54f6f5b199c8c2abdd99f66f8fb5940ff9802e797a145d183d6e9eca4c5186ca

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2024, 13:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
Size

5.5MB
MD5

10084fc1d1ba34e6d37c15ffed67ea8c
SHA1

e119ad998bb697376cb1d0fa1a8d773f355438fb
SHA256

54f6f5b199c8c2abdd99f66f8fb5940ff9802e797a145d183d6e9eca4c5186ca
SHA512

f938e468d017d6b9295de0cc3f3daca131621efba2feb2f26bc5773b901a445b7ec282c25275699a022cc83d800307022f7d2302e8a8f9f3e9498e5e69943b17
SSDEEP

49152:nEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGf8:zAI5pAdVJn9tbnR1VgBVmKqo4w

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 17 IoCs

pid	Process
5036	alg.exe
2656	DiagnosticsHub.StandardCollector.Service.exe
2352	fxssvc.exe
2412	elevation_service.exe
5096	elevation_service.exe
4384	maintenanceservice.exe
1176	msdtc.exe
988	OSE.EXE
556	PerceptionSimulationService.exe
3304	perfhost.exe
2800	locator.exe
3908	SensorDataService.exe
5172	snmptrap.exe
5340	ssh-agent.exe
5864	vds.exe
6020	wbengine.exe
5164	WmiApSrv.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\865776ddb3e2edcd.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaw.exe	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{1342F81A-D5C5-42B4-A5E8-933F7759DA30}\chrome_installer.exe	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002d7a287182abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000005ecab7682abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000085f1c47282abda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e0da0e7382abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a7ca177182abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e44c627382abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c64d9d7182abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c49c327382abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
3704	chrome.exe
3704	chrome.exe
3408	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
3408	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
3408	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
3408	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
3408	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
3408	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
3408	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
3408	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
3408	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
3408	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
3408	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
3408	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
3408	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
3408	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
3408	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
3408	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
3408	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
3408	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
3408	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
3408	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
3408	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
3408	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
3408	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
3408	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
3408	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
3408	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
3408	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
3408	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
3408	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
3408	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
3408	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
3408	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
3408	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
3408	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
3408	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
6512	chrome.exe
6512	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	5020	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
Token: SeAuditPrivilege	2352	fxssvc.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeRestorePrivilege	5496	TieringEngineService.exe
