6fcb04fe3455176b269ec96ad1d013ca0adeb835a110035175f9a742e7dfb62d

Analysis

max time kernel
125s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 03:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
Size

5.5MB
MD5

6e21a17cdbabb50619f05005f00a3c83
SHA1

9a2210646b8a4797d9bef52604ebf911d59986ea
SHA256

6fcb04fe3455176b269ec96ad1d013ca0adeb835a110035175f9a742e7dfb62d
SHA512

f143f4268ec6e99c24bdfb2ecb1d447c4357a2737bcf77a8cc1ccf5f890585fef64e062f3ea9da412fc4cc73f2998767c07096544e13d7e94db4e1f49bf68f7e
SSDEEP

49152:CEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGf3:IAI5pAdVJn9tbnR1VgBVmsEnW6at

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2064	alg.exe
3004	DiagnosticsHub.StandardCollector.Service.exe
3132	fxssvc.exe
4420	elevation_service.exe
1348	elevation_service.exe
2244	maintenanceservice.exe
3852	msdtc.exe
5028	OSE.EXE
2244	PerceptionSimulationService.exe
5268	perfhost.exe
5400	locator.exe
5432	SensorDataService.exe
5692	snmptrap.exe
5808	spectrum.exe
5992	ssh-agent.exe
5140	TieringEngineService.exe
5256	AgentService.exe
5504	vds.exe
5804	vssvc.exe
4592	wbengine.exe
6092	WmiApSrv.exe
5296	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\edcaff7bb3e2edcd.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000da6a87bb7a90da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000c6f0ebd7a90da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000757373bc7a90da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000089e161bd7a90da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009971abba7a90da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000064d2b3bc7a90da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133577995409015264"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009cc07bba7a90da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
1096	chrome.exe
1096	chrome.exe
3924	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
3924	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
3924	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
3924	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
3924	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
3924	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
3924	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
3924	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
3924	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
3924	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
3924	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
3924	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
3924	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
3924	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
3924	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
3924	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
3924	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
3924	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
3924	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
3924	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
3924	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
3924	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
3924	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
3924	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
3924	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
3924	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
3924	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
3924	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
3924	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
3924	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
3924	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
3924	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
3924	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
3924	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
3924	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1312	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
Token: SeShutdownPrivilege	1096	chrome.exe
Token: SeCreatePagefilePrivilege	1096	chrome.exe
Token: SeShutdownPrivilege	1096	chrome.exe
Token: SeCreatePagefilePrivilege	1096	chrome.exe
Token: SeShutdownPrivilege	1096	chrome.exe
Token: SeCreatePagefilePrivilege	1096	chrome.exe
Token: SeAuditPrivilege	3132	fxssvc.exe
Token: SeShutdownPrivilege	1096	chrome.exe
Token: SeCreatePagefilePrivilege	1096	chrome.exe
Token: SeShutdownPrivilege	1096	chrome.exe
Token: SeCreatePagefilePrivilege	1096	chrome.exe
Token: SeShutdownPrivilege	1096	chrome.exe
Token: SeCreatePagefilePrivilege	1096	chrome.exe
Token: SeShutdownPrivilege	1096	chrome.exe
Token: SeCreatePagefilePrivilege	1096	chrome.exe
Token: SeShutdownPrivilege	1096	chrome.exe
Token: SeCreatePagefilePrivilege	1096	chrome.exe
Token: SeShutdownPrivilege	1096	chrome.exe
Token: SeCreatePagefilePrivilege	1096	chrome.exe
Token: SeShutdownPrivilege	1096	chrome.exe
Token: SeCreatePagefilePrivilege	1096	chrome.exe
Token: SeShutdownPrivilege	1096	chrome.exe
Token: SeCreatePagefilePrivilege	1096	chrome.exe
Token: SeShutdownPrivilege	1096	chrome.exe
Token: SeCreatePagefilePrivilege	1096	chrome.exe
Token: SeShutdownPrivilege	1096	chrome.exe
