84638040847e18505bdd53230913b628951e8274841df482d89df10792365401

Analysis

max time kernel
152s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2024, 17:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
Size

5.5MB
MD5

7e58d1f3a3edb5812b607231606543fb
SHA1

15e394384e059ae9ae895f5cc0db5ab1b70cfa7b
SHA256

84638040847e18505bdd53230913b628951e8274841df482d89df10792365401
SHA512

610ef1436d3631c168dcbd06e9e2282be7cd0b0edd2ff604cdef8e7e3649d29f14831b6fabb9073ca877862ffbf31e81669e6f17e1241c23766da938d04203d2
SSDEEP

98304:hAI5pAdVJn9tbnR1VgBVmyRVlbnP9WXW7H6C:hAsCh7XYDHBVH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
5008	alg.exe
4080	DiagnosticsHub.StandardCollector.Service.exe
1900	fxssvc.exe
3796	elevation_service.exe
2016	elevation_service.exe
1768	maintenanceservice.exe
2912	msdtc.exe
4628	OSE.EXE
4896	PerceptionSimulationService.exe
5280	perfhost.exe
6012	locator.exe
6108	SensorDataService.exe
5308	snmptrap.exe
5508	spectrum.exe
5620	ssh-agent.exe
5760	TieringEngineService.exe
1540	AgentService.exe
6020	vds.exe
1396	vssvc.exe
5992	wbengine.exe
5556	WmiApSrv.exe
2624	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b857f058b3e2edcd.bin	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\java.exe	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{1342F81A-D5C5-42B4-A5E8-933F7759DA30}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{1342F81A-D5C5-42B4-A5E8-933F7759DA30}\chrome_installer.exe	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaw.exe	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaws.exe	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007f4c08116c8bda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000037d2f5126c8bda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001763560f6c8bda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001577d1106c8bda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008f9a16116c8bda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cc04f70e6c8bda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d2d7f2106c8bda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133572434732485993"	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000061a25c106c8bda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d4c5c0106c8bda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007a5da5146c8bda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
3968	chrome.exe
3968	chrome.exe
2964	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
2964	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
2964	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
2964	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
2964	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
2964	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
2964	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
2964	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
2964	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
2964	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
2964	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
2964	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
2964	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
2964	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
2964	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
2964	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
2964	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
2964	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
2964	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
2964	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
2964	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
2964	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
2964	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
2964	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
2964	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
2964	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
2964	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
2964	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
2964	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
2964	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
2964	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
2964	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
2964	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
2964	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
2964	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
6532	chrome.exe
6532	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
676	Process not Found
676	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2828	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
Token: SeAuditPrivilege	1900	fxssvc.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeRestorePrivilege	5760	TieringEngineService.exe
Token: SeManageVolumePrivilege	5760	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1540	AgentService.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeBackupPrivilege	1396	vssvc.exe
Token: SeRestorePrivilege	1396	vssvc.exe
Token: SeAuditPrivilege	1396	vssvc.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeBackupPrivilege	5992	wbengine.exe
Token: SeRestorePrivilege	5992	wbengine.exe
Token: SeSecurityPrivilege	5992	wbengine.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 2964	2828	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe	90
PID 2828 wrote to memory of 2964	2828	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe	90
PID 2828 wrote to memory of 3968	2828	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe	92
PID 2828 wrote to memory of 3968	2828	2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe	92
PID 3968 wrote to memory of 3856	3968	chrome.exe	93
PID 3968 wrote to memory of 3856	3968	chrome.exe	93
PID 3968 wrote to memory of 4664	3968	chrome.exe	99
PID 3968 wrote to memory of 4664	3968	chrome.exe	99
PID 3968 wrote to memory of 4664	3968	chrome.exe	99
PID 3968 wrote to memory of 4664	3968	chrome.exe	99
PID 3968 wrote to memory of 4664	3968	chrome.exe	99
PID 3968 wrote to memory of 4664	3968	chrome.exe	99
PID 3968 wrote to memory of 4664	3968	chrome.exe	99
PID 3968 wrote to memory of 4664	3968	chrome.exe	99
PID 3968 wrote to memory of 4664	3968	chrome.exe	99
PID 3968 wrote to memory of 4664	3968	chrome.exe	99
PID 3968 wrote to memory of 4664	3968	chrome.exe	99
PID 3968 wrote to memory of 4664	3968	chrome.exe	99
PID 3968 wrote to memory of 4664	3968	chrome.exe	99
PID 3968 wrote to memory of 4664	3968	chrome.exe	99
PID 3968 wrote to memory of 4664	3968	chrome.exe	99
PID 3968 wrote to memory of 4664	3968	chrome.exe	99
PID 3968 wrote to memory of 4664	3968	chrome.exe	99
PID 3968 wrote to memory of 4664	3968	chrome.exe	99
PID 3968 wrote to memory of 4664	3968	chrome.exe	99
PID 3968 wrote to memory of 4664	3968	chrome.exe	99
PID 3968 wrote to memory of 4664	3968	chrome.exe	99
PID 3968 wrote to memory of 4664	3968	chrome.exe	99
PID 3968 wrote to memory of 4664	3968	chrome.exe	99
PID 3968 wrote to memory of 4664	3968	chrome.exe	99
PID 3968 wrote to memory of 4664	3968	chrome.exe	99
PID 3968 wrote to memory of 4664	3968	chrome.exe	99
PID 3968 wrote to memory of 4664	3968	chrome.exe	99
PID 3968 wrote to memory of 4664	3968	chrome.exe	99
PID 3968 wrote to memory of 4664	3968	chrome.exe	99
PID 3968 wrote to memory of 4664	3968	chrome.exe	99
PID 3968 wrote to memory of 4664	3968	chrome.exe	99
PID 3968 wrote to memory of 4664	3968	chrome.exe	99
PID 3968 wrote to memory of 4664	3968	chrome.exe	99
PID 3968 wrote to memory of 4664	3968	chrome.exe	99
PID 3968 wrote to memory of 4664	3968	chrome.exe	99
PID 3968 wrote to memory of 4664	3968	chrome.exe	99
PID 3968 wrote to memory of 4664	3968	chrome.exe	99
PID 3968 wrote to memory of 4664	3968	chrome.exe	99
PID 3968 wrote to memory of 4968	3968	chrome.exe	100
PID 3968 wrote to memory of 4968	3968	chrome.exe	100
PID 3968 wrote to memory of 3748	3968	chrome.exe	101
PID 3968 wrote to memory of 3748	3968	chrome.exe	101
PID 3968 wrote to memory of 3748	3968	chrome.exe	101
PID 3968 wrote to memory of 3748	3968	chrome.exe	101
PID 3968 wrote to memory of 3748	3968	chrome.exe	101
PID 3968 wrote to memory of 3748	3968	chrome.exe	101
PID 3968 wrote to memory of 3748	3968	chrome.exe	101
PID 3968 wrote to memory of 3748	3968	chrome.exe	101
PID 3968 wrote to memory of 3748	3968	chrome.exe	101
PID 3968 wrote to memory of 3748	3968	chrome.exe	101
PID 3968 wrote to memory of 3748	3968	chrome.exe	101
PID 3968 wrote to memory of 3748	3968	chrome.exe	101
PID 3968 wrote to memory of 3748	3968	chrome.exe	101
PID 3968 wrote to memory of 3748	3968	chrome.exe	101
PID 3968 wrote to memory of 3748	3968	chrome.exe	101
PID 3968 wrote to memory of 3748	3968	chrome.exe	101
PID 3968 wrote to memory of 3748	3968	chrome.exe	101
PID 3968 wrote to memory of 3748	3968	chrome.exe	101

