768d486017aa3eae00b446070978a609816da55367348236fcb1bf62b8b01803f55e0bff49bbbaabaa6d7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
fcd208cf40e2b1db78bf4deaefb6e33d

SHA1
73d7dec3c7667af65e9885812c734d6a2ad37986

SHA256
336804b7f382a939dc9582ad88123416a3af669cff2c881d0709dfe6eb8fd910

SHA512
38627069a187d74db22520b809efd23fc1842206714b0070e92cd350a520ddf2b511137c1792cadb9fe04440be2d06b6d217a8bb85440869894e59588ce48198

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
4ab0ba45559b510a54eaab978c53f0ee

SHA1
1c9ec88ec15bc8463f3255421328c5e7ad48dd25

SHA256
687b5afd4cea9d876da37754e30efb2e61f4ed41605475be83efb36c5bc6476c

SHA512
5f5708eb6cce0a5394ea349876f9cfeeb0e47618882a6efdef3c9af2f3aa1aaaac86a21d5a172b0ba78cc0d3786ab5ce32bb1372350da6b433a0511b6d5d02d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
27aae8021f36e93f7fbd900e70ff2c69

SHA1
9a6e0d413d54e1f23cd9a2debb24a19f87994e15

SHA256
7e08cacdd70c731f96cb1847ddd9707e59872ec0af67c6076c342bfa5b7d42fe

SHA512
4df404013ce413326cbdb5eac2e5535a3d500f91cd4b871a18b197e309023bdf133bf39c185b71081afef5e422798fb3af9b5904770f71eeb3d5f6aeb6e209dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe582100.TMP

Filesize
2KB

MD5
04695aadffdaf28b5be826d27d48721a

SHA1
ce79df7c80926a86b0e1a922a05bcab16c7620c4

SHA256
0bc76b0a74faa8d4d25cfa28127c42750e86004af7a10d590e07a33a89726b51

SHA512
aa3438c4a09ea9c0c52dccb6cba636ac99c11b47a5b78317869823d6c39bfdfa304f40e67867b8ca9c4269efaba12431ae59a1d54c671f38acb9e4fe3d23da54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
13KB

MD5
82060300d8c9866e0d1e08db31ea0b0b

SHA1
440cab3aed17beadc11809fd56e5209d958a610a

SHA256
99ce93a5f1b32f44398843bbdbf4925b81e7f0d7ad6e81a7d197a92b08d7a25d

SHA512
5691e8777678750214eb981e2df787febd19e94d9be905dfa68ae5fc7885ef45f968141f0b703ae3c785add11eb53ac8e631f7115f2e0ff8e093fa5dc477ecca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
10KB

MD5
38e484cb356a5b117c82637f27ff0d5f

SHA1
1d99bca9dc577e5c8db1361625f522387107fa5d

SHA256
e62983dd0e5588742815e6cb80bd1de03030e546972821cfc4c710a430017a94

SHA512
d536b190c54177bd535177312c3919023892b810fadaafd28cb7ac28e21573846b9387eaa1db3761a95938452bf78d45b2e60e73875e1f9adc1e36da25983915

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
260KB

MD5
9336b01eb3863673b510c39e789f4eda

SHA1
8814e4af5d5c5adc0cc1d95b0c26f430a77e47a7

SHA256
ac85250ca8c11f410168ddedfc38bb2f5eddc5ccf4613e8523ca2926b167ef9f

SHA512
1ef760fad0ddf0b6a0a07953b69ef1358b5ab187b21dc7ef70286f08cbda7a90c53082b1b585e2c775f4dd3f79a36139749b1a335b22db66459f3dcfa9946764

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
4KB

MD5
372e8a2924d44851da6116c44f5dab81

SHA1
0a635bc2588418bb93cc98f3c125a7b6a5eb80d5

SHA256
168d222fd739a28807ac9b1613c61603af877af7f820d6a3f4ae42fb9b9d5504

SHA512
d0faedd06a097419793271f93a98e30eefeb00d70ac8aa00127a40d15d609d3745d8b7168b673fdd685d1f70a0a0a114987261e3f63b9c802f384dc457ff5d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
6KB

MD5
200b0ed23e3c7ad0576fc68d003d402b

SHA1
08efca3a3f57613bafe9655a06ff146841fce312

SHA256
f102e47a6482f5df1fa7841a87bb55a1d6c4f49522e71b13d564918f496a34f6

SHA512
d28249d6632d86845c3e440f8a9679d86625e9d7d0b6c1512e47b4efee1a51fe0f1f9172ac6286476e3c0af207f9eb7fb92b335809fd6afc4769446e877a0244

