fbf8bcad72e172f48ee04b2958e9149047de9694291ba3969ed3b09b26c414b9

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
22-04-2024 15:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
Size

5.5MB
MD5

0273904df8ec31f2c753902105b6ee72
SHA1

f39fa41bb5c31a56421758d67feff1d3f447e973
SHA256

fbf8bcad72e172f48ee04b2958e9149047de9694291ba3969ed3b09b26c414b9
SHA512

d35069a7da46d02ced6f2abeb853063ef6255b749ee954c30ff6013c0e854728119f9164548de55d28c5153047758f2838bc5135c7f563b004ced941f84ce3db
SSDEEP

98304:9AI5pAdVJn9tbnR1VgBVmoU7dG1yfpVBlH:9AsCh7XYBUoiPBx

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2024	alg.exe
5108	DiagnosticsHub.StandardCollector.Service.exe
116	fxssvc.exe
1556	elevation_service.exe
3964	elevation_service.exe
4880	maintenanceservice.exe
3372	msdtc.exe
4548	OSE.EXE
2156	PerceptionSimulationService.exe
5212	perfhost.exe
6040	locator.exe
5300	SensorDataService.exe
5204	snmptrap.exe
5476	spectrum.exe
5908	ssh-agent.exe
5240	TieringEngineService.exe
3968	AgentService.exe
5256	vds.exe
708	vssvc.exe
5992	wbengine.exe
2112	WmiApSrv.exe
5788	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a429332bb3e2edcd.bin	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
File opened for modification	C:\Program Files\StartPing.exe	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaw.exe	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\java.exe	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000014ae44e8cb94da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002736f4e9cb94da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b908a7eacb94da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a12668ebcb94da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133582742051202856"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002ee5f6e6cb94da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000028bc95e8cb94da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
4408	chrome.exe
4408	chrome.exe
3824	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
3824	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
3824	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
3824	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
3824	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
3824	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
3824	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
3824	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
3824	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
3824	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
3824	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
3824	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
3824	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
3824	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
3824	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
3824	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
3824	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
3824	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
3824	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
3824	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
3824	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
3824	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
3824	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
3824	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
3824	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
3824	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
3824	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
3824	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
3824	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
3824	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
3824	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
3824	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
3824	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
3824	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
3824	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
6620	chrome.exe
6620	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4400	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
Token: SeAuditPrivilege	116	fxssvc.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeRestorePrivilege	5240	TieringEngineService.exe
Token: SeManageVolumePrivilege	5240	TieringEngineService.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeAssignPrimaryTokenPrivilege	3968	AgentService.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeBackupPrivilege	708	vssvc.exe
Token: SeRestorePrivilege	708	vssvc.exe
Token: SeAuditPrivilege	708	vssvc.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeBackupPrivilege	5992	wbengine.exe
Token: SeRestorePrivilege	5992	wbengine.exe
Token: SeSecurityPrivilege	5992	wbengine.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: 33	5788	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5788	SearchIndexer.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4400 wrote to memory of 3824	4400	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe	91
PID 4400 wrote to memory of 3824	4400	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe	91
PID 4400 wrote to memory of 4408	4400	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe	93
PID 4400 wrote to memory of 4408	4400	2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe	93
PID 4408 wrote to memory of 1800	4408	chrome.exe	94
PID 4408 wrote to memory of 1800	4408	chrome.exe	94
PID 4408 wrote to memory of 4916	4408	chrome.exe	100
PID 4408 wrote to memory of 4916	4408	chrome.exe	100
PID 4408 wrote to memory of 4916	4408	chrome.exe	100
PID 4408 wrote to memory of 4916	4408	chrome.exe	100
PID 4408 wrote to memory of 4916	4408	chrome.exe	100
PID 4408 wrote to memory of 4916	4408	chrome.exe	100
PID 4408 wrote to memory of 4916	4408	chrome.exe	100
PID 4408 wrote to memory of 4916	4408	chrome.exe	100
PID 4408 wrote to memory of 4916	4408	chrome.exe	100
PID 4408 wrote to memory of 4916	4408	chrome.exe	100
PID 4408 wrote to memory of 4916	4408	chrome.exe	100
PID 4408 wrote to memory of 4916	4408	chrome.exe	100
PID 4408 wrote to memory of 4916	4408	chrome.exe	100
PID 4408 wrote to memory of 4916	4408	chrome.exe	100
PID 4408 wrote to memory of 4916	4408	chrome.exe	100
PID 4408 wrote to memory of 4916	4408	chrome.exe	100
PID 4408 wrote to memory of 4916	4408	chrome.exe	100
PID 4408 wrote to memory of 4916	4408	chrome.exe	100
PID 4408 wrote to memory of 4916	4408	chrome.exe	100
PID 4408 wrote to memory of 4916	4408	chrome.exe	100
PID 4408 wrote to memory of 4916	4408	chrome.exe	100
PID 4408 wrote to memory of 4916	4408	chrome.exe	100
PID 4408 wrote to memory of 4916	4408	chrome.exe	100
PID 4408 wrote to memory of 4916	4408	chrome.exe	100
PID 4408 wrote to memory of 4916	4408	chrome.exe	100
PID 4408 wrote to memory of 4916	4408	chrome.exe	100
PID 4408 wrote to memory of 4916	4408	chrome.exe	100
PID 4408 wrote to memory of 4916	4408	chrome.exe	100
PID 4408 wrote to memory of 4916	4408	chrome.exe	100
PID 4408 wrote to memory of 4916	4408	chrome.exe	100
PID 4408 wrote to memory of 4916	4408	chrome.exe	100
PID 4408 wrote to memory of 4916	4408	chrome.exe	100
PID 4408 wrote to memory of 4916	4408	chrome.exe	100
PID 4408 wrote to memory of 4916	4408	chrome.exe	100
PID 4408 wrote to memory of 4916	4408	chrome.exe	100
PID 4408 wrote to memory of 4916	4408	chrome.exe	100
PID 4408 wrote to memory of 4916	4408	chrome.exe	100
PID 4408 wrote to memory of 4916	4408	chrome.exe	100
PID 4408 wrote to memory of 3384	4408	chrome.exe	101
PID 4408 wrote to memory of 3384	4408	chrome.exe	101
PID 4408 wrote to memory of 1724	4408	chrome.exe	102
PID 4408 wrote to memory of 1724	4408	chrome.exe	102
PID 4408 wrote to memory of 1724	4408	chrome.exe	102
PID 4408 wrote to memory of 1724	4408	chrome.exe	102
PID 4408 wrote to memory of 1724	4408	chrome.exe	102
PID 4408 wrote to memory of 1724	4408	chrome.exe	102
PID 4408 wrote to memory of 1724	4408	chrome.exe	102
PID 4408 wrote to memory of 1724	4408	chrome.exe	102
PID 4408 wrote to memory of 1724	4408	chrome.exe	102
PID 4408 wrote to memory of 1724	4408	chrome.exe	102
PID 4408 wrote to memory of 1724	4408	chrome.exe	102
PID 4408 wrote to memory of 1724	4408	chrome.exe	102
PID 4408 wrote to memory of 1724	4408	chrome.exe	102
PID 4408 wrote to memory of 1724	4408	chrome.exe	102
PID 4408 wrote to memory of 1724	4408	chrome.exe	102
PID 4408 wrote to memory of 1724	4408	chrome.exe	102
PID 4408 wrote to memory of 1724	4408	chrome.exe	102
PID 4408 wrote to memory of 1724	4408	chrome.exe	102