Token: SeManageVolumePrivilege	5496	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5656	AgentService.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeBackupPrivilege	5980	vssvc.exe
Token: SeRestorePrivilege	5980	vssvc.exe
Token: SeAuditPrivilege	5980	vssvc.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeBackupPrivilege	6020	wbengine.exe
Token: SeRestorePrivilege	6020	wbengine.exe
Token: SeSecurityPrivilege	6020	wbengine.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: 33	5700	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5700	SearchIndexer.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5020 wrote to memory of 3408	5020	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe	90
PID 5020 wrote to memory of 3408	5020	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe	90
PID 5020 wrote to memory of 3704	5020	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe	92
PID 5020 wrote to memory of 3704	5020	2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe	92
PID 3704 wrote to memory of 3964	3704	chrome.exe	93
PID 3704 wrote to memory of 3964	3704	chrome.exe	93
PID 3704 wrote to memory of 4272	3704	chrome.exe	105
PID 3704 wrote to memory of 4272	3704	chrome.exe	105
PID 3704 wrote to memory of 4272	3704	chrome.exe	105
PID 3704 wrote to memory of 4272	3704	chrome.exe	105
PID 3704 wrote to memory of 4272	3704	chrome.exe	105
PID 3704 wrote to memory of 4272	3704	chrome.exe	105
PID 3704 wrote to memory of 4272	3704	chrome.exe	105
PID 3704 wrote to memory of 4272	3704	chrome.exe	105
PID 3704 wrote to memory of 4272	3704	chrome.exe	105
PID 3704 wrote to memory of 4272	3704	chrome.exe	105
PID 3704 wrote to memory of 4272	3704	chrome.exe	105
PID 3704 wrote to memory of 4272	3704	chrome.exe	105
PID 3704 wrote to memory of 4272	3704	chrome.exe	105
PID 3704 wrote to memory of 4272	3704	chrome.exe	105
PID 3704 wrote to memory of 4272	3704	chrome.exe	105
PID 3704 wrote to memory of 4272	3704	chrome.exe	105
PID 3704 wrote to memory of 4272	3704	chrome.exe	105
PID 3704 wrote to memory of 4272	3704	chrome.exe	105
PID 3704 wrote to memory of 4272	3704	chrome.exe	105
PID 3704 wrote to memory of 4272	3704	chrome.exe	105
PID 3704 wrote to memory of 4272	3704	chrome.exe	105
PID 3704 wrote to memory of 4272	3704	chrome.exe	105
PID 3704 wrote to memory of 4272	3704	chrome.exe	105
PID 3704 wrote to memory of 4272	3704	chrome.exe	105
PID 3704 wrote to memory of 4272	3704	chrome.exe	105
PID 3704 wrote to memory of 4272	3704	chrome.exe	105
PID 3704 wrote to memory of 4272	3704	chrome.exe	105
PID 3704 wrote to memory of 4272	3704	chrome.exe	105
PID 3704 wrote to memory of 4272	3704	chrome.exe	105
PID 3704 wrote to memory of 4272	3704	chrome.exe	105
PID 3704 wrote to memory of 4272	3704	chrome.exe	105
PID 3704 wrote to memory of 4272	3704	chrome.exe	105
PID 3704 wrote to memory of 4272	3704	chrome.exe	105
PID 3704 wrote to memory of 4272	3704	chrome.exe	105
PID 3704 wrote to memory of 4272	3704	chrome.exe	105
PID 3704 wrote to memory of 4272	3704	chrome.exe	105
PID 3704 wrote to memory of 4272	3704	chrome.exe	105
PID 3704 wrote to memory of 4272	3704	chrome.exe	105
PID 3704 wrote to memory of 2636	3704	chrome.exe	106
PID 3704 wrote to memory of 2636	3704	chrome.exe	106
PID 3704 wrote to memory of 4992	3704	chrome.exe	107
PID 3704 wrote to memory of 4992	3704	chrome.exe	107
PID 3704 wrote to memory of 4992	3704	chrome.exe	107
PID 3704 wrote to memory of 4992	3704	chrome.exe	107
PID 3704 wrote to memory of 4992	3704	chrome.exe	107
PID 3704 wrote to memory of 4992	3704	chrome.exe	107
PID 3704 wrote to memory of 4992	3704	chrome.exe	107
PID 3704 wrote to memory of 4992	3704	chrome.exe	107
PID 3704 wrote to memory of 4992	3704	chrome.exe	107
PID 3704 wrote to memory of 4992	3704	chrome.exe	107
PID 3704 wrote to memory of 4992	3704	chrome.exe	107
PID 3704 wrote to memory of 4992	3704	chrome.exe	107
PID 3704 wrote to memory of 4992	3704	chrome.exe	107
PID 3704 wrote to memory of 4992	3704	chrome.exe	107
PID 3704 wrote to memory of 4992	3704	chrome.exe	107
PID 3704 wrote to memory of 4992	3704	chrome.exe	107
PID 3704 wrote to memory of 4992	3704	chrome.exe	107
PID 3704 wrote to memory of 4992	3704	chrome.exe	107