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Users\Admin\AppData\Local\Temp\2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-10_7e58d1f3a3edb5812b607231606543fb_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d4,0x2d8,0x2e4,0x2e0,0x2e8,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3968
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc3e739758,0x7ffc3e739768,0x7ffc3e739778
    3⤵
    PID:3856
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1676 --field-trial-handle=1888,i,2277248390940553069,18322180550329682526,131072 /prefetch:2
    3⤵
    PID:4664
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1888,i,2277248390940553069,18322180550329682526,131072 /prefetch:8
    3⤵
    PID:4968
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2248 --field-trial-handle=1888,i,2277248390940553069,18322180550329682526,131072 /prefetch:8
    3⤵
    PID:3748
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2980 --field-trial-handle=1888,i,2277248390940553069,18322180550329682526,131072 /prefetch:1
    3⤵
    PID:4264
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3008 --field-trial-handle=1888,i,2277248390940553069,18322180550329682526,131072 /prefetch:1
    3⤵
    PID:3680
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4520 --field-trial-handle=1888,i,2277248390940553069,18322180550329682526,131072 /prefetch:8
    3⤵
    PID:3660
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3932 --field-trial-handle=1888,i,2277248390940553069,18322180550329682526,131072 /prefetch:1
    3⤵
    PID:5084
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4844 --field-trial-handle=1888,i,2277248390940553069,18322180550329682526,131072 /prefetch:8
    3⤵
    PID:4640
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4864 --field-trial-handle=1888,i,2277248390940553069,18322180550329682526,131072 /prefetch:8
    3⤵
    PID:4288
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 --field-trial-handle=1888,i,2277248390940553069,18322180550329682526,131072 /prefetch:8
    3⤵
    PID:4568
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5132 --field-trial-handle=1888,i,2277248390940553069,18322180550329682526,131072 /prefetch:8
    3⤵
    PID:1868
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:1084
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x23c,0x240,0x244,0x238,0x248,0x7ff7543c7688,0x7ff7543c7698,0x7ff7543c76a8
      4⤵
      PID:2988
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      PID:5168
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff7543c7688,0x7ff7543c7698,0x7ff7543c76a8
        5⤵
        