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4400
- C:\Users\Admin\AppData\Local\Temp\2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-22_0273904df8ec31f2c753902105b6ee72_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d8,0x2dc,0x2e8,0x2e4,0x2ec,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4408
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff98c009758,0x7ff98c009768,0x7ff98c009778
    3⤵
    PID:1800
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1744 --field-trial-handle=1904,i,17692775561837095927,15304592083863512302,131072 /prefetch:2
    3⤵
    PID:4916
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1904,i,17692775561837095927,15304592083863512302,131072 /prefetch:8
    3⤵
    PID:3384
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2200 --field-trial-handle=1904,i,17692775561837095927,15304592083863512302,131072 /prefetch:8
    3⤵
    PID:1724
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3104 --field-trial-handle=1904,i,17692775561837095927,15304592083863512302,131072 /prefetch:1
    3⤵
    PID:1704
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3124 --field-trial-handle=1904,i,17692775561837095927,15304592083863512302,131072 /prefetch:1
    3⤵
    PID:1284
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4312 --field-trial-handle=1904,i,17692775561837095927,15304592083863512302,131072 /prefetch:8
    3⤵
    PID:3404
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4584 --field-trial-handle=1904,i,17692775561837095927,15304592083863512302,131072 /prefetch:1
    3⤵
    PID:4700
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4632 --field-trial-handle=1904,i,17692775561837095927,15304592083863512302,131072 /prefetch:8
    3⤵
    PID:3628
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4928 --field-trial-handle=1904,i,17692775561837095927,15304592083863512302,131072 /prefetch:8
    3⤵
    PID:3436
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5084 --field-trial-handle=1904,i,17692775561837095927,15304592083863512302,131072 /prefetch:8
    3⤵
    PID:1772
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5240 --field-trial-handle=1904,i,17692775561837095927,15304592083863512302,131072 /prefetch:8
    3⤵
    PID:3188
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4960 --field-trial-handle=1904,i,17692775561837095927,15304592083863512302,131072 /prefetch:8
    3⤵
    PID:3456
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5248 --field-trial-handle=1904,i,17692775561837095927,15304592083863512302,131072 /prefetch:8
    3⤵
    PID:5284
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:5380
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff6a67e7688,0x7ff6a67e7698,0x7ff6a67e76a8
      4⤵
      PID:5420
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      PID:5464
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff6a67e7688,0x7ff6a67e7698,0x7ff6a67e76a8
        5⤵
        
