55cf6f539dae98fd43ca8920fce9f764f3f300660137a5a7b4b5a877dcafd8fd

Analysis

max time kernel
152s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2024 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
Size

5.5MB
MD5

8925f8dec474651025dd52fbbe68fe3f
SHA1

fb37325f167e0ea257d2338931409951b4a7997e
SHA256

55cf6f539dae98fd43ca8920fce9f764f3f300660137a5a7b4b5a877dcafd8fd
SHA512

32c74050cd91322f868ed484b9b0ce74f0954765a4d28fa3ef6e6696294a6aba2dc01752d773e533168b6707fd76daa03dc418358af9ff7a45ff43bf0bb29971
SSDEEP

49152:LEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfB:XAI5pAdVJn9tbnR1VgBVmRA5rC7Uc

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 21 IoCs

pid	Process
1572	DiagnosticsHub.StandardCollector.Service.exe
4632	fxssvc.exe
4116	elevation_service.exe
5092	elevation_service.exe
4708	maintenanceservice.exe
4212	msdtc.exe
3668	OSE.EXE
4528	PerceptionSimulationService.exe
5544	perfhost.exe
5880	locator.exe
5972	SensorDataService.exe
6080	snmptrap.exe
5204	spectrum.exe
5288	ssh-agent.exe
5108	TieringEngineService.exe
5600	AgentService.exe
5720	vds.exe
5888	vssvc.exe
5980	wbengine.exe
5376	WmiApSrv.exe
5620	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a846ebbdb3e2edcd.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{1342F81A-D5C5-42B4-A5E8-933F7759DA30}\chrome_installer.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaws.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133580701403088237"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e1b7a4f0f092da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003bf2cff5f092da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a7a92edcf092da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a6e6d2e7f092da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003312aaeaf092da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000096f7c9e9f092da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000faf47adcf092da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000002fb80f0f092da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
3580	chrome.exe
3580	chrome.exe
1816	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
1816	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
1816	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
1816	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
1816	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
1816	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
1816	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
1816	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
1816	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
1816	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
1816	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
1816	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
1816	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
1816	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
1816	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
1816	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
1816	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
1816	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
1816	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
1816	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
1816	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
1816	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
1816	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
1816	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
1816	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
1816	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
1816	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
1816	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
1816	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
1816	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
1816	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
1816	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
1816	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
1816	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
1816	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
5864	chrome.exe