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir512_950643140\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir512_950643140\f9750329-e75f-4669-9b47-ba5a1ca9d916.tmp

Filesize
88KB

MD5
2cc86b681f2cd1d9f095584fd3153a61

SHA1
2a0ac7262fb88908a453bc125c5c3fc72b8d490e

SHA256
d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c

SHA512
14ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986

Download Submit
C:\Users\Admin\AppData\Roaming\1919790eb3e2edcd.bin

Filesize
12KB

MD5
312998efabedb78b765efaa24aa54f8a

SHA1
d6cf8dc3646ff0361b5526bd4266fca6073f37f5

SHA256
e3345222ecfe6ae616a99d27c0167d19dfb7f67cea68935481f42e1597819f14

SHA512
70540f6420ca520a614a10116dd9ebf795e84189ea8a91032df6228780ea9eb366fef412a0823e24f044248471e30c6a69da2945636f07843a50108b1c49e0f7

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
841921d4dee8ba1b7c358d7c28a56411

SHA1
2752a0384a6c6750c052721ef65c3c88f357659d

SHA256
7528dde3f2abb7f9c8f7b681ec3fee08482bc76e75896a4079c63ab09ff76559

SHA512
c731719e570df126780f5f5b8ee661d26f1c13cd4c56c3692622bd3952aa3698b2e47b5948e605718b6520cb8c80e351faca6c7d7b5c88bd0313717cf4f70ee5

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
561f8341de3fe2265ee31ffd9b709f4a

SHA1
ddb20755f86e4fad1f26efa65ac468bb126578fe

SHA256
95652ca67c78ea5071103b178a3e60441241ee3b0c20f5fffe30fc4396513e15

SHA512
6eee7d615b2122561bd379b08e5833f53b3900958ba092ca2217fce0eaf8d02d6afea611247af3db539cd92400f03f653fdd18d46e48aef81efcb39a8a9e7308

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
5696656ed6623f668205c20c742f761b

SHA1
bd59a5938868ebf254c4a2fa3fdb78337a2df6e1

SHA256
d415eac7fb1104507090487bc60dc980bf64f56d1bac6a0f535d420e62562d73

SHA512
76a08788544da01b1795440fc9d35df97201da29e9652e2a424ba3465c80e7ab1fca07d04813add17136363f39d65582ae178cbb242ad2560104464a63d34013

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
518a569bc98b3c8a31bb2a12916d1956

SHA1
f0d5bdc7f8bab590c29b19596df6bac60b3bae2a

SHA256
49004a8a1120a816d7e3849fd81dfc9e7b2e2802b34a527654d1a018a663dc92

SHA512
9dddcd3a38bd56c5c3e2dbeb51f220c4442f7123cbf91c56dc240d91b79873b9ac26f7966a5e826827e11070e48a0bb80441a94f957fc5bbd7a894b347564aae

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
91b4a03ba2e2e4a1f021c288541e6923

SHA1
6181910fd285f3ce7e001a2d26267687b440ceb9

SHA256
79ccc529e1a206b5ba49ff3418041f62bbe2f94055c90209705f355a66641471

SHA512
f689f92c28607d17459e170fb33af06249bddd33b53b6696028ea4a15bbf3a59a6b83e74029f026f5148a31cffb62c3bc3bcd4d6e634d2b247eb411b1bf29692

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
6883ed44fef81f94dab05ccc008a5ebe

SHA1
702bbd6cc7bf20da526480b3b768f61ddd53cd1a

SHA256
b1fc43c8c5a1f75ffda5adbfda4cb485c1300ba5f745943740cc697edb6110ee

SHA512
f6009b7b5b1670babac440dd8cdee41dbb5eba7689a43e1fffa29162c3400c01aeb444c0332736c9dd0cc9dddebea25f3284cf9f111dc1981c55eae5ca32ea54

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
885f6dd8846c388daf28098231f0682e

SHA1
829f4c9d77000cebb4d862d5eae7c046bd447a74

SHA256
f2d12dfb083364a83fef79042a45968583c029a5e0f4282f1cf34c51b5abbc3e

SHA512
eb0e7b7cf0236837c814b5e66f4e58023634197245cb6a5a1b0c941f9e97c96fdb7c08716635a0d22081bdc249d6ce001e14387bf665284a30bfa0285c766ea6

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
fe8b4ba4f6f86e5a6a66286cc4d45c31

SHA1
36d6a3131774f9fa4ceb91baca3853c0fdf87fc5

SHA256
dd9aa96111e173fe690a4efc4b80533dff745cf576953cbbc2820042686b05cc

SHA512
dd7990c38f9760d9cdfe2f3f0cb012d5da3fd9fc20c058cc3a18003fd876b33028a6896beabb9454a7e9adc183b46640d893b478d0693c918c25fb8da059fc7e