        PID:5188
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5632 --field-trial-handle=1888,i,2277248390940553069,18322180550329682526,131072 /prefetch:8
    3⤵
    PID:5364
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4544 --field-trial-handle=1888,i,2277248390940553069,18322180550329682526,131072 /prefetch:8
    3⤵
    PID:5372
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5636 --field-trial-handle=1888,i,2277248390940553069,18322180550329682526,131072 /prefetch:8
    3⤵
    PID:5452
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5104 --field-trial-handle=1888,i,2277248390940553069,18322180550329682526,131072 /prefetch:8
    3⤵
    PID:5860
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=1844 --field-trial-handle=1888,i,2277248390940553069,18322180550329682526,131072 /prefetch:1
    3⤵
    PID:7052
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3780 --field-trial-handle=1888,i,2277248390940553069,18322180550329682526,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6532

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:5008

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4080

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2144

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3796

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2016

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1768

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2912

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4628

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4896

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5280

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:6012

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:6108

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5308

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5508

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5696

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5760

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1540

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:6020

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1396

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5992

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5556

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
PID:2624
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:6008
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3936 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
1⤵
PID:6816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
7df8698c87e4e165567ce4bbcb51f88c

SHA1
693c90f2a96c20bd993ad5139d6013f6eb330a7e

SHA256
1d05402ddb37b18b9cd0dd10a112fb5626d011cf7f361ec32972e7e9e77e07f3

SHA512
64ec84a4f259c8f6ace423e244e99fe6a6307a33bddf52acd8a5383dacba26c0e085343cf1b7a899808e7c8dd007db16e6b0103f360e506497c55cc94d2114a1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
ae92713a8a6c9df776eada02df73d11a

SHA1
2db55cd9a0ea66b81dd2da9a57e18f5a82b44b50

SHA256
8f0d2b8fc81e2b09bf7bfd51efc8bae95622304c40d53f7a89ca383fb4a5e8e0

SHA512
f7a67051080ed8e0be628e2a4ccb08c68d76501a862d4c672c26af87ccf8c9bafdc57c8ffe3136e33f26424898a15b07c7ce5937e1455520c32451966a2b6b4d

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
4d7d3be22bbb6fb09858a26c3b177556

SHA1
3875a0dc8d6df4ce9a5bcb86333c1082843c3c76

SHA256
fed7d882bd963d9d780d4a015bdadbd99bfaaac9520473e9fccc2da799a5d3fe

SHA512
f40cd2044f9d8be26fcf99f305e5d22f88aff079cca5fd6d76b99db963c276d71dfd8dde3b5089488ca4a511bc4de256b8806cf94b1893cdb9999d60673abb1c

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
7436047f0274f22ac71ab23b2ae9e90e

SHA1
272542e4cdecee1af8721f66241ca5b56a3da8a6

SHA256
b842e3ffd2bb482dd6f5f6ac1034210e8414dccaa6ab8811a39b3c4a726e9158

SHA512
077ac89780388170bbce31d01913fb43c743ff2a35e8cd3beb1131036d8b89e45ad51a5d37291dfb899b3ecf341bfb2f86cfe4515cc497c14ef2906574d77edf

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a5a973227e89b29ea1cdf914b55a97e4

SHA1
b97f2acf09e529a6027f0fb76595dc3fb35efef9

SHA256
cd4394c352b8c0c963ab8a70cab442d69d8404c12584b3c8ddd7c80527b0cbf2

SHA512
d59185f7d0474351da4c3d6fc795edd83dce525bb4da5373f5f21ad847a105b006137dec03816bb94b151bb2c58ac5dff3d0203cee134cf89ecab34609874b9a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.3MB

MD5
1b116d0c4a788e7cd2aa89e6d5b7aeb9

SHA1
8fd81a91b553219356783e6aa09c952c114161b7

SHA256
1a8ef1f97974ed47abccc05cfb6f8393ea1651c01f231d954ff7f3530a4e7080

SHA512
58c2d44e9f2cc997f917b82d34e732f9a45b04d89e713dab13c342172f3c3092c7f608c0cc7ddbef0e7b4f9e8eb8705f6f1fc43ab9bb7de76d27bc777639b7a3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
3cd91800b581f971edf2b679e3144688

SHA1
3d1ff2bebf07b6141c4c78884ba4b22d63101334

SHA256
50cc6e202350dd68ace2b05af34a32b960fb963b61d21748fdcc01d8a7f3bac4

SHA512
bdbd1835c6711f027c226a4640daf2e73e24603afb7a8a8ca7b67ca0329c58e1fab7287ee68b8adec6854f78b76a3be09ec31d844a30c427f52f2d3ba129d919