5864	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3108	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeAuditPrivilege	4632	fxssvc.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeRestorePrivilege	5108	TieringEngineService.exe
Token: SeManageVolumePrivilege	5108	TieringEngineService.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeAssignPrimaryTokenPrivilege	5600	AgentService.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeBackupPrivilege	5888	vssvc.exe
Token: SeRestorePrivilege	5888	vssvc.exe
Token: SeAuditPrivilege	5888	vssvc.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeBackupPrivilege	5980	wbengine.exe
Token: SeRestorePrivilege	5980	wbengine.exe
Token: SeSecurityPrivilege	5980	wbengine.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3108 wrote to memory of 1816	3108	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe	92
PID 3108 wrote to memory of 1816	3108	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe	92
PID 3108 wrote to memory of 3580	3108	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe	93
PID 3108 wrote to memory of 3580	3108	2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe	93
PID 3580 wrote to memory of 3480	3580	chrome.exe	94
PID 3580 wrote to memory of 3480	3580	chrome.exe	94
PID 3580 wrote to memory of 3812	3580	chrome.exe	96
PID 3580 wrote to memory of 3812	3580	chrome.exe	96
PID 3580 wrote to memory of 3812	3580	chrome.exe	96
PID 3580 wrote to memory of 3812	3580	chrome.exe	96
PID 3580 wrote to memory of 3812	3580	chrome.exe	96
PID 3580 wrote to memory of 3812	3580	chrome.exe	96
PID 3580 wrote to memory of 3812	3580	chrome.exe	96
PID 3580 wrote to memory of 3812	3580	chrome.exe	96
PID 3580 wrote to memory of 3812	3580	chrome.exe	96
PID 3580 wrote to memory of 3812	3580	chrome.exe	96
PID 3580 wrote to memory of 3812	3580	chrome.exe	96
PID 3580 wrote to memory of 3812	3580	chrome.exe	96
PID 3580 wrote to memory of 3812	3580	chrome.exe	96
PID 3580 wrote to memory of 3812	3580	chrome.exe	96
PID 3580 wrote to memory of 3812	3580	chrome.exe	96
PID 3580 wrote to memory of 3812	3580	chrome.exe	96
PID 3580 wrote to memory of 3812	3580	chrome.exe	96
PID 3580 wrote to memory of 3812	3580	chrome.exe	96
PID 3580 wrote to memory of 3812	3580	chrome.exe	96
PID 3580 wrote to memory of 3812	3580	chrome.exe	96
PID 3580 wrote to memory of 3812	3580	chrome.exe	96
PID 3580 wrote to memory of 3812	3580	chrome.exe	96
PID 3580 wrote to memory of 3812	3580	chrome.exe	96
PID 3580 wrote to memory of 3812	3580	chrome.exe	96
PID 3580 wrote to memory of 3812	3580	chrome.exe	96
PID 3580 wrote to memory of 3812	3580	chrome.exe	96
PID 3580 wrote to memory of 3812	3580	chrome.exe	96
PID 3580 wrote to memory of 3812	3580	chrome.exe	96
PID 3580 wrote to memory of 3812	3580	chrome.exe	96
PID 3580 wrote to memory of 3812	3580	chrome.exe	96
PID 3580 wrote to memory of 3812	3580	chrome.exe	96
PID 3580 wrote to memory of 3812	3580	chrome.exe	96
PID 3580 wrote to memory of 3812	3580	chrome.exe	96
PID 3580 wrote to memory of 3812	3580	chrome.exe	96
PID 3580 wrote to memory of 3812	3580	chrome.exe	96
PID 3580 wrote to memory of 3812	3580	chrome.exe	96
PID 3580 wrote to memory of 3812	3580	chrome.exe	96
PID 3580 wrote to memory of 3812	3580	chrome.exe	96
PID 3580 wrote to memory of 4944	3580	chrome.exe	97
PID 3580 wrote to memory of 4944	3580	chrome.exe	97
PID 3580 wrote to memory of 4136	3580	chrome.exe	98
PID 3580 wrote to memory of 4136	3580	chrome.exe	98
PID 3580 wrote to memory of 4136	3580	chrome.exe	98
PID 3580 wrote to memory of 4136	3580	chrome.exe	98
PID 3580 wrote to memory of 4136	3580	chrome.exe	98
PID 3580 wrote to memory of 4136	3580	chrome.exe	98
PID 3580 wrote to memory of 4136	3580	chrome.exe	98
PID 3580 wrote to memory of 4136	3580	chrome.exe	98
PID 3580 wrote to memory of 4136	3580	chrome.exe	98
PID 3580 wrote to memory of 4136	3580	chrome.exe	98
PID 3580 wrote to memory of 4136	3580	chrome.exe	98
PID 3580 wrote to memory of 4136	3580	chrome.exe	98
PID 3580 wrote to memory of 4136	3580	chrome.exe	98
PID 3580 wrote to memory of 4136	3580	chrome.exe	98
PID 3580 wrote to memory of 4136	3580	chrome.exe	98
PID 3580 wrote to memory of 4136	3580	chrome.exe	98
PID 3580 wrote to memory of 4136	3580	chrome.exe	98
PID 3580 wrote to memory of 4136	3580	chrome.exe	98