Token: SeCreatePagefilePrivilege	1096	chrome.exe
Token: SeShutdownPrivilege	1096	chrome.exe
Token: SeCreatePagefilePrivilege	1096	chrome.exe
Token: SeShutdownPrivilege	1096	chrome.exe
Token: SeCreatePagefilePrivilege	1096	chrome.exe
Token: SeShutdownPrivilege	1096	chrome.exe
Token: SeCreatePagefilePrivilege	1096	chrome.exe
Token: SeRestorePrivilege	5140	TieringEngineService.exe
Token: SeManageVolumePrivilege	5140	TieringEngineService.exe
Token: SeShutdownPrivilege	1096	chrome.exe
Token: SeCreatePagefilePrivilege	1096	chrome.exe
Token: SeAssignPrimaryTokenPrivilege	5256	AgentService.exe
Token: SeShutdownPrivilege	1096	chrome.exe
Token: SeCreatePagefilePrivilege	1096	chrome.exe
Token: SeShutdownPrivilege	1096	chrome.exe
Token: SeCreatePagefilePrivilege	1096	chrome.exe
Token: SeBackupPrivilege	5804	vssvc.exe
Token: SeRestorePrivilege	5804	vssvc.exe
Token: SeAuditPrivilege	5804	vssvc.exe
Token: SeShutdownPrivilege	1096	chrome.exe
Token: SeCreatePagefilePrivilege	1096	chrome.exe
Token: SeBackupPrivilege	4592	wbengine.exe
Token: SeRestorePrivilege	4592	wbengine.exe
Token: SeSecurityPrivilege	4592	wbengine.exe
Token: SeShutdownPrivilege	1096	chrome.exe
Token: SeCreatePagefilePrivilege	1096	chrome.exe
Token: SeShutdownPrivilege	1096	chrome.exe
Token: SeCreatePagefilePrivilege	1096	chrome.exe
Token: SeShutdownPrivilege	1096	chrome.exe
Token: SeCreatePagefilePrivilege	1096	chrome.exe
Token: SeShutdownPrivilege	1096	chrome.exe
Token: SeCreatePagefilePrivilege	1096	chrome.exe
Token: SeShutdownPrivilege	1096	chrome.exe
Token: SeCreatePagefilePrivilege	1096	chrome.exe
Token: 33	5296	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5296	SearchIndexer.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 3924	1312	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe	90
PID 1312 wrote to memory of 3924	1312	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe	90
PID 1312 wrote to memory of 1096	1312	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe	92
PID 1312 wrote to memory of 1096	1312	2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe	92
PID 1096 wrote to memory of 4452	1096	chrome.exe	93
PID 1096 wrote to memory of 4452	1096	chrome.exe	93
PID 1096 wrote to memory of 3476	1096	chrome.exe	96
PID 1096 wrote to memory of 3476	1096	chrome.exe	96
PID 1096 wrote to memory of 3476	1096	chrome.exe	96
PID 1096 wrote to memory of 3476	1096	chrome.exe	96
PID 1096 wrote to memory of 3476	1096	chrome.exe	96
PID 1096 wrote to memory of 3476	1096	chrome.exe	96
PID 1096 wrote to memory of 3476	1096	chrome.exe	96
PID 1096 wrote to memory of 3476	1096	chrome.exe	96
PID 1096 wrote to memory of 3476	1096	chrome.exe	96
PID 1096 wrote to memory of 3476	1096	chrome.exe	96
PID 1096 wrote to memory of 3476	1096	chrome.exe	96
PID 1096 wrote to memory of 3476	1096	chrome.exe	96
PID 1096 wrote to memory of 3476	1096	chrome.exe	96
PID 1096 wrote to memory of 3476	1096	chrome.exe	96
PID 1096 wrote to memory of 3476	1096	chrome.exe	96
PID 1096 wrote to memory of 3476	1096	chrome.exe	96
PID 1096 wrote to memory of 3476	1096	chrome.exe	96
PID 1096 wrote to memory of 3476	1096	chrome.exe	96
PID 1096 wrote to memory of 3476	1096	chrome.exe	96
PID 1096 wrote to memory of 3476	1096	chrome.exe	96
PID 1096 wrote to memory of 3476	1096	chrome.exe	96
PID 1096 wrote to memory of 3476	1096	chrome.exe	96
PID 1096 wrote to memory of 3476	1096	chrome.exe	96
PID 1096 wrote to memory of 3476	1096	chrome.exe	96
PID 1096 wrote to memory of 3476	1096	chrome.exe	96
PID 1096 wrote to memory of 3476	1096	chrome.exe	96
PID 1096 wrote to memory of 3476	1096	chrome.exe	96
PID 1096 wrote to memory of 3476	1096	chrome.exe	96
PID 1096 wrote to memory of 3476	1096	chrome.exe	96
PID 1096 wrote to memory of 3476	1096	chrome.exe	96
PID 1096 wrote to memory of 3476	1096	chrome.exe	96
PID 1096 wrote to memory of 3476	1096	chrome.exe	96
PID 1096 wrote to memory of 3476	1096	chrome.exe	96
PID 1096 wrote to memory of 3476	1096	chrome.exe	96
PID 1096 wrote to memory of 3476	1096	chrome.exe	96
PID 1096 wrote to memory of 3476	1096	chrome.exe	96
PID 1096 wrote to memory of 3476	1096	chrome.exe	96
PID 1096 wrote to memory of 3476	1096	chrome.exe	96
PID 1096 wrote to memory of 3596	1096	chrome.exe	97
PID 1096 wrote to memory of 3596	1096	chrome.exe	97
PID 1096 wrote to memory of 1816	1096	chrome.exe	98
PID 1096 wrote to memory of 1816	1096	chrome.exe	98
PID 1096 wrote to memory of 1816	1096	chrome.exe	98
PID 1096 wrote to memory of 1816	1096	chrome.exe	98
PID 1096 wrote to memory of 1816	1096	chrome.exe	98
PID 1096 wrote to memory of 1816	1096	chrome.exe	98
PID 1096 wrote to memory of 1816	1096	chrome.exe	98
PID 1096 wrote to memory of 1816	1096	chrome.exe	98
PID 1096 wrote to memory of 1816	1096	chrome.exe	98
PID 1096 wrote to memory of 1816	1096	chrome.exe	98
PID 1096 wrote to memory of 1816	1096	chrome.exe	98
PID 1096 wrote to memory of 1816	1096	chrome.exe	98
PID 1096 wrote to memory of 1816	1096	chrome.exe	98
PID 1096 wrote to memory of 1816	1096	chrome.exe	98
PID 1096 wrote to memory of 1816	1096	chrome.exe	98
PID 1096 wrote to memory of 1816	1096	chrome.exe	98
PID 1096 wrote to memory of 1816	1096	chrome.exe	98
PID 1096 wrote to memory of 1816	1096	chrome.exe	98