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
133c4803d1a45db1b0fde1d8c5ec9c6c

SHA1
9a5a26103ea26021304aee2d481c1dd6d9bbcb95

SHA256
3723dcce7cae627301d4a7901f6c3e3e7257dda10ca0bf209bbeca74caf32585

SHA512
986583a531f32c7a1a2b32485879d50c531d6c24ab4bec72385cbc4769ad7615393f79b46ded39a4054e91ab1cd83dff148924c39f35c24bb73642ed63f26683

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
1523bd730c6dfc785eb506e03cbcff94

SHA1
4b3a18c14f2c446df8765ae93f139f37fcda35b5

SHA256
e9cecb1de2ca9be7badb14ec19e90499634e97f72603acb80e5ad09ee6d6559d

SHA512
f673b0a67c413d6ddd8501a55c589a114dc59257360352d3d48afaa8d52a1ff86059717867e4e1275cc6811de3b62b7629501690d9aad7e05aaf8fd762445975

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d35e6a64defc7b658942ca478e963053

SHA1
45b3743ba15b70568387849ad1dd280e12a55e2c

SHA256
8e5401f1e9419bbb50def95154cd8ea59066da6b3a755946301915e0a2339a7e

SHA512
f45cafad6a1cba9674d3160b91e6e22f0ba33a97edca4730682b2a179b9c5759985b7fc84f3a19d878ef95b1849e7821de6db439ec2deb2388742b79e4e56496

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
89480f48f8d884606e706dc283001b8b

SHA1
80e73f5ec7cd674cadd82d3e1ef05cd61e53cf7e

SHA256
75ee726e34dfa32af2605a35f4a04ff5d8b54460152410659ffa6884c760fb8d

SHA512
a5f184d3506e1efce0ef26a419eb346d3c42eae608ce20ef4bef3feadfb59eb88d760333228631ff2a2b8d215689d89ba859cbf0bd259a729f59513a120bdb49

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
826ffd9b9d8bd26098450d147d1cb67e

SHA1
62837cc986357ab5bb2f9671325104de7d95b6bf

SHA256
8569916764eb8c8761f011980c97e1bf37df91f7581ad064cff18ad4ca7055d2

SHA512
3e1f01f8184be919d6dd6eb5ee70194255b4c9625925e8be5bde4ef464dae2610ca293795e515425503f6fee1c772bcc99e08f311994032e85a29e7940abb4b6

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\e2adc50d-9297-4818-af06-b4faf6406aaf.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
e674a67f196cced4f6b478344e7c81d5

SHA1
5bdb06e2625f0301ccab1a4dee704a7f524ddc00

SHA256
b8300073dd8dcf29061b136d6f91c1f11e6dd6a4a9de4ffe4616964bee945193

SHA512
b397c0603c10ae5d5dfb1e9686b229d7030eface4f18a79649eb28df2112dcd9ebe4cbb09bfff4f5da96393bbdcbec96fc07c1a9665609a8d443478f460ded31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
85cfc13b6779a099d53221876df3b9e0

SHA1
08becf601c986c2e9f979f9143bbbcb7b48540ed

SHA256
bd34434d117b9572216229cb2ab703b5e98d588f5f6dfe072188bd3d6b3022f3

SHA512
b248162930702450893a112987e96ea70569ac35e14ef5eb6973238e426428272d1c930ce30552f19dd2d8d7754dc1f7f667ecd18f2c857b165b7873f4c03a48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
d6587dd71855b916fd1470a9519123b3

SHA1
417b5e6db6ce7892695e099b4624e26dbf79fb1a

SHA256
eab948491510fe50e7618363f264ac14cfb4b0b0838c5eee9f0ac7705e150ec4

SHA512
07be559c3330b6a2713124a0cf4363cb2f9541f860b588fb28d210bf8b50ef358c58298c74ccd47ca92377d12fe567d9fa860a22a0e2863da51612e7e2c42675

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
1ec151d2c1230ae46f6418cf5fc3f6bf

SHA1
d661cfc59300535ddac0f07b324276bf1aaa06f1

SHA256
f4e2af19ad0d3b122c28649e52c8f3427470402849d57db2a9fabafb9fe37d94

SHA512
2e40ed2b14a9cbb3a3fbcfcfce81c896a256329f50006931152806076bca82c75d2eb979963aa69115eb0183128891996af15b5cf08f44763446f703eb3c9765

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
0eaca761398c21cc4aea9baf02758f5c

SHA1
960d25e38a4937bd7196e3d29b1df3a9de9e331f

SHA256
1befa86b718b8ad4da0ec9606770c7d6114fab652617b2669ac1d25a214e4410

SHA512
7dab4e4d05baf9aa294cf1846ee841c8e3f66c9d2d2fca09560505035b5323a86df5fd01732bbc89b91e9071e088a86837f43a39f8a2c70ebe4ddccaaf503de0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
3d7817be970187de6c3fe38625fad0a3