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3108
- C:\Users\Admin\AppData\Local\Temp\2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-20_8925f8dec474651025dd52fbbe68fe3f_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d8,0x2dc,0x2e8,0x2e4,0x2ec,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3580
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbfab79758,0x7ffbfab79768,0x7ffbfab79778
    3⤵
    PID:3480
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1804 --field-trial-handle=1928,i,1700223884488359790,3256353644267816211,131072 /prefetch:2
    3⤵
    PID:3812
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1928,i,1700223884488359790,3256353644267816211,131072 /prefetch:8
    3⤵
    PID:4944
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2260 --field-trial-handle=1928,i,1700223884488359790,3256353644267816211,131072 /prefetch:8
    3⤵
    PID:4136
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3168 --field-trial-handle=1928,i,1700223884488359790,3256353644267816211,131072 /prefetch:1
    3⤵
    PID:3504
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3176 --field-trial-handle=1928,i,1700223884488359790,3256353644267816211,131072 /prefetch:1
    3⤵
    PID:3212
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4596 --field-trial-handle=1928,i,1700223884488359790,3256353644267816211,131072 /prefetch:8
    3⤵
    PID:4356
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4592 --field-trial-handle=1928,i,1700223884488359790,3256353644267816211,131072 /prefetch:8
    3⤵
    PID:2616
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4892 --field-trial-handle=1928,i,1700223884488359790,3256353644267816211,131072 /prefetch:1
    3⤵
    PID:2660
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5076 --field-trial-handle=1928,i,1700223884488359790,3256353644267816211,131072 /prefetch:8
    3⤵
    PID:4592
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5080 --field-trial-handle=1928,i,1700223884488359790,3256353644267816211,131072 /prefetch:8
    3⤵
    PID:4532
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5376 --field-trial-handle=1928,i,1700223884488359790,3256353644267816211,131072 /prefetch:8
    3⤵
    PID:4496
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4876 --field-trial-handle=1928,i,1700223884488359790,3256353644267816211,131072 /prefetch:8
    3⤵
    PID:1140
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 --field-trial-handle=1928,i,1700223884488359790,3256353644267816211,131072 /prefetch:8
    3⤵
    PID:1544
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:4532
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff723447688,0x7ff723447698,0x7ff7234476a8
      4⤵
      PID:4080
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      PID:4956
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff723447688,0x7ff723447698,0x7ff7234476a8
        5⤵
        
        PID:5124
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5388 --field-trial-handle=1928,i,1700223884488359790,3256353644267816211,131072 /prefetch:8
    3⤵
    PID:5260
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4628 --field-trial-handle=1928,i,1700223884488359790,3256353644267816211,131072 /prefetch:8
    3⤵
    PID:5268
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4672 --field-trial-handle=1928,i,1700223884488359790,3256353644267816211,131072 /prefetch:8
    3⤵
    PID:5356
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4148 --field-trial-handle=1928,i,1700223884488359790,3256353644267816211,131072 /prefetch:8
    3⤵
    PID:5812
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5488 --field-trial-handle=1928,i,1700223884488359790,3256353644267816211,131072 /prefetch:1
    3⤵
    PID:4468
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5300 --field-trial-handle=1928,i,1700223884488359790,3256353644267816211,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5864

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1572

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3668

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4132

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4632

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4116

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5092

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4708

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4212

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3668

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4528

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5544

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5880

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5972

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:6080

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5204

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5480

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5108

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5600

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5720

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5888

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5980

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5376

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
PID:5620
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:6044
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
1⤵
PID:6068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
90d931bb6b576a98acbc3667e90b9aef

SHA1
cf9a19eed0510a3c86a54cdc5a010fe6fb4b81b9

SHA256
846fd028f43e1fc1705e4863bd4d33b803b71c8c769ebf8828207c2b78339412

SHA512
2f89666813d09c30c8a7797d62b375083be45254fe6c41e18d6ea9d8a9065aa45c4ea13012d34e5efd296c7f0f417f479da7427fa0a204a775fc88912cab6b3e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
0e701dda0751e493c6c07873f7eab9b6

SHA1
32a2d61d4d67d18af5be71cf4b64df7555f45107

SHA256
3a1a62ae1034a1b7d00124c4a33b002a7dd76806825e61659bbc80a21e374a88

SHA512
120a565aeb7d6fa18160e5c6912cf9c9c643aa9fdf7c2230ca8f3f3e4935e9c6a549d060ad99318a4b8ace464763bc91ef29c830aec2d152eb14a833b8345579