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
a11600e6ca77cb9ad65e862ab5c08383

SHA1
829beaab64d9685c1c6344d137e63a3da2d73fc2

SHA256
898c535e4e064d29b1219d572100d36a09b2293d00443ba2ca8d75606019b334

SHA512
dd70f8b0421f1e31dadf208453e92d3113ed120e00d7f633f60d0e5dfd4a2392306278993b3c6919911c0f4245f50125cf207d44a1d2edcf49b2f79f4c547be6

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
f9757976cf84e6726c61a726b69c281a

SHA1
9583cfb23569fe6605f9b694367fdb6edc98ab3c

SHA256
0b1a17f52081de19a75f0f3511f57b3d6bfcbd68e634769ea64d8bda06d532a4

SHA512
350f11371701164f265e8c015749c1645df8b4d128e669341140a8bc6734429c2f833c0e5a24e62ee169dc1bdc10460bc6ff2687d1a98b975fcc4241d95a0202

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
f772db2a5a2249c51e36b0d02346f5cd

SHA1
7a64f466041aaaa0e99d8e5d33f27653ce393b55

SHA256
d9c71c856d729dbd73210683f08823fe120ed27d101097a9c77e8b5dc4e161d2

SHA512
7adaf17a3a6b0aea16633c08ee0da78e8a26ae889b8565dd3ec082e27bf56035c99e22842284eecf5d74802ef81ae2a684b08284e7e2bfa87eb32efdc5f779c7

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
2af4718e335f40b117767b2c7fca03ec

SHA1
7a412a8ae9d3779e7a5c128d767fd21239652f4a

SHA256
671008175b0c7781629eba3edadd243a8978b14c859d44d4f0b4b913c9ea8161

SHA512
55f6a58620397cc8ea81bfe8e1f82c410ac5e59d4e41164a85f33ec2e75549612f47facbf7adaba6a3f101212bef2eb6f584754de53e558377e2ae4bbd361647

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
f7324a88f1a0edb713db75ccfc907055

SHA1
414e54057b2ca9fd88724edefa7552acacda5840

SHA256
20d2fe9a425e151a2eaf227b82407f99e9b000a1bc3c5fb6ec1c94f108e8848c

SHA512
7c14d7a8c26a0e6db2a9d3bfa90bfc8391c9ced2e2a363200b4f355db7d304568d464b0b9d8c80d4f9e5ae04f9a91f4d9d6c26b381c0b911b1c2d475b7228aad

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
78c3214f3adcdedb82e5c806090953b0

SHA1
956f5fbaad35529a3469bfd6ba5c302a3981927a

SHA256
21e083e6ec48e6746e6d701bc3e99315feeec5737ace6d079beb696f7fb5a6e4

SHA512
1e16d0d3fcf4e76ea83ce005e14ada2bd2d888c7d01c3bb2576ca58d7036d7f18542e6057401ad8a498483d6b1310cf852e719dc92c44d22862834024233e370

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
972cb5cf558f3fe6d0077f5b77b37e9a

SHA1
ef2ffef60beeaa7f64749e9aa2cfbf4a9c2969f3

SHA256
0c125733257519e64126a5d0b94a04bfda388079fe8c4b4b3648eaa8ca22c875

SHA512
24d390aafaa83e2a75dec67d5c280e16ea1ce6ae2f5ca3a8676b81042eaf1811546dd03c66415475b4999fde4ec8a5bcdfa53bfa41f1a5b2af926d94ae4de558

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
54a3ae8bba16ca35eca99422a969a7d5

SHA1
001e1bd5d253d598eeeb1bc9c22f6530d2f13534

SHA256
85360ac74500b3616400ffe517cec9fd2921c65ddca88a1302392aae477b3022

SHA512
4196e107ba560bccceff1e3b772f8a473787dc7c439e330703102a16aa5b3d8d2dec17fb9ad558bf6ca91067da274b5aa601b416aea8047c379342f0e1b49e91

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
88fb412def0565cb07ca74bd967bf95b

SHA1
20866d61784686f0f8bc94c4515b4badd3eaa8d0

SHA256
6d8b8d8e1a492251ae3faf88f9a0ae6b8f340f07ae9618fe42300761e5db5b9c

SHA512
a964c9a0ed41a9f55262ae54fa94a8b49ab928c941720dd287b9d8c8bd01f97808c7dc07509623ba8a1c7933e39b8beb6cf926b09a8dc9b81402cab03ed6ad21

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
c2161aa4cb184d8544a3ca55b93eb2d5