SHA1
0a55c72dfc6ca031e3e28bcc76b26ced2a664072

SHA256
ed96fc4b9deaf85f98f9f33d3fa12dd4618c1216f87c4e7fd027560a653afcfa

SHA512
8cca2826709a92616409f58b80856d60669aa8450d759acf1498166a8db94b0c5141183dfea2c307087d4b07234e4e0e9410ce9a0826d16e3c18b4e429a54e95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
0d2212f91815bec9adb75fa727f6f0c6

SHA1
2ef3a12b5998684d7a193d6e0fcefaf91dd77570

SHA256
efdfdb4fbda8b00ec4e49951120f00ff8755754a3c0f7385d0ed7178c9933b0c

SHA512
64962ac58f0fddca27f7d1a20f7ca3c2413b190076a0b5b3ab7448a8a8d2b42a441f9fd8ee58d64053538e74a585f1d34096c52a6e9f37ba794c71b420074ed5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
c42077266287385f86fc5337f3ff2ad8

SHA1
8e1f7acf79ec8c59945ab8745145068d3ee7d339

SHA256
047982dafc00c31c1c44366452326a14db53adab8b6b564eb8022e232f367c7a

SHA512
8bcafc1e636d4b4ee69a92fce91ff8c27013c885fad06c2b4d147b3f8eb64665cc5e27a8cf79ffb43b0bbf785dd536c8c47462b19b5c2ea9b76a171e47659fb7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
1e24a215991274626fcc6588024c6996

SHA1
540d7c21bf2bf496d1f5402385c3e5a656ca2a0e

SHA256
22e55424df87778797ec2e9e34ce9a7a47f23f30e6a6a9c8c0c5c6046d5264f9

SHA512
b81498df94ed115a220909250229515cfc0b2b5be0c37ac9d488729d27c4c65e512d79756f521845593b01540d68c55e63a0a94f63e89fa675d09f192317c899

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe582ff4.TMP

Filesize
2KB

MD5
04695aadffdaf28b5be826d27d48721a

SHA1
ce79df7c80926a86b0e1a922a05bcab16c7620c4

SHA256
0bc76b0a74faa8d4d25cfa28127c42750e86004af7a10d590e07a33a89726b51

SHA512
aa3438c4a09ea9c0c52dccb6cba636ac99c11b47a5b78317869823d6c39bfdfa304f40e67867b8ca9c4269efaba12431ae59a1d54c671f38acb9e4fe3d23da54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
10KB

MD5
b558a8040a17e1c6717c379855cdeb40

SHA1
9024f8dd309461691f84d43c2e583660148d857e

SHA256
824c7b714ad7eadc9b1eb2162df2647e1b266539c198f013ef431acdb0f98888

SHA512
3cdadcf4f23c9c5a3f778aa783788571313cf2c5d705453f766668cfd193f513b57a5fa1e449516720e6ed0dfd98b04af6063fa99371149f0e89d9f68dd5db6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
13KB

MD5
e06ecd16cd08f2d305e613d71cc17c08

SHA1
54c8bbf8d18311d5ba42c0d3839585f090d0c4f9

SHA256
ea50165119f803c6d7caca11d248742a131580bf47e2aebd4e167dd83e93f198

SHA512
474fc1ac251eb22e9fe1b85f8caf9fc5209b01cde0e7f84d9bd8985c0ba3f2b96959ed26aa873a21dbf1f6b5d45a14fc49970adc0d317f039513f14bd93fc686

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
261KB

MD5
4434a7d015e3255a8b6ca9643db017b7

SHA1
dccae90eefc9ff703c806d49b5aed33faab52330

SHA256
3e311835cc86c60c92ac3183406a7ebeab531939978aa85d4e89cf9b5d8757aa

SHA512
b3d67c48de78511b9ee70052478cf730300609753e44e593e39550c492a1702de263caa19c0a1a84040379cc7dadb9a3ef65fa55c07d751df63f299eb5e4e5b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
4KB

MD5
de8fb942890ca0a2a2c44e3236f96205

SHA1
6f4bc48d8da1a601bffdf6917b5e5fa47ce8cb8b

SHA256
edc8365a405f57d0ea41f70b9ad77cbb85cd128990c576ab282622051a18934b

SHA512
2a7e264765fc6676b679c446b0606c7fddcff00233f8dde3878d49abce4ab4ee60238ba0af94220d18b5a21882aa2a9b89b251e4f9abc776d0123129a5d7b482