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Users\Admin\AppData\Local\Temp\2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-17_6e21a17cdbabb50619f05005f00a3c83_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d4,0x2d8,0x2e8,0x2e0,0x2ec,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc5f389758,0x7ffc5f389768,0x7ffc5f389778
    3⤵
    PID:4452
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1748 --field-trial-handle=1900,i,15787444756492877106,7203462738517239323,131072 /prefetch:2
    3⤵
    PID:3476
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 --field-trial-handle=1900,i,15787444756492877106,7203462738517239323,131072 /prefetch:8
    3⤵
    PID:3596
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1900,i,15787444756492877106,7203462738517239323,131072 /prefetch:8
    3⤵
    PID:1816
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3104 --field-trial-handle=1900,i,15787444756492877106,7203462738517239323,131072 /prefetch:1
    3⤵
    PID:2592
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3188 --field-trial-handle=1900,i,15787444756492877106,7203462738517239323,131072 /prefetch:1
    3⤵
    PID:1484
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4512 --field-trial-handle=1900,i,15787444756492877106,7203462738517239323,131072 /prefetch:8
    3⤵
    PID:5028
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4768 --field-trial-handle=1900,i,15787444756492877106,7203462738517239323,131072 /prefetch:1
    3⤵
    PID:4604
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4976 --field-trial-handle=1900,i,15787444756492877106,7203462738517239323,131072 /prefetch:8
    3⤵
    PID:2036
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4992 --field-trial-handle=1900,i,15787444756492877106,7203462738517239323,131072 /prefetch:8
    3⤵
    PID:536
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5076 --field-trial-handle=1900,i,15787444756492877106,7203462738517239323,131072 /prefetch:8
    3⤵
    PID:3528
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5040 --field-trial-handle=1900,i,15787444756492877106,7203462738517239323,131072 /prefetch:8
    3⤵
    PID:5344
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:5412
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff795cb7688,0x7ff795cb7698,0x7ff795cb76a8
      4⤵
      PID:5448
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      PID:5488
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff795cb7688,0x7ff795cb7698,0x7ff795cb76a8
        5⤵
        
        PID:5512
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4512 --field-trial-handle=1900,i,15787444756492877106,7203462738517239323,131072 /prefetch:8
    3⤵
    PID:5636
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3848 --field-trial-handle=1900,i,15787444756492877106,7203462738517239323,131072 /prefetch:8
    3⤵
    PID:5644
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4684 --field-trial-handle=1900,i,15787444756492877106,7203462738517239323,131072 /prefetch:8
    3⤵
    PID:5748
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4752 --field-trial-handle=1900,i,15787444756492877106,7203462738517239323,131072 /prefetch:8
    3⤵
    PID:5172
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=4520 --field-trial-handle=1900,i,15787444756492877106,7203462738517239323,131072 /prefetch:1
    3⤵
    PID:6588
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3632 --field-trial-handle=1900,i,15787444756492877106,7203462738517239323,131072 /prefetch:2
    3⤵
    PID:5736

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2064

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3004

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2344

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1348

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3132

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4420

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1348

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2244

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3852

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5028

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2244

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5268

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5400

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5432

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5692

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5808

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:6064

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5140

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5256

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5504

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5804

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4592

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe c12b8e8094db6e4b359e68248d735b7a IYd+ZUBd00+hU/pyPGdUhg.0.1.0.0.0
1⤵
PID:5748

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:6092

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5296
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:6648
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:6684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3720 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:6300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
6466ef121b6d690dd0a4e4286d270d53

SHA1
20676ea8910f9150ad36e530af8e8e0a0d890f62

SHA256
4ed55eabf4968f39af7286805128e7c98b7083e2eab4ad7c1f2192ec77677862

SHA512
529096fb495083b347e7d6123d219013468d2ed37eaa80cbe8ff567821fb9014e7ea7361bccd1ac899a2f268957147e5f62b3ca224a9700a0847bcc6f3eb634a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
88ac384a98dbc27389a1b30e3f7fed04

SHA1
3204f6fde485b60db3db9eaf8e938c7877001f25

SHA256
5cd4b2883b34b7447b905c34adc6a2bf802614cfbcfedccb263361e543d08d59

SHA512
f12e9a07fffd0732517a3fcf86187161a915a0a23246e9ebca403f6d43f2a88d3d2654c71e97b5a148f733f1cca159a9dcd1ad394b7f7e76d351258b5dda63ed

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
cadf56235c8385ea4adcd22043e3da22

SHA1
77c89267fd9a6dc89b238cbc8565de4a97776552

SHA256
185d1bfd7ac04b9d8e127d038bf3fc5fbad71a57e72debebffe2e67f08738bb5

SHA512
72996f453f060401c7eea0fccde56217ab960f702cf284b48a9ff609617b08853b002148612a369550a5ae3c866f0942ceef9266f89a813dc36f8e87bdd5d3a1

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
cffcc28bf1416e301c60d126c4bbde5c

SHA1
f3cd6837e3ae890cd480ea9a0e9ca00b78d2ff6b

SHA256
6306a18d70cf36655f8099e0a9cd7e06619b2380fefb2be1f5659920fd9d6c39

SHA512
80e761e0d7e84b5649ef9d156f933ec04ca13ec67a68989b68606d94651f1dc449250a5fccdf01162cea1d2fbc16c8928e5e93ddbbcabb831a9233c641d7b4fb