        PID:5496
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4948 --field-trial-handle=1904,i,17692775561837095927,15304592083863512302,131072 /prefetch:8
    3⤵
    PID:5604
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4580 --field-trial-handle=1904,i,17692775561837095927,15304592083863512302,131072 /prefetch:8
    3⤵
    PID:5696
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4872 --field-trial-handle=1904,i,17692775561837095927,15304592083863512302,131072 /prefetch:8
    3⤵
    PID:5736
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4484 --field-trial-handle=1904,i,17692775561837095927,15304592083863512302,131072 /prefetch:8
    3⤵
    PID:5168
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=4836 --field-trial-handle=1904,i,17692775561837095927,15304592083863512302,131072 /prefetch:1
    3⤵
    PID:6164
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2292 --field-trial-handle=1904,i,17692775561837095927,15304592083863512302,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6620

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2024

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:5108

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:416

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:116

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1556

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3964

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4880

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3372

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4548

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2156

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5212

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:6040

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5300

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5204

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5476

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5316

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5240

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3968

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5256

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:708

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5992

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2112

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5788
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1596
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:6096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5956 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
1⤵
PID:7156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
a3b9fa86d5c8db9962e37adf1fe55524

SHA1
8ecf5d2d859dbc10369a18ebdcaf69b4e1dd6c01

SHA256
6e6c64561fa149aeeb002c2c1d493e01076621b4bf6c9dc066ea4a74d37de3f2

SHA512
3db9d1e407c6ca119b962d32c8f8d24983ea0387795fac093deb2cb81076dea3f01814bf6bef1ca6f7cecf9c496c98e7fcb367834154958707b90bfea78d7640

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
d900f4f47d0df8bf1a09ed20fae572d8

SHA1
834878bc37c8bcd2e69978b70ea8577480f2ff05

SHA256
8c81df7635188f006de87c387a0a023a060a7157490d64b9e843bd774c054779

SHA512
c9fd70944f38072752d5c956664bb25cd5b8066c42f6b21ec4caff2fdd406909fc313fd67e5f5f32190ede607f2b2cc8ea0f77c757cb64cc7befaf07f906e109

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
da821bbd696cad902a8f5c9777cf6994

SHA1
86dfdf932cdbdf43f3165e5b0526e97f77e8bfd2

SHA256
efab19207adb4c5544491c2b5c484e2a2ce13b9e56750cee725221b8aadc0c8a

SHA512
2c07f533c9ab1ef12c6fb605f4cf300698efaa0d490fa2f282207d8674962ec8dd06569d4d74f36c71a792baee10557bb0f5cd3dc47d7accacaf303124a9b1fa

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
6d6fdda3a24d5c703acfa9218cce2b90

SHA1
0d7adba04aed2978ebfe70322bab372bf3cf2661

SHA256
2bb9d09d9030444a42d41c1a11fca94e8dec4b498d03f64d1390767302e97e3a

SHA512
8a370028e197db7e0adbdbcfe4a736122a0ac1a21bb1a29ce6b2b344a528412a983431efcf8b63d17fe50595198b541ce30953595347b70d71363e160510190e

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
83f4ddf52978a3af545c11b483e80e99

SHA1
67a043ea516f0dadaadc5f7c928634d832fe5e1c

SHA256
c2f54b6004b9a141a05260be52d97dd3deadee419db3a6217010042583012749

SHA512
74163907f9f2a84c8f37c25c8c470f6283672a06c23d59b8a4da5554d6818843f36af26657305d828b94d40ace45d72c3d5b97347dfc2199e076ec063d47976c

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
78d928a2354b4dae055fe780097c7c53

SHA1
1130d68339023bd53ca0ac6e6acb19dd2d04d67d

SHA256
89f49c34b054e42a6cb895c37ab2164e3143ef8a2b7c7000665f12f982e55e15

SHA512
e6cc6e79f8956c18cc5a2435e6c56328a614c7366923cb25b41fe46f8146ad1906cc9d799123428bfbd800a91698d933be43380e997735ad01f27b38526c0063

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
de4b58b886f8b4eb8ac1452b9b271f9e

SHA1
75037a6864a59f496da8ff8ee69627e44f21363a

SHA256
48bce60ee5f28e964b1f0323ba6c13d00b54087255cb076c09067ecfceef1b20

SHA512
707e11c1ae39296247a98d4932d89f9752a72fe645896a67404fbf3980f6856f3b87ae44ac5ff27b18417887e57fe5740df2d700150d9f83e30717baf0111ea5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
27ea408204b09721506663b1900f9721