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
6KB

MD5
839c096a90be5264cca8aa56b17c8776

SHA1
253f9379c7541b7cdae251e6d4b3c4cab44206e5

SHA256
eaf2676a5adb45be6f6002c21f195add15c7bc288116f4e1729779a1c7de3010

SHA512
183b4474d7065330281c230b51fff56240ad4e60d1ce3273fbcafb0682d2195baacdf53bce46699f62213352262650ca648815ec3b3d4f5749574b795903a6e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3968_926268127\47b087a9-a4d5-4877-8184-2895150c6569.tmp

Filesize
88KB

MD5
2cc86b681f2cd1d9f095584fd3153a61

SHA1
2a0ac7262fb88908a453bc125c5c3fc72b8d490e

SHA256
d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c

SHA512
14ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3968_926268127\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Roaming\b857f058b3e2edcd.bin

Filesize
12KB

MD5
a4d7ce3cde23e0d84aeff2530b7d8d42

SHA1
3528d91167a328a811b9da9cfeb34c33e48d7133

SHA256
b43d0dbc25077eac70e46635d914662750b36d75ee4d17175426ec7c519df731

SHA512
03e31ab3a6da3a82db16668cb17cf197293622ad4f6fd1a0a57dfae418e8b04fbdee000c55c257072a07d95a8775d4ae7c37d9e92b79fda0a50db1b5af3d9167

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.3MB

MD5
4275c8a9d2b66ab9e786ab7c446ba53b

SHA1
2d43e7a6af848528485bf4473c683724554f8d15

SHA256
54bfc381663b0294d8ac87e325c049266e0fed4f06c44e25d1db7ea53ca313fa

SHA512
3dd6a812f4f3f89e8196232c26ef54bf72e9c85bb001239a66fd1e5b0f072994f1a94125729388ca16478aed7669b6802b69f64af7e7a8b65af25ec1d9640197

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
e04eddd6620df6c37d2f51500c28e8ad

SHA1
1715ddca5bf9b0ec9d1ee7c3e01165ff9f629859

SHA256
6976ec373ae53038d47ceb8414f36c4b95079da5ff926af80523b3e265656edb

SHA512
8a4881eb2750e6c4cdb7d1e1ccb7a30447be7e5e5bec48351e66a655a10a08fad7de412a837c0d0fa51f7ef174b948f29133606a2184b6e491c06c6e31ebc4f1

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
6991437b0d992fbeddae5b0a538a64ca

SHA1
136dfc8729d08b7940281df01ed2e05af1fa13d5

SHA256
fc699785a2201151d3cc37335ce9162d3f34f2d654ed08c51df0119fa882bc0e

SHA512
e55dcd80bd0750d6270e037ff471dde76cee2a98e6a79535428d99c8eb4a90131d0e3f0a3f7b8e3a60a755867f79fb9f4fff66a10af36d9456ddc41e7d6709a4

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
d6431fdf0aba810a47df4c449a8ff8f1

SHA1
c21dc3415aac4cff9c59d32a5ae1b355f2d1aea0

SHA256
5486798903b3cd87b9861c493d719b732ca2c66137b7a1b2fa6ab43a935ee667

SHA512
e66892e8afd8a852aa3bbe0014b47974502cac02ebecd235a2d4cc9839c2d868d5a80666c9373a8b1b46034d792992359567079aa5a9bc8ca5f3f2c2761bb732

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
a293317678457766169ae220e0b88d1f

SHA1
f5fbb3d95fd76ed881c37c57b56efbe8c67abab7

SHA256
ca1121eae6892f83e4702aa3927866cc6fe18d8f1ca876caeb785de7415dd61c

SHA512
5609824e5dee23d07a9fb2bc6e85578fc5c078135d83632e79c97f95e86ab8a850275be59f086dc3d5b75c9440fac440564faeeba813d42bce9b3136916a87e4

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
cb4e243f9dacc68e2f55cc2feec09893

SHA1
7f87657c77871c15029a8d36accff9b95a3381a6

SHA256
684c29e8f5cdc7791fa8ffce500b9690ce8a53591d106a9ec4f326f1c6e59960

SHA512
5e15c5c9a980743ea9ae68ccd27477fa96fe2dc31c413aba4d6148f792507e7946c904dc2f52f1260acbef68221f7b700f0682eac620a9403c2b37a1de1d4536

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
9631f251e23513efcdfde3b2a119b8be

SHA1
2095e1315cff01e54f914cff45ecf2d54b8d55c0

SHA256
8b3b2dc1573976189a28678eb6c44307c46a6e7b3ec3ab0da6828a72def7275b

SHA512
a11ec5c82615e5ddc12fcd0c83128a58bb504cf68921b7851f96c1652b36d441f69712780d76e513868edfb1c91209b117749a8c71f3b0ae8ccc729934f18a59

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
c3c4b263b0338b816eaedbabf96a3aa1