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
cfddae143ed9e4115993c47ee9fcef40

SHA1
9220cb4303e1255651707d32660d496694ae01fe

SHA256
1940be3c3f48761ebec535490d14c3d621d8ba1e8b6b075a4d91dc4cacbc3b6a

SHA512
0cd62be7b0e898e390235e56184a5b157fbf27e0d02b5c6b9fc7804d820ce2cb410e6d412b032c6796d3075f580009a7ae722eca773b73f515da4f01ad5a22e1

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
ceb62a060acd9c273f7c28e302894a5f

SHA1
4bd92e34a004ffe6e1840f7fca1afcc0d4ad7c15

SHA256
bdf7d51232b3326ba6eefebf9b55cbcab10bb775a86aab9345bb62803dffcc2a

SHA512
d3a1a085fe1e639caf6b04609b679800e0278dcf4e2dec8246f931885883d496b53c5b0837932867a4c919974d85950bda2ad6c153e90ad7e17aaf3e64fd8452

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
95cfa16b81ca77a1172e5a355e41b0d0

SHA1
cd1ba688e01d9e38dc8f0aeefdca4cc46c20915f

SHA256
3ed165450bb6bd8bd43f0d7996d07bf1ddbc51e369fd08df6bd8863aa00ef82b

SHA512
6c6e6e5e23178bcd3f2ecd6b3f9f54d5b50aa0866a85fc851720bc217d19d96e316656e3d56a2276e8ed94eac2594d1253c03e4845f30f7bb1013625ecae5df3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
3.8MB

MD5
c994cc5e439b71c9f253c8012f75b328

SHA1
27f06adfb9ecb57afe8221dccc34f4a9e540039c

SHA256
249e5123efeee8d79545ee0744b7e117bd5f2a87bf80c0d7f82a4a789b27435d

SHA512
1499190d03dc415120452008893235e6fcc4519e7db7a55c18ff68456badd197e4e8aaa774f8c696acbe628d073e62fa93e111fd5d6b319bac05ccd473dd0884

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
a1f1254912c6e0f7b9de0ccb5584fef8

SHA1
cf50fcb7f9885b0efc8a0bdcba74dc0aa78e7046

SHA256
041b39e1085433225ccc757977417777eed9fd47a072eee8c7c9fbadc8c61b01

SHA512
7f1d24e24f4ecf0b155e8de47b3a87e668a7d15c8ca40d1934baa059decc73923e010c161f924f6df01cb067f41e116409e52e17bb00c780e63e6c9d6a2e2f51

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
1.7MB

MD5
d95be75a4d09ded270030de715e4f771

SHA1
ba8d2723cb16206a2f9aea1048728e0507809459

SHA256
774d00c80c995bb79f9b93502062db628e8348b0544a5c894089b12714de3ab9

SHA512
6ccef228706803b33f20298f5e275fc16e1657a396a6c7b5a518d47291d8029eb5c0252530768d8c97e025ab4123b4f56c040130ed2cb0f5427aa375ce22ec6c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
1.8MB

MD5
826bafc27bbd55dadd951041986fca57

SHA1
929796035ddb1d5749c22e8b519f2995b20ad44b

SHA256
0484c5e59444db2db20c4c6d7fb758afcc63ed9d23964d26639fb5ade37bf2ee

SHA512
07a2067ebb886daa6bd4329b738d5549d13e47ff00c617124de9ef7dbc74915dae2a543208904bd406e541de98664861abd557833b8d870455831ab4c4a1273f

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
597926e15397322683b38e8b79cb0578

SHA1
f7e8c9176760fd94fc6173c85803ab1eda63d0d9

SHA256
32b38f63cfae8187a5af0e459c9e2b886ea0899f8acdc5482cd7246e1c17c585

SHA512
e2b38e1a228b0b3aae5edcd2de4e62e63e5da4a540eea94c92d59ecd44290a440f042d3474d8b3d5c677b79fecf915d4d60f723b9699d5e738b7b7ac9795dab5

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
44d0f0cc732b5a42fea66662bca794cb

SHA1
d477c3d7537305d61fc782376b345d6a71f905da

SHA256
9fb824ac151ac9938405d7560f1e53e2151067426c27872a0057be5205c74525

SHA512
7828ba2f0cf914d8fb2c690748fd0ed2ee89e9cb43dd9a16f97cc9d1e998871698a8ac87bad1703dc4dc7e615ca4438ccfe74b0c7c19d63b36eadb9d77b33258

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
f95d5571807605737b2fc9781814935e

SHA1
306711c6cdb03e91a3f810f90f1e383e7078b880

SHA256
7c427c7c07c3cb16bc9007f7cc17748ee048042414be35ca846cab13d1cccb81

SHA512
dbfee41affbee03fd42809b508240d38807a0120518aa3aab05ac198d4263a29deea738472105596feb83d25af7e69e758e9f9e654246340887a0077756f6cdb

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
766858a90d40d16a691c79e4d6e178e4

SHA1
0e227acb7ae64a623f25f678cb795b0fe63ae91d

SHA256
389d33b174345d081e410e5bb60374a49bc9663241df11d8e41614b72f9697d3

SHA512
63e792a40929a68ac3126b00b84e45e4f5d2c0f9ae7fa04dc7518485cd69f2d08de98646ee44b78711c60c72f2fb82b694866bb771ad07076aed52b737e45e19