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
9c96cd0815fd148ad4e28848b997bc65

SHA1
56be4abb33258bc5ad739de9007d4aa540e211d7

SHA256
7d9846d10f446b235d51ac1c7f6c55626802d2074f3efe36f311be799d314779

SHA512
f548cc1807aea67754158df14da85dea751601f932250124eee997cd3dfe4d65c02c25dcfdcf23eb994e756939ce943b8cebfcdfa9e083f0e6eae1f3a949fb7a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
ddbf1dfa31f577bcc91c44cb8ff1e160

SHA1
fca3cf7fc1ec39949e3adaa408e00297f706bee7

SHA256
58de16893630b272cc22ef1db08e67845e642b154a420b03e1d5d17062bd0b1e

SHA512
d2d752a0c97196bd7ae8abc3018696774634371e5aab39d3c9cc36260b15f130f3d3e336a084f157490376d5221ccbb191c7daa234985ec4e91911d070aa5548

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\1017a993-e607-4be6-95d4-124483e3a5e6.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
85cfc13b6779a099d53221876df3b9e0

SHA1
08becf601c986c2e9f979f9143bbbcb7b48540ed

SHA256
bd34434d117b9572216229cb2ab703b5e98d588f5f6dfe072188bd3d6b3022f3

SHA512
b248162930702450893a112987e96ea70569ac35e14ef5eb6973238e426428272d1c930ce30552f19dd2d8d7754dc1f7f667ecd18f2c857b165b7873f4c03a48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
134eff706665127dae9d28fea44e3b5d

SHA1
ca2c50434f581e2ce6a41825236e645efa0b237b

SHA256
85d36244ad00b32338b5c9651c2611e0e9cf75f3c510667866cbee852296cc99

SHA512
fd142d22649541e82a0de657bd0addf830c57fdd3a596055e63929b1305f0ad67135219f72ecbf04cbfcf335f95a9a63dc2c4128cab5fecb6ba08ce0be760532

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
af9609c7de592d5d13bfce8c5d4a6ce1

SHA1
b789860fc267b4a9d25f886d8c135d15e868ef7e

SHA256
10187862746d1ea64b4eee9c3363041996df13ea40b6e96b3b67ed91d07c46c7

SHA512
954594669bfab524167096920d318e17986c9010a9b91fbdbd08bec69b623e671a4a3fcba1786bf7cc87ac375ee5a8cb9f2fbcce2cd3aba73f35a9e686151a6a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
1f0bbf4fca074c4d8d677bd1f477412b

SHA1
58ed8035e2f61f94b4d973f1d44e542fab4d4b7a

SHA256
10125b09e2d25030003efcb45a5af77f3b1f20f42ed5f12d54ce7df34d865ada

SHA512
2d2f4e430ff7a2118ee015ecbdfd47bc4fcfba703a783beed55d1a47ec0befe6ad52143fbcd0f403780ffbde82a4dd66cd0e08a7be94d5fd1c01933d674e79f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
01e7e17994f0262e296d836b5f01f2ac

SHA1
b64ac0ec89326cb3502e2062ff14738ab0b44f17

SHA256
cd2f293fd555260fbf9b05b614b28b1b231004d657342240e6e62df99aab4696

SHA512
cc7cb745c98927b98b68e7e996ebbf8a19509a020226e13159feff27a3f0c14e376d266d1b1359cf35b08f650ea200f154a3af2e01a4116b1ac906ddfc2999ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
fda36b32203ec830c61370563e30fde3

SHA1
a10bb077aaff030bd9a29ea0a72900246a32b7a8

SHA256
8889a1c6a77f45fc7d96f60be0645d71a6ed4f0c4ad03d5594321766bfc26738

SHA512
dfa9bb24e611a847b5bffa0b9cbdc4d357234afa5e1d3566b41cbdb5e6f3eaa72e72b692053571a3802ab6a4991e6049a365f135c570ae977c8663421942a1be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
aa8ecc5398d963bd47732e03a6029190