SHA1
2e7cf36d2b2c7ddbc70b2c7791a6dcb3d17cf70f

SHA256
1454dbeeff4e17766686d27b06e75c949c1359cc349a0aa200db0bf58f41f4b3

SHA512
9255244eae32e3f780014ab5deb6fff5ad2bbbcffcd54c34660a870e431626186ba580962016b5cf8f90489c4a61454ab5150041d9d0e3d0fb541165a7ced670

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
8a6649efb7b6f6831b31db583ae8d616

SHA1
3fc3b6702b93b17203c136741c3caa6af1f2b928

SHA256
472a04a098b3d27e547486df8c6299f5a2db10f16506d7573091b70cd4a93000

SHA512
f5795a4e12ead42e00d7f80e60a39ce961e0e26c5d175bdf9ca7957ec95a32762d5041dcf04bd01b17aab4a1429994bfd0df21e0eba1d74155f4eb0fd18f99a4

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
d6b5a8644b78477ed3411b646f8899a3

SHA1
4954c198b0cb6b53b6e2b9f5a2c8f6f389bcf833

SHA256
067ee417ead97bb6f6bd2be3cc5e526ad2d7f743ca68d77d2da8412424b657e3

SHA512
e5295106fb999249d2588c2122f6bdc46671ae2623c5ee233e7bae69eeb6e6a1cff481d96770ad878188f77d3cf534ecb11fc74a1c8ecce59170f8cd22346a23

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
eb15182e551e479e289922c145573f64

SHA1
1a151bf11dcb37ebfd096c29818881cb4c64fd55

SHA256
1c2b9aefb37686f2bd4cf41014ee22cbffdea58831e8bbb7305194e5fb0914f2

SHA512
dedd5d6b5fb9b83eb6591c50501cc5c72265d33c450c07cfb5cfa2337448cabe6964238c323ad25c13ef194172d3158a1202ea3fce99799073a53d9b7695e751

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
bc8aa47545c159aff765cdde9e9cc25a

SHA1
c231f91822b49e606e158829ec1188d8d6c71270

SHA256
e566198eec6e58931dcc7243e3af52e79f05312180ec5b2861f3f1f135149d87

SHA512
f348da85820cc33a4db5c638b62581603856ea73b45df1f15798b67bc659df95e7cfdce62d5351cc2536707416bb85d0ec2019ceb3d011f9c62bb902d1f1265e

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
909feb72eef09246f868003ebb277cee

SHA1
5cfa8108e04fd2f023d4e9ee1ed6087248e922d8

SHA256
f46ada35250afeca0984d63da05faa2924137aa5acc8ba2ba4f867a364f3c605

SHA512
9781151fdc40457e09d8eb6b053d0565e0df80a3f3df2e7e9fb5bfc37fc39e46107ede862199ecf9fd2124e62a144b2678eed43d6b39b4ff60a5b7005245f8ac

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
65787799602d0652987b812ebf0902be

SHA1
22d94e07eb10b8cb31ae20f8b7079360fbdda719

SHA256
8ec17f0fcd901e6f12beaa4aae6dce276bea0eeb5b7cd4f215db0e49a264ad92

SHA512
1370244ec0ead5f5a95fc395f7582e2c441e0e5ac5fd72eed4e4812e97443dbad464df6e652c51579f2196a0de44904475fccf6dc80ae8bf0b557b833c9f641f

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.3MB

MD5
06e53adb570f0e1fbc65fa42924d81f7

SHA1
08b0e124a306b96e8d437d669a66990796b6803f

SHA256
43e649ba71be9f5b64d39f575d82d99d8675410e090ce98ef48756fa61a02460

SHA512
1e6c4231cb1a7b915157ef802be096fc136c34f4798b75b4df1f48c6b8dab857318d0d8cbb3449b90328a4f33c3b13479353b316342b329ade63ae5f617d9899

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
13637eb9aeb4e51719fd72ec028d02e1

SHA1
59b6472fe61bd193cba575bc2c9d9a6b23d5ba1a

SHA256
3af6d82c36ceb75445f41da49e9cc63f93dffc6045420e3a047b21d98d4ec2b1

SHA512
10e2ca8c24235c0fe5cf691ca75d50dea7c0fb2adda4d1e430314a400ca804c0eacd406c9d3eb78af4a979cca905228d3ca477dd91089efbb837cb61517f8a5f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
8f1f77340568ec1329011705a304f889

SHA1
b902475e2cb20ab226de92c5f5d1899d6d36b150

SHA256
ab41ae812abae3b3bf8be7fc9962e3ee07d6de69ec8fb120e3dbba88092481e0

SHA512
b6d270544ebd949b44be8a8afc1c5722c271700a64c8267e697d7e3e3c300ae8a68cff1899181b8773af88a8c6f5e7c5e32c2feba729898a08225949e171fb12

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
1ce832d8c227ce2c3a67d3011f6c9aac