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\be8df509-c21c-4218-84ea-2e0f0243a3d0.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
6eb0d7ffcacae1e797f99f285ad24fbe

SHA1
53820a4e78091f12af1365e3ddc8d898df490360

SHA256
a320682caaebd97a258eb75b007822c91d3ebc77a5456189a0adadb7d6d28a45

SHA512
6e7b08d03f071604d975544a8206a22a8cbe627d7e3fc89bbf4fe621452fee6fa8cb439450fec1624711b8d90d663019b3e7fb1ba22fd9b5fe512ecee6e7491d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
85cfc13b6779a099d53221876df3b9e0

SHA1
08becf601c986c2e9f979f9143bbbcb7b48540ed

SHA256
bd34434d117b9572216229cb2ab703b5e98d588f5f6dfe072188bd3d6b3022f3

SHA512
b248162930702450893a112987e96ea70569ac35e14ef5eb6973238e426428272d1c930ce30552f19dd2d8d7754dc1f7f667ecd18f2c857b165b7873f4c03a48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
b6ba1858162a55fb5cbb85d13b6ebec8

SHA1
06de199e78a80125e5ba555042eada42720d989d

SHA256
5552a0757f40386f5afe79fa0fd495a156fc75e3387959e29f597d78c4ccc0dd

SHA512
497ed0b1cfd320c9cc1941760c25a53e5df3607cccf20f5e2d5f2bb981863a542fa8824142a907209b402c9a767d5167e36d56b607178bab638efc1757baad19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
0169ca5f48e0034fb17e9c3c57321ec1

SHA1
e491e299810cc6736be0c97f46de327bb0c35af6

SHA256
175641c134fd93b330a56837fe0d9e05259d7119df269a89ce861ce1205f16a0

SHA512
a08bf27b3c05ac0d0371d6aca744454d7e9cf62263097484412be27c1fe5d8c2a4c8e65a06d6249475898fb0f21208abcf440338e0663c1dead6fd31578fc678

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
b964ec82777dee53a926ad26db0def4d

SHA1
d8100beac051ca2c92d7f54766675d0a1c9ca0fe

SHA256
6d4701b99abb385a081b4a6eecd37a99b578988091fe2e3321118b5765436b08

SHA512
28914addcb90ff3cb68e39fc28f728c39367c189dfd8f0982ccf957bfaa9080a13542b68027a4ab02c4158ee9b8449dac81e4260d2a01f0ee3d61cef7ba0c6d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
c526d75eb2e31be22cc594adbede2e01

SHA1
50f6ae58f702db0d06350af82abe1659fc658540

SHA256
94b3013b7f57b339cfe2a38eebe429c41b3eb3786362ee4f82c2e1dc24aa638a

SHA512
2da35b3c5dfa73feaa0682ac07702ce2f8fc56cb042560ba441dd89618a5afa7cfaf1e2005b10d2722b09dff864ac42ef7ced1138cfe41abd3c1c8abcb4339a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
fa3d322a6b874d3844473885ac293b0d

SHA1
6d2433eb15adcab9d129ea25966b6b2827291746

SHA256
60de201656b9c45732e515000e957c332209deb01fb1dd2e9fba68d2bfa1cc81

SHA512
8b5bb45c899e189fb3448330705595ee57b67e443a9d804e5c91c6cb87cbe64bcd4da50ea7dd8916ed84891797d7e3b8bc28f318dbb6e7d01941937fb5306397

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
9cc7b9a229f284882060092eeefe620c

SHA1
76bfdca73a034d7b072b773d5201edbbc2aa21e1

SHA256
e81bbceb60f102a7860e8c831f70648844c0e4aeeea5698e0c17da791274891e

SHA512
a65e44b6d89f54d5b7791352a4904e4375d712468f9609e3582f6817c5dac2af9a95a4770a317fa1637bf779040742419ff3fd3d24916b1a65e543a64565db0b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe582db2.TMP

Filesize
2KB

MD5
04695aadffdaf28b5be826d27d48721a

SHA1
ce79df7c80926a86b0e1a922a05bcab16c7620c4

SHA256
0bc76b0a74faa8d4d25cfa28127c42750e86004af7a10d590e07a33a89726b51

SHA512
aa3438c4a09ea9c0c52dccb6cba636ac99c11b47a5b78317869823d6c39bfdfa304f40e67867b8ca9c4269efaba12431ae59a1d54c671f38acb9e4fe3d23da54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
10KB

MD5
425340dad22fb296dd6a0bd7ffcf9514

SHA1
c4d7df44299bb1e604ccf690ebb9867f76911342

SHA256
a953216ba30798588213bcbb94dbd5ecf075460e36b24d4da371f239686f3813

SHA512
afb8198c3be1d9526b80a9070dec218fd69601d9cf712b87508da783334ff10ce6594a4b594baf1ddfb7bd95c2b41e30d417b0a9f163913b0c1960c7061b53ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
13KB

MD5
ea104cd6640a43b1f21b037865b77f40

SHA1
3c89a790b722aee5c235f7220f4ccb76cacfa1f2

SHA256
fa71431f9e7be7e16ede09012cb156db88c6f2b24644d403fbd30d884d754777

SHA512
28918d392e121f5493c03ef2c9914d58a4f88b86bba70e345e6ee574b54152a19de460f84e42ec3423a478cb87a00ab493097d7a23db6e4902c303d8a2b30448