SHA1
3accc092b8dc81d64aff7afec314cf69597d7757

SHA256
978f12c2a44c33ca5806f9fe38b81de7148db8cb7009e3abc690b37271575efd

SHA512
49ffbef4b0ffd1bb927b9451ac40bcab286c5395070beb8d78cc371873441f0203c9c0194f140f9bd6b23cf1c6bc600f0b4271bf9d2b3a082649f8dea4241cf7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
18b19a925916b6107e176261dc89bd89

SHA1
d77be40d7519c11718c05f2481bfbe03de9839d5

SHA256
cccacb496cb98a37e933ca2a387ea616ded2b94be82acbea876f6d09c3d3ea9f

SHA512
f824512b5f90d8de60a8a742c0d61646f13d50adf81a63c83b4440e64a018344a74fc9ad8b6583dc0221d35c3a18333b6b4a86fda794d2bc8128f680df0cfc4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe585520.TMP

Filesize
2KB

MD5
04695aadffdaf28b5be826d27d48721a

SHA1
ce79df7c80926a86b0e1a922a05bcab16c7620c4

SHA256
0bc76b0a74faa8d4d25cfa28127c42750e86004af7a10d590e07a33a89726b51

SHA512
aa3438c4a09ea9c0c52dccb6cba636ac99c11b47a5b78317869823d6c39bfdfa304f40e67867b8ca9c4269efaba12431ae59a1d54c671f38acb9e4fe3d23da54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
10KB

MD5
405944ccdc1ba298d3211d4c38e91f82

SHA1
5de5b0f1bce7903f26d6ae8f65c066bc1bde3c3e

SHA256
158c06131cbfdb258e09c122bdcc1d8a3391a1b3aaa35eeca5893ab6e43fbe4d

SHA512
2a4a347e348f8c90cdf42e49d936b30af83c40727f42c751685d33fb798059021cc09121e7c19400fa76105866ef0cf804cf7e76ee90c4bed4dc7d5092585034

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
13KB

MD5
c2c1e3f080f412e3b34e2b0a0b86218c

SHA1
48a4b0f3f152c261da99449b0e31c6a2cbb5f833

SHA256
dbcffc0e76105a9e4140c058f9d3abb04db30f17079078f3921b035a64460f68

SHA512
2de3cde29342762aaf40b6b7d6417144adecaf0eaf0239d73a928d4282de77fee21a010373c817b63788a6644c11ced7046a9d2b841109e2d2108625dbfbb6c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\d8d81ddf-1aa0-4168-9291-bd41325b581f.tmp

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
264KB

MD5
1cf689f21fa4842e559b5634e6e9d162

SHA1
037208b1ec457b1dca30d27813ff0ddf10350c58

SHA256
51189dbd140ec273c9e76b114f941c5cd797e02d3f49d96e578e0946f056c799

SHA512
918c989f51ec09282e632cf55c14ad38cc8c3c0c83924f467140792abfd5de2390f0da94ca8ed9d3945754fb46d6a0e48bc8c9c4ed8bfcc655f4229d14605252

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
4KB

MD5
71f4dbf7bf64990c42bd472c01e71f18

SHA1
0b594d3598a68e10e9cd912c520d64046b8c218b

SHA256
e1cd7a780cf6907c68cf73654f4eb1d7e8da519e70e4d99f4d8ae8ea4e5b6af2

SHA512
35f72fcc64b9ca7af6dfcfe3c036352834c4039cd4e7fb253278a17049fbf7380c7349066c55b5a24fe9a9ae4c23984c2bbb779737a1f6650929ea0ac63d729b

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
6KB

MD5
334f30aa8f274d39927346f8b24d410a

SHA1
3b174e60bac892740996df8bd22f4b25ea1daa77

SHA256
571f5213c53469be371acb17bd774bb6c892b2beb398e532abb3cf067c60d2a5

SHA512
446cad7549b548d2a0c40b75855cda710845982a1c5efeff1befc111fb67ce6e7e9edda3a073fd4a78a514921754d7769280501b9e5d2200c97a585b98c69a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3580_1384435935\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3580_1384435935\bd433b2b-6fd4-4f2c-ac3c-94dd9d081524.tmp