SHA1
05ef26f80a42daf723a285004386f76e4f891e7b

SHA256
d408d35d312dc745cdc7a3c7ff83943a3cee4a0055fdb69e67e5d35c97b173d7

SHA512
b9a1f3333a64ee9295570ef7aa4df2dfd78de237811abcf176d02a3cae5344a6c3b134ed9664e7b63d1fe6d0a522157d4e1b7822759fb6fec0e0de6f7ce9b060

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
cc70cd4e49e883d57e6f567c780572bb

SHA1
a80e1c6252f66d65041350be069051709b1b77c4

SHA256
80bbf51f72e0b98711ea7fd594ad747e2875875ca81c1e576f1b7c786620fb9e

SHA512
a7e1b19098a2ea203aeb0a5db0c2d5840e208e1fc0be6a935d1581a0cf93e79dcd99659fb32c6a1d652e84fb3533596e4a1e8bdd15a0979e6298985e100895d0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
138030a3f3fa70697c10254b7f66c7d9

SHA1
c1e49789b9deb719fe1636f45f580d4eacc7071b

SHA256
6f9c24a80bb7ae84d305a62c6c8ce634948868ec6d77078278912ceda0b0d4c0

SHA512
ec9ed08e480ad663f32820da72855ec196b754d03eb95de863950f9dbff6d5a0bf40370b9e096cc4afe66aa6e9eb282ee410adef196d1433ff0f65c60e9bcae5

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
095af49a5c4c5d9adcef1ec4e5bc1d9c

SHA1
a88819e9aaca3ccbc06697e91a8a4975890f3901

SHA256
6cc1c15d11ab0fe7ec419eb6e6646cb872f5ea52c9505a43f44b0f56f8e988ef

SHA512
92bcc5c38ecbe1e70d5554b7989d44228136bbcf9bca7a47651aafdedd1b6f4215be0a9cebbd0ef6f572115915f07252d89437f1f53f253d0ae335fc79981df9

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
46ae00fe3476b8dd3dbf5f91f5ffa62c

SHA1
263d5738aac9e5ee9f5bb881c9b72f85f384f3a9

SHA256
de2f916a0c90b3424c38bef33e062dab2fdcc5130fd2c8989b9c04c74a2f88b8

SHA512
5335ef1f5ae8668184006011bf4f7402f5d0e3fb3bc6b1e051cc534413500346ce82220ccbd7385a6c39918f80251913b031b50f5926d0bda4a9fc12ce91cd2f

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\46025855-85aa-4c3a-99c4-7a9daef8eb37.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
30822ed4bf5cffd53a6ebb24ccf95ef9

SHA1
ba748b5bd926ad99e4e427657cde5034210d403c

SHA256
778d5ada3ae2a8a4c483ede293914d02e1dd69032fd475e35cd1cd6cdadf71a9

SHA512
3d3eae582352f3405ea4ad845524dbf680dc7d4cec754581b1cb869cbde8c90c09d7471b21e4950ad3c2d8c747ad3c48df5e09bf8eed3ef5595a316db4d4d538

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
85cfc13b6779a099d53221876df3b9e0

SHA1
08becf601c986c2e9f979f9143bbbcb7b48540ed

SHA256
bd34434d117b9572216229cb2ab703b5e98d588f5f6dfe072188bd3d6b3022f3

SHA512
b248162930702450893a112987e96ea70569ac35e14ef5eb6973238e426428272d1c930ce30552f19dd2d8d7754dc1f7f667ecd18f2c857b165b7873f4c03a48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
0454158e62377121e7e56fbdd4ac57f3

SHA1
ecb27e21f23ff8e7b5a776daa4c359c7f7f02c4f

SHA256
4fd62713ef9e12a971450781ef546babd0e69c63a262b50fb8f1789adeda5cbf

SHA512
b2acee49e1d827209d2fe09c15706648809432ea186321baa6670ab2f6bfb1855a9b9dc675c119ffe37edec0ab1ea86e97e50d7a93917724c856c9ce35b05827

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
939dabe712a3ebf20d9074efdefe1790

SHA1
b997c901e452bbabb258fa270a3710403f0c0d79

SHA256
ab1ec5412c317552749f5e693ca45a7047727ce5b123af61881ce651265c9bd0

SHA512
d650d0bc87e068136d1081558741fe870d0c462237a8fc3ea840ec29543f02d9c2ff02275e9202cc8dd047d187cf3d46ec0f00ba211a5aae9acaa49edc9c6bdf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
adb52a5f861da09f8e324ae015e691c7