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\f166ed7f-d0c1-456f-8186-dba7cbbd088c.tmp

Filesize
4KB

MD5
065c4b1658e0b7dcba3247e6270b15a9

SHA1
b0229ec8b22e5dc26806bb5caf2e05dca2640aca

SHA256
8403f40b437ec9b4be44a3493c3b21055f076d7a4f252da60703c320ef13e875

SHA512
2b5548e11ec372614bffdcb31749a11f40d6933fc0e07c131e31ed725da2fb0a5d81542863731300a60f9c2275b20ba12aca43bc49e5bdc259baa7bda8226e5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
262KB

MD5
e0ca39698ecd75fe93a151db223f9219

SHA1
fdbaea7e221c6cb5948a91711c73f9cea9212180

SHA256
b055728341d6287a463ef4a760e071a8a39a6f2b5db2e988b5726d870bdee53f

SHA512
a470e6fc1c8f6031b1c07c3ee965585039b77f4d17a526ca41c1aadb7b77089c4122b7115cfd091e97be7b0509b4c1ad25eda8fe151a9e0b5e3a80cc3963f742

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
4KB

MD5
ec3865dff112cb6b19eacdf54ec70122

SHA1
105b96ab8d69225861cbd99a0353b59859fbde44

SHA256
0190112f60511ef382d0908519eff347912994c1d4c5f4014839a7dae7b761a3

SHA512
7dad74a60d7c32461c5946e8528a73bdfb74961b7b68ecf242728bed8da4ec41eff762a713cbf15eeb73c78d44f994d3aefe171538289c23323ef5dfb9f30479

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
5KB

MD5
574d9e090a3f889d3ebe8a3b32258a78

SHA1
6f3703c7904221c2c4e62b72b2b17ab0050fb5d7

SHA256
2efe5de82e1a1c42a23d4c4346e3838778418a0567ed09b6bfe0f20308a00020

SHA512
f84d585d7aa207dd36f64edef7ecfe5d94ff52cc78777bb41e190dfacd9ca47f66bf290a702fd2f6a16165e52017d62ec1c4e72e5d1ee067be5c9d6741da869a

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1096_679268566\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1096_679268566\a6cf0e13-caa2-4dcb-a15c-40166d2c904e.tmp

Filesize
88KB

MD5
2cc86b681f2cd1d9f095584fd3153a61

SHA1
2a0ac7262fb88908a453bc125c5c3fc72b8d490e

SHA256
d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c

SHA512
14ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986

Download Submit
C:\Users\Admin\AppData\Roaming\edcaff7bb3e2edcd.bin

Filesize
12KB

MD5
b660e1cf37c32cd60cf1dc1f9855fd56

SHA1
0587715f0ffeed0a1f25b202fd39278b2a30bacf

SHA256
02cd76e549bdb1db73b232e95498a17c8580941eb4c60f31c35886b84bbb9279

SHA512
94f4b545c20f00e8c9b57881ac734261aed4260bd2f6358c2bb33b9d45bb6af27ff409cb7758acd5ec53d66d527dbbb6277117a15ef312a482e26a1a572fbd51

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
7c5a6d4604502e26cc48a0791da8ae37

SHA1
bd46439fc0684adb9ee6e7a95886807877d1e2eb

SHA256
1097e6718bc6227a17c33077413fe2a21e1b89416b1f0b04060894df33039ec6

SHA512
9001598539d87f4e62dff3428486f3fa3d4bfc817bd678785ce319f78eea0a58c4050928ff43cf43f695207f914ae1b678d7d69a6664b25069492d2541aa3907

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
34d2875dbc1518ba69c4cf5bfc18a0eb

SHA1
59234f173d454eef4c97c02ab1c8e2979d86161c

SHA256
4fef9d3a6fb150b956d4c940d2abc7b2cd93199e2175c967c1ce5d222f9d12a9

SHA512
bc289552d1c83af1ca936d3fd560559fe0caedde5a79ad2e1a33b52fa769ed113328ce298d271f39d8daf88ea6731ceb423771911615949f922b520d19c89b41

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
c3581627d0eb67a912be8de65b98f969

SHA1
188bcab888841afe16447aaaa076b19f9b71c4f0

SHA256
25ed174b88711effdcddf521bb55d909a0fbc4468f41ffa8f769ad452bdf956e

SHA512
070819ed0bc12dd407f283e57e3ee3634a659563fd604b6f11ddc97c1d18be4429e41286ad5ca64dbb346d4e7e6e1399244cf9334efe564c36bd0c3727bd587e

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
543d4c4f0fc8e95d448fa210e021b6a9

SHA1
cdbfbb2b09fab01b7fe5bd60b15a3d76efe7ff3b

SHA256
0ef93f73f3fd75ec8c29fb7f4cb3df805a7d40d832e41f31fb82dbfeaad762a4

SHA512
f0df231818a176a3c458948af99ef3d7f2b8a5d5b9506c9ad04c59011fabcafa73ebf1c3f47bafa9b89b7b535399470c6dc28a09a5dbebf8ffba88f392c1e8f1

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
8675804483aaf6f5eec69e0e6a9c7b29