Filesize
88KB

MD5
2cc86b681f2cd1d9f095584fd3153a61

SHA1
2a0ac7262fb88908a453bc125c5c3fc72b8d490e

SHA256
d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c

SHA512
14ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986

Download Submit
C:\Users\Admin\AppData\Roaming\a846ebbdb3e2edcd.bin

Filesize
12KB

MD5
d719bbeb4e1dd94bb2ce6f250425374e

SHA1
91de3eab8e9e6a08f7f3aa13181f88046942681d

SHA256
5e9eff1aeb9757acbe02e6d4584d9edb7b7c0a07d8f5f45ba7d02cfca5e2ce03

SHA512
4898b2e2ef5e5adb94e9da3e3df152966a8b0941293c32ccf1a74d60e287861725bb966b72906a6f3d3a2c292ba005104fa072bc72681fee87f2eb2ccee8b8c1

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
80342a4bb784e5500cf1088eb6c9750c

SHA1
135c117bb41f31daeaf6c5d882e39b82d9da9cf5

SHA256
324b829419cbec1b176a28905aee2948b6483fd9189c6f19f3ea97c9ec737582

SHA512
db0ed1a786516357b759c014f90ed20163d02edd9e661ac6c1b6a007c64034446aa1eceb7109078c25deb75ed4bf8e065491ecfcd7d665d1675c18871916136f

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
530eb05e3136acccf83890d634960404

SHA1
8da6bba1662082c8a91082bd2ecdf35c4d445c0e

SHA256
36acd3f73ac9eea2e0d02e2f6c010922cc553dfcec0a34c49b6a8f18b3cadf6d

SHA512
ac3a4779dd10c3a4f851ee214575dcc6d48a50460a30ec4a2b34f94f5955ccca75b9ad86a1cb6a190292cd1cda139b502918fcb2c13d0ddd972e7f7aad181f7c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
1e4f0eb3b9758a309a3a953f54430abe

SHA1
4118b419ce33dbe1dbb74aff612cb56504de7708

SHA256
0b8c643aa87d5beaad009f86983cc87ffe20e006af9d8005380587e712971cc0

SHA512
66d1826a44bf23ca92107965c7e05308a5e2436df2093230757f7aa2871a483a8842edbe529ec3116f15ffaf43b9664fa03d46dc90872664161c5c06a62d0683

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
330d124a4a5af53484a00b204cbf0818

SHA1
a46678072d8aa63095b6b0e81b592664d0b28a56

SHA256
344d6bcf38457822c89f864defc58ef5534c096aeb35b7dd507231900e968b01

SHA512
37bfea179aeab9a5634f07d39514abf9056a125fb2f70cf6e6c932b239f9fafe5c0ec8c7efd38ab281ac7a5cb90b4c7160faf5049adae2c21cb0172c787f46eb

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
ce0362f88b7f2e904cb8eb7a590c604e

SHA1
26684bccd4026dc183d4ce10ccf8bcc6fc641650

SHA256
f3eddc504df047a3867297662f7a3f65efad1d494c6223156d2c3f90c6d936c6

SHA512
07474df9abb37bb22e720640668354c416397f29ec5f16a887825a1bdd330ef7470eacaa1e3167ffd4baafe3e3a7dc62f380f9ab7c0f9f8f9373e569b2915b98

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
c42016cecc3d675e6720703e8bfde0c7

SHA1
345ff000a9d2d34b6879a7a01ae46301e159e78b

SHA256
2d4c0022a63f1d778954fc58df2597e2ce5c28505397688646e86d8dc2970136

SHA512
7b2e9e7f9488a3c62553f39d8b7be47c77017ea2e8dafa11689d201636c78dee6ff9c3a15e740eaeb901af1b34066b4c558706367fc2a978ce61276bf4210380