SHA1
1d85a95d2e2184c2f8b518316ccc028c57a9b721

SHA256
4d6c3da52b226b33b3f3898457d9ccd084dd5ae181e522e8235a9c98b45e20e8

SHA512
32e12fca83c382c62df14081abb63a14714f9d6924b4b707db27cb4ff758cf037c3944676ef21dabf483a2e7e6f75f4d643ff87484e9fa7d990a8279fe17f2f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
b6bab6b214eff6e3710c0445081c17b1

SHA1
7c6cf2acf4393288d9b601eb354c9f3865903131

SHA256
835993d67edb8ef41577b036b0f5d98723d1208303126321a8bb94953fc72e00

SHA512
563a9bc46258d6bc40ea0c9e5416e22f6e5caeb9331a002ded332e5806c3d6b3b4fe64f5201b3b7a6748c3743ddfe0102315d6f7f12a5719c0a57c91d85d0745

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
0a75a94f1adbc78a35fb4f896752f403

SHA1
d944e612969a2c9b4db4b8ea5fcb919c0117f629

SHA256
350bb5cb32ad34eaeca1d96e3bbebcbab790bf9011f0437297f5c3ecfa09708b

SHA512
7a9a4f3b8e2828d99587b624d9962bad919c1358809c7010843c11dd06a7ed1d7906b61a7152e115f59c19ffd56a4308a317edcce6c02f1569beab6d8943b1f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
b837ee5611a8bb48ce1d801020127585

SHA1
c3b8ea76e5c7e04676fb6b656c12ca1401690249

SHA256
12dd3e05d3a56b27b0c311bff2fe9d00083ea55ed09ad2ddbb446970d914e968

SHA512
9198938a5e550aeca90fa87eccb5e911f605f4de6fd0f1a4979533a1d7d14d79d1824c09942b0d9123829ab2d9c4caf53275e5260b3a35fccf5698779bcf3b75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
a6afb147171fb283663c0bbd977f2029

SHA1
60b3e556b951042edf399466bf6010cd822ae384

SHA256
c4409ee6583c98cd4df9b4427374a4b539413596c99746daf4de54f85d87e63c

SHA512
260505bebf94ef09f51d8f1e334565de9bd54414814b52ce1bccf1767cce583e39949a335611db95bad2c270484dc00887d6970f4ade12a5510c60f21c608282

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57d5af.TMP

Filesize
2KB

MD5
04695aadffdaf28b5be826d27d48721a

SHA1
ce79df7c80926a86b0e1a922a05bcab16c7620c4

SHA256
0bc76b0a74faa8d4d25cfa28127c42750e86004af7a10d590e07a33a89726b51

SHA512
aa3438c4a09ea9c0c52dccb6cba636ac99c11b47a5b78317869823d6c39bfdfa304f40e67867b8ca9c4269efaba12431ae59a1d54c671f38acb9e4fe3d23da54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
10KB

MD5
2bb4f34f12170c0019b84ff1a7f1ec0e

SHA1
5bee370719d1fe8f1ea797ad2aa2e3cadc3d0f72

SHA256
6b532ad0ca02dffbe74c9d5ff8ada250b864584327446c4d11266d3f7a444b3f

SHA512
0ab6235db526890d2a68ae0b5b48f6e5104a4b006f1d6c1fe667b364a2f93f27fd68729b6682a8c288a5651756c4fa3fe689087060c62c3c13483c17172c323f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
13KB

MD5
e29859075398560a6a253c0372e08149

SHA1
bd2c3f71e463c4b72cd17b6ed9d58bd215151a75

SHA256
8bc3f0559247c01377fdb11f53cd6f7df76c48f48a7eb6196c3ee1413865117e

SHA512
537769752d02afdf3785b84b9548cc83698c0de45ec3338d0253d82707abe013c692c09bb9d6bfb018825a50c3c520964cfdd8e467426e85fd781ac5febe1e82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
264KB

MD5
5627873b0127940c7164ff82ff71ade9

SHA1
30c33022855ed0ae5ca5ecc6e934a72e63bb32fe

SHA256
66d681cabb83f528d0d7766a72f93472d213155fee19162300197c6e9af66ce3

SHA512
180c95ad5a290c3c18b941a7b8146190f1d9bd451e809a806e6104bdb4b9d53e12493751e5f60af5d25a9b384ab478a5dab05330dc4b01b79a67a5174c04fe16

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
4KB

MD5
d91448e928b3a49c7c68b79a5dcafbf2

SHA1
4bbf1e5b3bf4fd80fe9fdae64881e2ff9f11f97b

SHA256
a1c99e431c14d464b9d83233cd6cf2277526bff6b32de75523d29a9bb2981355

SHA512
4e521f748d38e5fd6ca5b0185170e631aea83d77ccda329465b121edc88a4b469285bf775931b65cbfbb981136681581fe1dfc8ada853f57fcaae3ca6cb97021