SHA1
b5617d399ce7b0143595916774f9d7ea393c663d

SHA256
16325e55503d2d446b8601a522d9cda8ce1af52e6a0b575cf6915f160eb69da2

SHA512
a82dbb2d4b6949f35ee7fb3c23bdd8bf2b1a0f6b5db85a53b5d14e9e0bc7da8e84503b188eda859dad475e06dd288ddb4b9a2349ce0d3904aa93082e17a9abbe

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
6b85110bca9e674cb428bdbf4f850b53

SHA1
6604c6412d5bc8df5b280cf21a3f14ee8309a423

SHA256
ed3da7eba0c3ecc39b0b63080fbfba02317187e03ecaf195a7f67a01421e6460

SHA512
79d4591afbf392b7c769a739ef8324b6da18feb04ba2262ba53436545e3dbf4baec1d15be7f5949a10df19a4e7f760265188aef0b8eb4019f9e2d09460958c9c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
2477409b70113012d21307f489e3e3fb

SHA1
da60c190aa535a66c8f4580510057d9bfaf9c5bb

SHA256
4bbf9aa53981baa5e077bfd20e838a0c192ef684c503053014430d67b487a251

SHA512
18f4e15be1bdd22aeae33f5b92f9e867a1e15aae937a585a7fdf53f37bd22deeffdc2db0f8cfce74ff0edad46dad94ea8a78f4eae040746e27eb48f2d226463f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
0514b4758328de8252cfc9324df09781

SHA1
bb8398f271a019a4b9698a9f066db4cd4974f84c

SHA256
17e05ade9a7fa7cf7b2ed9c44a704460cbc4210415e8b37c9f38f10518b4e13e

SHA512
14f8b4cbff39c279a2b43887350b46f257908321081745401cb4c5b39766ea59ee37737c8c5752f9eac94c8b7fd199db1c0948921abaeff816672128c57037bb

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
4062ed18c0e82371db1590cfa1637b4d

SHA1
932d60c22ee9d5a8104b98b8a8b00403e9ee674f

SHA256
edd978230e84a25a51e325af51c2cc8536b520c6f9c82abf8f4f3280425cee86

SHA512
2c6efda37c857e38bedfcddb56dde43fc9af154afa5b5908638c51f8bb08b0a4fda1d73ac028d17e1340f1468682ea4f942c306ad8d47e056f5e1a0ee177bffa

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
46bd42af2216f9b6425d965b9298f563

SHA1
45b9b2d0e39d8582fb776cabb8b8a5bc19cf27ee

SHA256
751a8c505600366d1d7f7646032d1bb0f6d9050879896915c1f5225ae4b976e4

SHA512
282940369741e152e8996c35fcb36af5adc2e2d4b441372105eccd029b2386dcc6b4540d1c8b8f5208c20998fc25a9957eb516a53bbfb6dd147ad9bc2b052f7f

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
0a80b25a9db4d9cc847469cd34b41336

SHA1
124a8b1daab23bf1cf432d403407ee6eaf7f070a

SHA256
5f311574b0745901610da8cd535b1d6f29a85d1d58196363d49df4788b7f7390

SHA512
b040c1cdcccece2a8be7be774d4601822cfde7e1eca727232889cd24712a4809e10dcfaba933bb27454cbe9eb01116102ed46fd7b899ff057ccd6702dc23e048

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
a8fb46c9b8ee79b65450783b449f2699

SHA1
5e70949f21078f3f31d91c5fa5730194ae45e73a

SHA256
f2bb39d5d218684dd138a46f6573df3018a2fe7e40f10661639f73354a9a1a6f

SHA512
87ab59821909f98715a7ff08ab8727e6466e89f8bb03be5df5dae2c0d5686136de2e771c4ea0186098ea8336acc77df8d1783d3e80136102a7425d709d66ae50

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
445cbf8a90942568e1cc5e45e0536bbb

SHA1
dca0dc42fe875d9ee3ad02746b83fb10b4ce97ba

SHA256
c7021418497949c157a83f8889aadabf9b949cb9bf65b9a7cccbd2a2d61c3955

SHA512
b0918c85d6d30893127349bb0f5ac505c08afc1a119253b4936d48b869ed2c743e9c0b0e74ee8313de832943951638da38716ac9092fbc6660d3d9fd2dbb2dc2

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
b4150127867b3489d1183fd19ae6f60c

SHA1
1fdeb1777ec5b072e07331a4d616a9e080997cac

SHA256
548d5adf990402dc9b9067410b66853ad08bb8dcb7c4cf96449b48e6604c99b5

SHA512
c5a8565d67d8e39f8189fbe9750b061baf83bd7d8a8a8080126233e5af69a6a0b375ac0bb8884099dc3e2280dc98b02ca44c64999bb458dd4772d9d20feca6b2

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
80d89f2d6a2892941d2a24dc53c68365

SHA1
026c654cd5fe44d65d637497965fd42391050c81

SHA256
1b3c5582e384a8ed8b01b00e818f7a769ecf5fc952ad8b18f99d50eb75b864db

SHA512
2dfe250e354591b1925923c61fe8d01340d9fc4bb1afd53e298d395d79fec00a822e7db68509c5d5f76c0c83bb66837412644504384c6a87e6736c91e69baf02

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e8850cc1f20f5c231e0d0597e2f55ac2