SHA1
0f8b0b1c66227445ad7bd58461aba542525c774c

SHA256
95ad2aaab4a57dd3fe02389428e1c83123be714a630808a302d3ed6ea9527b24

SHA512
b944a029ad1f731c631d7ba45f913d4e0f0f3efdf23993ca1a2b3bd7b67099ecedcb05e903bfa463ff47b1dc1cb70c6355c384211c708d7e6ecca42f4913dd7e

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
0e1a0df5323f02fa141b11070035f203

SHA1
4662c48107aebe02429f78dc0ab4328f88ea9e8f

SHA256
169bdddd028372b9c8dc1bbc8bc1a48dce9089467cf7c3b5967ebc20713b1bb7

SHA512
5ef418e1f48b459f21f15f8462fceebbe5da2e16ff4cd02a614a6a508c1a9e28527c0d0778840600c85ba60d412de91e754b3aa0173ac4db70460367a2abc6e5

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
5ffcc393c3b2ad95b44bc877b76b40cb

SHA1
d24d8dfacd9638576ac29952e301385f719bd5ad

SHA256
ee6c189d177a9138c8804c51a8d32783c08579004cd223ef4cbca01a7604acf4

SHA512
1a23cf2dc1f631fa55e3eda702fe3422efbd9e26c57951d0f28e719bfbcf6a2c65d1d57dbd8514b09bc9977001429b81e0c2a7817960e81767510414c164a7a2

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
8bb226ff3b59f85a1cb4aa17752abc48

SHA1
abff6a6a18562fa1b4395c4eda0f9e3a328f055b

SHA256
082b2f0cbe278a8ed5060ea393f18bf831e64c763ad7658f770013f3f4f004c8

SHA512
64a5854fc9b9466648defa0cff947242d27fbd3be7c944858bd86234933305f5a898c1cacc7d01b53d0460cb94f07942cb2a3b0a95dd3bb37c3c3a33dfe60471

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
000d78bee99d0e2eafb09162a7b5c4d3

SHA1
7ab7de7ecdab4212e641e08ae8a6c2a204cf7739

SHA256
03afd5a38cbb2a1a1092e9df0a66cf0c1c17f89d72bd5615d6f039eb4fca9bae

SHA512
3524d557ce33a96f7236eb9ca5aef1ac02448a1363c477bd7ef413ae518894abdcf3c3f891942243b460fbc63710a9b3c8e7ff836f530bd6cbf48dd2ebf39279

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
08f3964d8eba8d792a837b16b0e003d0

SHA1
6545d09d7018ac0387d68828c10b2b95e5cf942c

SHA256
0509d3d2ae1cae3727b88b2443d7b0a6c8e3b7fe311593ec9474f53500e46e64

SHA512
27fb220fa10d271e3bde02894ea88f278417f465007091bdff04e07541d85d509a2ebe25838ae259a3247cc81bb3f110b7e19e33a97868c11ccaf467a9a99732

Download Submit
memory/868-44-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/868-46-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/868-54-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/868-142-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2028-105-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/2028-116-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/2028-107-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/2028-331-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/2064-27-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/2064-0-0x00000000021A0000-0x0000000002200000-memory.dmp

Filesize
384KB

Download
memory/2064-7-0x00000000021A0000-0x0000000002200000-memory.dmp

Filesize
384KB

Download
memory/2064-8-0x00000000021A0000-0x0000000002200000-memory.dmp

Filesize
384KB

Download
memory/2064-2-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/2064-22-0x00000000021A0000-0x0000000002200000-memory.dmp

Filesize
384KB

Download
memory/2232-388-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2232-273-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2232-314-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/2248-379-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2248-209-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2248-374-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2248-201-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3372-71-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3372-60-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3372-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3372-79-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3372-67-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3688-440-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3688-428-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3688-434-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/3688-441-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/3920-121-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3920-28-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3920-41-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3920-40-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3920-26-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4388-103-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/4388-106-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4388-86-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/4388-89-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4388-96-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/4920-478-0x0000000000B40000-0x0000000000BA0000-memory.dmp

Filesize
384KB

Download
memory/4920-472-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5032-102-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/5032-12-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/5032-13-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/5032-19-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/5196-126-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/5196-120-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/5196-130-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/5196-136-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/5196-138-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/5356-359-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/5356-143-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/5356-172-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/5392-444-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5392-453-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/5400-352-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5400-426-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5400-361-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/5592-376-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/5592-443-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/5592-368-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/5732-466-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/5732-457-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5744-380-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5744-390-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/5744-456-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5808-399-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/5808-470-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/5808-409-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/5952-412-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/5952-421-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/5952-342-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/5952-335-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/6036-413-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/6036-423-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/6128-407-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/6128-332-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download