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
6KB

MD5
f5cfa8e3a3183f2af657bfb5fbbf55aa

SHA1
ba0842a4ed38c71d29d7bbe7465bd07076eeb403

SHA256
7e49f3b072ec645db80dff946f1cdc1b1ca562b520ee8573fca9abce74759d64

SHA512
6d6a23762304e660bd5083b1cd3e93b7e054eb9f5b5ad93014a7dfd0de972c2fa1aca20787db8aca02cfdf6696d027503e997d51787cff74e46206220de66eb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4408_430594057\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4408_430594057\dd30f85b-3312-4a01-93b1-14980f9b034a.tmp

Filesize
88KB

MD5
2cc86b681f2cd1d9f095584fd3153a61

SHA1
2a0ac7262fb88908a453bc125c5c3fc72b8d490e

SHA256
d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c

SHA512
14ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986

Download Submit
C:\Users\Admin\AppData\Roaming\a429332bb3e2edcd.bin

Filesize
12KB

MD5
ed8cb2c35696b7136b1087277d06fd94

SHA1
8d76df15da0ad1e769e8bd695b1465bcf5af38fe

SHA256
8c81664a426800b86fc5452ca908bed1e1eb4b67391da848c9a7929fac4d652a

SHA512
c23cf8cec5eed4dddb8c8ab9c05e61cb7ba365ccf05e0798ffb2b3f23005472c69b32797f83b670f1da8d1759ac07a836fc262e25337091234a2289037a06616

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
96f1f0b350054fb265eab2748c4bd89e

SHA1
152c2a8d945e299aebac494af0bb79c9a5830819

SHA256
87827828fcdee1bdefc0d3dc55d80b5f6b12a0fbb387d65a3079645214e4d9c7

SHA512
604eec01635b2b9157f26357afc7cab70d28b5e04ed3f4a981257e27f0b9255142185edbf13e3d81d3962f06f3540776cbcce93c6a91b284cb4bb6dd054dafac

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
f30408ad67d2d2e65d2d05b898073c31

SHA1
93bd31b2e1ffaddaa5898332a94f9c8c7574c100

SHA256
c9772f129bf8bbab3a496a3d712e588df34d0f4f0e151aa13929de473431ea80

SHA512
7f22cb1288992296ab77b6102c80b17352930016e3378153b56aa65e59834fcece61c9e557da54f00dbf0f716eeed65daf061c350168847af5dd166e7320bf44

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
ace97e940992872abc7279089185708b

SHA1
ea12f4d03276f89e1953287b24b45bb3c5ecbe59

SHA256
fcade5f17039c240d900f201e33467f5d638410f965ccc33b1e860ca2c784bbe

SHA512
462b56d54b08caca60a80771e0562f5838d895e310839d6d37f7bb5fc54377f90edc816a17cf5ed3395e6c26f262a53ae3ea73351bb1e9b65ee3bb69534889b8

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
e864ae680b2c6e75c436f0ea9c1975b5

SHA1
2ecc5a1d8d2053c9229df8c8bb0b38ff1c56daa7

SHA256
e8bf2941d6660f38eafa0e78919029f46342897aa9a0f382ea2b2a1de4405ab7

SHA512
18eedcd658d54691afb98094331f32ea9af93f91dd0083363767c6b2e2735e67d0b722d2968eb1c225d252709a2cf93624068480feba2348eebf39c40d98ec76

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
b065ddd245dd946a58fa3fe6af64b4b9

SHA1
ae2891f7c7ec2d007ef338394bb0e0dbf472085e

SHA256
4004a47e7809510b87d0a268f102428d2006596ed3c3cd735c620eb76967df39

SHA512
f8ca83b3fb65aa0d041031f814354a18cdc783a562eccc90a95e6471694c2ed62092d93ea0cdda2f3577f7f479fdd76d281b846599202bc1d80840441af8e976

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
b1723d7889be6fa02855d4e15cb3215a

SHA1
f3dd25ea8c9f331bf756cf566ddc617db2169f69

SHA256
29fb533dc74a3769eee55973b9cc9023c1294818f907b5d4c8039c871832a6b6

SHA512
bb7f799633b88820eb89f5d556e72901e9a1f9a4ed31f4cdeeeb0f9b784589448cc663b06454024d82fae99b4b865611b83cd568c2e4e3a0cdb2c194ac521c15

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
a8315dde533bf4c32c7bc9cbe3fbcef8

SHA1
3627b216cbae937f626af4200aeb27c4f553e03b

SHA256
9083cc057057dd304f7a3da7d383cb66d88f4bc680cd4b93000678f7b4caa0ce

SHA512
4df5d1ca928582de5985eeb4d3b09486bb88475418b8c039f529bae652d3f22baa5bcdd95a72b0b71a810dff62468bf7fcd0a25de6ea917fbc0d1fe3471a8ddd