SHA1
a06362e19ad231b5346534d455e1e3bb10f57efd

SHA256
1f09c5dbb8c7baff741e1188b4b7dfcbad1fb72b296cfa0f10c0cda9a4a33dd1

SHA512
ffe154ab493e13ad68ba18216422463f7451a1243f3aaba40a320817d49e104c77515d3322b2d5d314e17f50bfe5a5c662a7eca325f97bbbe465ff368f029c3c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
448KB

MD5
f488a0156a3e977c6139d0ad5f08d121

SHA1
0492d190806a819ffef3ecf0c66eee78a6ae4774

SHA256
cdfab7091b8542be06992cb204c0d0e28edeba6bddd06403e2cb7d9e2ac8b433

SHA512
7378ed67906d2c8387baf248cbfc1a8a7de8f611241fae64d3b6893ff2eb4a325470fa9c2d69c8b7c4169f2407c835a27aae8fd620d19754c8b14e17b4040058

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
bda959923130e9621450835e06257255

SHA1
ac2b9f7ac4bcb8b85663a063111364cb0604382a

SHA256
a820cf2ca95b3571a287269b37ed17398f183f76c775592740878820d6f4e470

SHA512
486b0bab9ce2ebe37d58e4b10b4018263782f2f007b5fdf0857e3e52cc15d3d694a524377ac6cf5a2c9a05955c30ebb6573e2143b7917530ee3bfb3333d81b6d

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
0e1a0df5323f02fa141b11070035f203

SHA1
4662c48107aebe02429f78dc0ab4328f88ea9e8f

SHA256
169bdddd028372b9c8dc1bbc8bc1a48dce9089467cf7c3b5967ebc20713b1bb7

SHA512
5ef418e1f48b459f21f15f8462fceebbe5da2e16ff4cd02a614a6a508c1a9e28527c0d0778840600c85ba60d412de91e754b3aa0173ac4db70460367a2abc6e5

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
eb0d60c26791d16909e11814510951e5

SHA1
3378db2258950c7d70e43ee5e39766efdcdffdcc

SHA256
31460737f21dba2d7785924a7bb4ca12532903424829a5478e68922c52a7f8b4

SHA512
02a832c2cce2afeab399daa9b87cb1e6499192a031ce690be7088be3b762f39d013fc9bbdfd41c7756d61ae55094c6d829be7605e17fcf329fe399dfcf7714ca

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
a94dda8f019206fc93e91e37d8bdd855

SHA1
e4363d4eb943a413281b4071cf58de5dd2f88530

SHA256
e9fedd90024e61f52fb9b9ba13518c2655755ce895bd6458a5041f4270ca4a8f

SHA512
a013563e0bc226e0ffc078ad7eff4f10163491592e32407ba8cbc6619c9524891e6be99cf956cc828136282c90b5e14ada24ddf32c08a51d2bb3ba2ac674289e

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
952060879a569615f5cf43ee04cc6f55

SHA1
d2e70f928fbd08a8e2356bbb294bb00ac27559ef

SHA256
fc25d2c893984045a50b83604f0088879870dd64c77ffbb5dff1772afde5faba

SHA512
e0e98cf0e37524fc362494482233ff40b0c0d6230b6b7e38765978e9603105bcaeb44f4bc1ca2b981c0678ef8cead25b55a09c8fb677fe99a70cb6afe4709fe7

Download Submit
C:\odt\office2016setup.exe

Filesize
4.0MB

MD5
f708c6126499fe10f18b8a8fe4a69c4e

SHA1
7fdf294d7ff7629e8dc2134c78b9597a045ed8a5

SHA256
1ef17b0a8fb6fd163a7c8657ddd7a2859faa9369f795cf28133aedc999b4078e

SHA512
df224d8422f69046ba5b70af121c96ab1bb470cfd60077cc3086fc0f3c5e2cb7d4a5d7caacdcbf962bf2240989c6ce579db9dcd3f909c94bd01ab0f70137ce6e

Download Submit
memory/1312-30-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1312-0-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1312-23-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1312-8-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1312-1-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1348-114-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1348-103-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1348-110-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1348-205-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/2064-118-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2064-41-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2064-42-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2064-28-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2064-26-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2244-137-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2244-136-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2244-131-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2244-380-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2244-120-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2244-119-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2244-176-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2244-183-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/3004-47-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3004-54-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3004-46-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3004-139-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3132-101-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3132-99-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3132-82-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3132-75-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3132-74-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3852-148-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3852-140-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3852-354-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3924-107-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3924-11-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/3924-13-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3924-19-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/4420-88-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4420-94-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/4420-174-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4420-86-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/4592-611-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4592-601-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5028-366-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5028-161-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5028-167-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/5140-429-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/5140-421-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5256-436-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5256-456-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/5256-453-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5256-444-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/5268-206-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5268-416-0x0000000000570000-0x00000000005D7000-memory.dmp

Filesize
412KB

Download
memory/5268-335-0x0000000000570000-0x00000000005D7000-memory.dmp

Filesize
412KB

Download
memory/5268-393-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5400-346-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5400-420-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5400-355-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/5432-359-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5432-433-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5432-368-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/5504-452-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5504-461-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/5692-382-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/5692-372-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5692-449-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5804-594-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/5804-583-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5808-395-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/5808-385-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5808-582-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5992-600-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5992-407-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5992-417-0x0000000000E50000-0x0000000000EB0000-memory.dmp

Filesize
384KB

Download