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
053a55c132abfa082b57d68ffb7cda5c

SHA1
d84eb2edc93a931fe63b85353ccf0e672f89ea9f

SHA256
5df53f3082fee98b9483ed0465d3e679f23a0e369d74cc4951b312482f0fe794

SHA512
f83e9207d687c75d5bb5070a7d09ba0d2bb6b1da9238d28374c980f3cc494f0cfb795795ec9f2b5ebb9a0d9c14de6e8db6eecbcc341d4dd854da940c1b9e5600

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
65aef8969c160e362772290dbb0dac2a

SHA1
6a0c11cf39ed514e43b8a42b8f3a45e6b523dc8a

SHA256
8ac02137e84fcac59eaa189ecdbe6abf24d2e74ec179b61e3e5c6ca176db190d

SHA512
65ec721a9dbfbfb6053c230c80a56337e476adfd1bfea248383bcf9e5621af4eac0bd7aafda2d32afc8b8456070bf03ea8fbeb884e05bca7f64ce6a0b2762629

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
3164aa5fd5540b3dff3a91c2ccf92090

SHA1
0aa89d99d3bba29711f96de6cf41ccc53460f4b2

SHA256
7ee93ac09ec4febd065085088d5bd5fd60ccf8e31ec9e7a58e7a56a5141ed402

SHA512
9be8af4087562e73883f495e7cc96fd32bd7c7050445f07a47d3c845cbccc84a62577af9553285c1a6b350d047419d337f8c86c798e25a3ac30447f2f501168e

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
2940a282b1ead34325f7b0fd690f700b

SHA1
c30200288442117b09edfe0aa5cf6db42fd8f12d

SHA256
ab8958359f9b06c91a0bae2eacdd4b47e04ca8c55afb520bc6bd2d0c93b53398

SHA512
9cf1f6351dc9490f5fc67d23df40b2565ccc625abc7993345b28f8e3e13379de74dfbb589b60669027c1764490d94d0c7f1cfec6065883040abb2f3fa53bf73b

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
ea70ad57498719a362a1de4744c18753

SHA1
7cf7343e75edb0b11fd730038b03d9bc9f208ceb

SHA256
a6660b48ddc1821ea7f4af352c6921467e82224bf28e48322c907cf8120933f5

SHA512
97724916d49103518ccd796a409d24ff753b5590a963ce8cb76881d03837307f420c1a9e8cd24732f9a2330f2670f7ad051e8fbf021f12024aacc102fea36335

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
d99d065774d2cda9340b6441ab2d634b

SHA1
26eed18f27606bf2d90851661d35fdf40ef504ff

SHA256
0af5abfd4b12f8e20a8ff858f8f54dcb90839e1ac5c04dce720860e451b14b1d

SHA512
73de507d251422ae263525fed8de8bbbd0dc71be00da51cffd6b8946549c56b777555913405d8851bb4630e693dfbb008e6fdc5f774a56fba88502c8cac7c71a

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
cf7b5abf3bf22baf1d10453a836b24e5

SHA1
83c3aa88a02047d783b0593b893b1c56f26466e3

SHA256
b703d8f99a27e70ba7088b148d7ab6e79bf78bc2fcca455cd3acaf13ef677c02

SHA512
e6ed31ee091ed957bdd0a85fb53387317a53c39b922fc32c320ff822c7bd91d8a4ef6f1c8a1a2d987196c2fc7bf2e55dfe4b6da09fc60f13a3fb808ff3a196a2

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
647f5b24a0d09dda9c2706adb56ccd78

SHA1
adc0f7b55e1c6d0e25f517cf17d8e3841ff33168

SHA256
11a14b976cc676c27eda3b36d03e6fcf924c05bd43d5068072196c4f1cbd25b8

SHA512
e3296295c73de65aeb94839886ab6c46891c20909bbc223a0686a90148a46bff49ce513868ce131e39103ef3dd453d36662bedb94b88c219af96288c32fdc940