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
e3c052de5cb7e18d48c1bf3362fab018

SHA1
511c62ce27162d0394a9b6e26862ff09c87967b9

SHA256
bf4cdfaec93c61f64ee460712b7817343c0c04e26d37d0e1c3a301e5f9b6c731

SHA512
6b45538b2dc8329975736ff516aba724e78eb273181fe88bbf26a0de306e23673442f774a27956622f1c4f0f835235f375d127124d98c158790d40140208a276

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
3999f408d45618f12117a1ee3b68d317

SHA1
b2774eadc4d591d1e1f7607626bbf52b23928e86

SHA256
bc647a71c9aa376e7a4f13cff0706efd4ed4036adbde25599c58cce2f52994fd

SHA512
50916aaaa7038eac0cf2c4d4d85969d3f3e6bb5cafe0e800f5e75d7f6e25a103cdb042555968e276aefbdd1ff883ce8faa62bdb826e9c19488e2675c0d61b0c8

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
cad1618dece226fbaf7c2bee00a481a3

SHA1
51ef2dac112d59fcc9fbb501de08f1157098e0d3

SHA256
d7f0dd4760c3ea8f0886e720e0aa494906f8232c62c8883217650a254cc7ee97

SHA512
8e76686da6a5c1db02556ac7ff064ef2198877938c0490a67dbcf9b26508859cbf11e401a1d5df4f9335ae2a2608de2c76aead1d2ccbbab795e5b768c06b1ebf

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
e946cba17395cb481f5e09faeb4bce99

SHA1
690f24a6bceaf9e809ae1a00b745a2f2dea1017b

SHA256
2c6e1ffc66ba8e4e935d2140cc1dc2f2390cc08d7ef936e75c04882967fca68d

SHA512
2f97b8a61570e977a2d03d40e6198cfc20136bacae3092f908e957f009724511fc030ad4477e1701e8a97ba7df35f7393d13f1b63ecb656889b9808f76d8c113

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
77c8d5c41d72d3f704e99264b7926956

SHA1
e3a65c133980bf8d53854d3aba5d4e8b1d730e75

SHA256
553711770c3e3a69696d6bcf77296c3fc94ef89eb50e8b2ed9d6ea23118eb935

SHA512
f5d2752cd515cfb0c253fb4eea66c1f09826f87c07e4b94469b3b15884817565c9695b55e8f930e6e23c013c74849a0fb2d631ef65abcfb1a7e9d1b111ea800c

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
8d91287312fdb3e8113e48934ea76473

SHA1
efdfb27a776a8620a25eb3c0f7b482d111d13a27

SHA256
b5362da47d06d49b9fc0008b12e70cc5650cf9a4987a995dd756554ad3cf2705

SHA512
eed4777c5e404ec3bfb39c64d7bd33b2c086a37c7e5b74bdfe22af4080948b6634d3713fc8b17c6993fec6439b074f8f2192c061824f7538000c8e774086386f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
6e27cb8277f45f78403383914230319e

SHA1
f62f75b4dc0e4cc7239cd99f061a66cae53c051b

SHA256
0d003ee12791278046d20946c13bf52d9406d90bc0192a1515551e175778f248

SHA512
c8b1d9ad05cba0753e53bb8892ac7ff6caab7811fe9f613b22b0e982dda88edd95f0f5cae650cfb9d1d6c1a9483017ccf5db76c58d61cdb353ffac0bbc2cfe68

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
bc7d4123ee50d3d45b8d27a12c2719a7

SHA1
0ea8478b95d41aeeae48b77446ae3a45be77d03c

SHA256
4fe3d252dde600aaeb1539e602dc2524392fdd0385f4a83e9b575c0e14bff282

SHA512
00bd55666f4f11927f002a8b5f9925d2c7dcfdd52ce1b533d1664a60d784f0c74378c5158f5920b64d26f787f7f3a9c9841c1acef7a91dee94c8a8d3a80c2aa1

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
238c9958c2cb008033bbd45321362767

SHA1
3bd2d5779998c23bd506a731f639cee6d0c817bf

SHA256
6626fffe3fae9b47485cecc7a54dbec01c9e47c170b195d2a25fef110cfc7ffe

SHA512
44ab98d2306693f74143b1870d1d2a8b9814489690641388b03b9caefe0534b8285ac9fb29094898ac57c2087b931f8e1327e1ab84b5e41c0b733e09415ac68c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
264d6536699e0585024497fb6e13e1ab

SHA1
5f5ccc7117a25931eb1cc0ca5e262ada71951c30

SHA256
7d08fb774330f38203ee8ebf3a682a2ed72c48855b2689f039a931bc8be25b4e

SHA512
829fed00ff6df36c69963a08ed93d83a28eefc46c77f4a181a29e992b50746f25848b65756060b03505a58a8202b235d8b7f5d27892d8470904e7bd1c2df2d6d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
392dbdaa35235923057c6d7dc63ce82a