SHA1
1a3bbf477ebbbbcf64ce3eae352fd6917f65f974

SHA256
a0a076ca1077c879c5982936c5222a39f62d8b8ff8100507b6a6af7b5d5a5b01

SHA512
74c0b162f4883a001a0f4c5c88cbf84618879b414ae03691ea0e43d6e4c619d968722b60aaea0e70b24634599a95c4f7937a2279489e6e4516c24575362d3778

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
0e1a0df5323f02fa141b11070035f203

SHA1
4662c48107aebe02429f78dc0ab4328f88ea9e8f

SHA256
169bdddd028372b9c8dc1bbc8bc1a48dce9089467cf7c3b5967ebc20713b1bb7

SHA512
5ef418e1f48b459f21f15f8462fceebbe5da2e16ff4cd02a614a6a508c1a9e28527c0d0778840600c85ba60d412de91e754b3aa0173ac4db70460367a2abc6e5

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
9c50898efa01e7ed9b95d80224380e51

SHA1
8d969ecdde3a422ad4a857e54046dedeb83afe4f

SHA256
34f52a065a80dbdcb3e26c16cb26a892ca05b05d1e23738bf9c9d4266b2710b2

SHA512
e6f2ceb6904c20d457c9317a0d66bc0d68ecf9add7f76e5783f70fca236aede1fcffe33ab7e4f33e6f64a4d651b4db9332b04bc123303d2ccaebc5cf1f87312f

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
4515f47d885d159eb0e5c36c7321a3e3

SHA1
9d8cbf24d8dc2621577197d1f93418031d617811

SHA256
ad5bd6fa5e32189add1df0e5298746e0161cb3b8727ea245bf2b7a2d3145219a

SHA512
b38ffeafe56ba725c3c9c2169d687c90afe506f6630597761dbaa26a76a77fd5778e8d4ba2ab9cc485c33991842049395caff861e18af9199922886678cff084

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
ed31b740b964f2a3ccfdb469f33270bb

SHA1
50e80f6200a5ecb8ecc5c0023d7e45d3a2b99029

SHA256
78e0c109b8f7703c9a58d06f6837c0b6e107b6b7bf026e60e8827d1849930c81

SHA512
2a76a6865277ccb4b69975e03174505c5ff1be5c98d889e227557e39f31fab21dd7e677e34ddc676e56e33c6c0d539b76d017aec79e7a5c4ce99a42493f73402

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
6e7b75f3285225752164a2fd0219dd92

SHA1
a6db58c2a0680958716700a37b77bc69982d3342

SHA256
a48c1d790178d5e6738c4003bc89c94f412335343338241b92d893d9653ae5c5

SHA512
849aede8db22d0abb29abe92bf4810f25c8639be867681b003583a3c533d2318994e41bd5e6a24bd5271b58cf9b5ca1377e4ee995abd9256114297ad921384b2

Download Submit
memory/1396-605-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/1396-595-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1540-459-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1540-444-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1540-460-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/1540-453-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/1768-127-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1768-116-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1768-121-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1768-133-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1768-134-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1900-65-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/1900-57-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1900-58-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/1900-72-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1900-69-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/2016-111-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2016-104-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/2016-251-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/2016-100-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2828-0-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2828-27-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2828-7-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2828-34-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2828-8-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2828-2-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2912-353-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/2912-150-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/2912-139-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/2964-20-0x0000000002010000-0x0000000002070000-memory.dmp

Filesize
384KB

Download
memory/2964-13-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2964-12-0x0000000002010000-0x0000000002070000-memory.dmp

Filesize
384KB

Download
memory/2964-101-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3796-109-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3796-73-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3796-106-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/3796-81-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/3796-74-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/4080-46-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/4080-138-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/4080-45-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4080-52-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4628-184-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4628-367-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/4628-175-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/4896-387-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/4896-194-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/4896-202-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/5008-24-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/5008-37-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/5008-23-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/5008-117-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/5280-338-0x0000000000550000-0x00000000005B7000-memory.dmp

Filesize
412KB

Download
memory/5280-400-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/5280-273-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/5280-413-0x0000000000550000-0x00000000005B7000-memory.dmp

Filesize
412KB

Download
memory/5308-462-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/5308-388-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/5308-379-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/5508-401-0x0000000000660000-0x00000000006C0000-memory.dmp

Filesize
384KB

Download
memory/5508-391-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5508-594-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5556-625-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/5620-415-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/5620-405-0x0000000140000000-0x00000001401B1000-memory.dmp

Filesize
1.7MB

Download
memory/5620-608-0x0000000140000000-0x00000001401B1000-memory.dmp

Filesize
1.7MB

Download
memory/5760-428-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/5760-436-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/5760-623-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/5992-618-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/5992-609-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/6012-418-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/6012-355-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/6012-346-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/6020-590-0x0000000000AF0000-0x0000000000B50000-memory.dmp

Filesize
384KB

Download
memory/6020-463-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/6108-369-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/6108-443-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/6108-359-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download