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
e98d4b7b32aa3391d1d8de3fca6b45c4

SHA1
2f8974c6eb397207e0e50c00d5f25c306a0acd15

SHA256
f6f6cc0fb5bf35940d2004d4230f5adac7b8882fa3348177a83a49746e2ecfe2

SHA512
b90c8b88897bd3c0472b9aba5818f34fa4eed17fa578141b09ff8da54c536cd5bcba757bdf3de42b03c96d406f7bbbf0177d39293eda3719f3907e3ac7cd1c06

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
46775f48a32c08b62661db76e2326d71

SHA1
bd9ea45d4f78f1b85d43fcf9ae6e5f6b3b408d57

SHA256
95b35b783ff73224c828f19e6bc7db6c05828cb6c89bf1bc02d68f96ab23e1d4

SHA512
dae24505124be8e3895f4a0397267555361c8a6418e583c91b66cadec30578fad3640191738de2f30a72a9b4cc3d68c0608273aeed79578b0cf9990167ec06c7

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
d98de8b7c1a83b6b984bec4cdbc08f35

SHA1
dd0c9c65b21d7ffb43955fb4289864eb17805c35

SHA256
584f05242616fbffcf4c03e05db19b65ad8be5357d5ac748057e965d711fb6a3

SHA512
82ef323733402e88668ffddacf4b5d43e51ee7e2db038f3256206d113f285d8170ac073135365e19747e6052a18a78c4184e3945c16106cf7b0f23680bfa646f

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
473f480a4e4d65b2185199419203cf65

SHA1
683c217092b19acea93d2d86c722a10673de7037

SHA256
685627f60b4304e4edb50c0272a5b1458105c3aebb33761935b275b5d01eadf8

SHA512
b79c9b8f3ba61202ffa61639c486bd256d686521e5085ef454d3b10d723bcad822060b85c753a15e67ceae2f9182b5ab5057822672587ad9e00672df7eb456d6

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
0e1a0df5323f02fa141b11070035f203

SHA1
4662c48107aebe02429f78dc0ab4328f88ea9e8f

SHA256
169bdddd028372b9c8dc1bbc8bc1a48dce9089467cf7c3b5967ebc20713b1bb7

SHA512
5ef418e1f48b459f21f15f8462fceebbe5da2e16ff4cd02a614a6a508c1a9e28527c0d0778840600c85ba60d412de91e754b3aa0173ac4db70460367a2abc6e5

Download Submit
memory/1572-58-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1572-50-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1572-51-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1572-136-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1816-11-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1816-14-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1816-91-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1816-19-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3108-1-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3108-25-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3108-8-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3108-22-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3108-0-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3668-362-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3668-166-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3668-178-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/4116-83-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4116-74-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4116-181-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4116-76-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4212-137-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4212-346-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4212-140-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4212-352-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4212-147-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4528-375-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4528-195-0x0000000000B50000-0x0000000000BB0000-memory.dmp

Filesize
384KB

Download
memory/4528-183-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4632-70-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/4632-64-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/4632-84-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/4632-63-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4632-88-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4708-117-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4708-129-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/4708-123-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4708-127-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4708-116-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/5092-105-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/5092-97-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/5092-98-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/5092-302-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/5108-408-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/5108-401-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5108-610-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5204-446-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5204-376-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/5204-366-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5288-381-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5288-594-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5288-395-0x0000000000E50000-0x0000000000EB0000-memory.dmp

Filesize
384KB

Download
memory/5376-612-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5376-620-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/5544-311-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5544-388-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5600-436-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/5600-412-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5600-435-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5600-425-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/5620-627-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5620-636-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/5720-443-0x0000000000C20000-0x0000000000C80000-memory.dmp

Filesize
384KB

Download
memory/5720-430-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5720-697-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5880-398-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5880-333-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/5880-323-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5888-447-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5888-590-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/5972-694-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5972-411-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5972-695-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/5972-348-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/5972-340-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5980-604-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/5980-596-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/6080-429-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/6080-363-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/6080-355-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download