SHA1
5f4419dc99f525499496fb717a6101792bfb35f9

SHA256
bef4446d42a7d96e567d1a621af97e7cd2c9a88262c5bc391b63d92a63936ccf

SHA512
6f06f7f5650f0c5729c9c9b48b1dadb4ba8bf2681804e211f9824fe3f5d38f9c07d2198ab34eb0801e179fbabbfba2cc0af795a9f447bd0fa53905cee1ca5412

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
0e1a0df5323f02fa141b11070035f203

SHA1
4662c48107aebe02429f78dc0ab4328f88ea9e8f

SHA256
169bdddd028372b9c8dc1bbc8bc1a48dce9089467cf7c3b5967ebc20713b1bb7

SHA512
5ef418e1f48b459f21f15f8462fceebbe5da2e16ff4cd02a614a6a508c1a9e28527c0d0778840600c85ba60d412de91e754b3aa0173ac4db70460367a2abc6e5

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
d2182136f8c8b1ef0c5b6fabec988e33

SHA1
c7acb6e65ed6765cc2dd5bffcbf070d0d633bf04

SHA256
94b90077b177f5141256f2230475fa8f4e89919111b61e70bdcec533529f821e

SHA512
204ca6d0b85217a54f2008cda5def7400586ef097049d311b37c62795006b5129a8123a95b20ebda76bd84294dd8b9fd67a1f7b7ac24300da24ac28d677291be

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
56adc905b31f452e75eaeaa1d01272af

SHA1
98d1c2182a6c5a0f128fc172addf081fccb03d16

SHA256
e9dbfd06574f1f3369ed477b40749c379044bccc18f4c647aee2e841073ff20e

SHA512
4d5c59302973bf0a8774f4256c181bb6c09926aaebae068a071748186aedf5cc03d27641a64a17977343269268a595eb0debe62e65d04967897da820aaa994a7

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
196b1c37f2e88a7cc1624b6771d5e46a

SHA1
1af941d560f3d3ef0f63adb7334220eb5015f147

SHA256
269f7b0e0bcc1f4a9e6b34dbb5051dbac4e6bf1e807daf000c49a8bd90536fc6

SHA512
f0f46810d0acb6d4a65f636d54255f3b1add7d527cabf6e75a5060473124af9dab7320563c6ee053104e0aa5a39bb8afd2abee5bab3b0993706d57154a72ddab

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
c8e3350cb24b2dcc5a5af6a71733d7dd

SHA1
82c7fe2f8cf1c372e1855c6de8f1781a5baef1f2

SHA256
a80628956923a61a84505b049242087f968db1b6a273fd3f03d672392025df47

SHA512
daa0208d0ef4a5cc295558e8713345aba7f9b9fa998e21185a55b280e350397b708cf4e0f9d004481f89c58adcfa2b44d0be1930db91ba8bc0c64b38a6c0a42c

Download Submit
memory/116-56-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/116-58-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/116-64-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/116-66-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/116-70-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/708-603-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/708-593-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1556-98-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1556-72-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1556-71-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/1556-91-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/1556-78-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/2024-37-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/2024-21-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2024-119-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2024-23-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/2156-173-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/2156-389-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/2156-188-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/3372-358-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3372-149-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3372-145-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3372-369-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3824-18-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/3824-13-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3824-11-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/3824-83-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3964-103-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/3964-102-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/3964-110-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/3964-204-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/3968-577-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/3968-576-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3968-571-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/3968-563-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4400-24-0x00000000020F0000-0x0000000002150000-memory.dmp

Filesize
384KB

Download
memory/4400-29-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4400-7-0x00000000020F0000-0x0000000002150000-memory.dmp

Filesize
384KB

Download
memory/4400-0-0x00000000020F0000-0x0000000002150000-memory.dmp

Filesize
384KB

Download
memory/4400-2-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4548-158-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4548-376-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4548-165-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4880-136-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/4880-121-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/4880-130-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/4880-118-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/4880-137-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/5108-142-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/5108-51-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/5108-43-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/5108-44-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/5204-579-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/5204-378-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/5204-384-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/5212-276-0x00000000008C0000-0x0000000000927000-memory.dmp

Filesize
412KB

Download
memory/5212-533-0x00000000008C0000-0x0000000000927000-memory.dmp

Filesize
412KB

Download
memory/5212-205-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/5212-407-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/5240-627-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/5240-545-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/5240-553-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/5256-581-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5256-588-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/5300-361-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5300-370-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/5300-561-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5476-592-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5476-396-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/5476-602-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/5476-391-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5908-608-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/5908-535-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/5908-408-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/5992-618-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/5992-611-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/6040-338-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/6040-543-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/6040-320-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/6040-551-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download