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Users\Admin\AppData\Local\Temp\2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-05-21_10084fc1d1ba34e6d37c15ffed67ea8c_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2e0,0x2e4,0x2f0,0x2ec,0x2f4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3704
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffd77c9758,0x7fffd77c9768,0x7fffd77c9778
    3⤵
    PID:3964
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1656 --field-trial-handle=1860,i,16080431152474399098,15675321865570148870,131072 /prefetch:2
    3⤵
    PID:4272
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1860,i,16080431152474399098,15675321865570148870,131072 /prefetch:8
    3⤵
    PID:2636
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2240 --field-trial-handle=1860,i,16080431152474399098,15675321865570148870,131072 /prefetch:8
    3⤵
    PID:4992
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3204 --field-trial-handle=1860,i,16080431152474399098,15675321865570148870,131072 /prefetch:1
    3⤵
    PID:2076
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3228 --field-trial-handle=1860,i,16080431152474399098,15675321865570148870,131072 /prefetch:1
    3⤵
    PID:3292
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4560 --field-trial-handle=1860,i,16080431152474399098,15675321865570148870,131072 /prefetch:8
    3⤵
    PID:4516
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4656 --field-trial-handle=1860,i,16080431152474399098,15675321865570148870,131072 /prefetch:1
    3⤵
    PID:1084
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4768 --field-trial-handle=1860,i,16080431152474399098,15675321865570148870,131072 /prefetch:8
    3⤵
    PID:1748
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4576 --field-trial-handle=1860,i,16080431152474399098,15675321865570148870,131072 /prefetch:8
    3⤵
    PID:4672
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 --field-trial-handle=1860,i,16080431152474399098,15675321865570148870,131072 /prefetch:8
    3⤵
    PID:5724
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5184 --field-trial-handle=1860,i,16080431152474399098,15675321865570148870,131072 /prefetch:8
    3⤵
    PID:5732
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:5560
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x24c,0x250,0x254,0x228,0x258,0x7ff6ce247688,0x7ff6ce247698,0x7ff6ce2476a8
      4⤵
      PID:5772
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      PID:5952
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff6ce247688,0x7ff6ce247698,0x7ff6ce2476a8
        5⤵
        
        PID:4908
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 --field-trial-handle=1860,i,16080431152474399098,15675321865570148870,131072 /prefetch:8
    3⤵
    PID:5688
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5572 --field-trial-handle=1860,i,16080431152474399098,15675321865570148870,131072 /prefetch:8
    3⤵
    PID:5748
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5424 --field-trial-handle=1860,i,16080431152474399098,15675321865570148870,131072 /prefetch:8
    3⤵
    PID:5944
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5536 --field-trial-handle=1860,i,16080431152474399098,15675321865570148870,131072 /prefetch:8
    3⤵
    PID:5324
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3752 --field-trial-handle=1860,i,16080431152474399098,15675321865570148870,131072 /prefetch:1
    3⤵
    PID:6700
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1636 --field-trial-handle=1860,i,16080431152474399098,15675321865570148870,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6512

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:5036

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2656

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5028

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2352

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2412

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5096

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4384

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1176

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:988

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:556

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3304

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2800

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3908

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5172

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Checks SCSI registry key(s)
PID:5248

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5340

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5496

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5656

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5968

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5980

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6020

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5164

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5700
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5676
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:5168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4088 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
1⤵
PID:4388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
b7daecbd1b850a2b9ed0d87b44a04b4b

SHA1
256722fdcacbf267bad549d62a47e8c6722bb4c5

SHA256
1357d556004ec36655c67a1577b1b2fb23e0082dfebf9251014c6809498d9bac

SHA512
0f680b2fa9d428908703abc77fd5b822e4ecf560df26c98c72b65bca3055c86d84211d56425a8864eca54172693ea92edb853b60f2a19d04d55d943dc57aa416

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
9f32ea5e158d8dac235e052ffaff7922

SHA1
ea4afeea1c72f5f8f720cd0c85b037b071c0dcf7

SHA256
a5a810267770e9419c118e54560cd69e3f8377d711532ca99348b1d6c35fa157

SHA512
6b6cd925fef05bc1ddfcfa4c16c350c9419d3db2f3f3964ac55e37087a6369f372ed8e92d0933212e8c79feb2c3841b8f79b5b4764bee1e40c370bd6ed1c7a7e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
2e29ade6a54a5d061c97e3c9a1668243

SHA1
0ce301342195a4ab509401c4a9e3041983dde8d2

SHA256
144f492382938a524d3e727ca614b7f3c3a5c43f6b3b8cd06766e7aeb1ee27ae

SHA512
0a5cd5de975f380df5753a793e3726afe82bbf5e613edacc16b925456cca390b5e1fa45752eb872c3891fb6dfa6b55901630095ba3ee03fb4d3df0fca60c1ba5

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
bfa6e56c7c2a3ca6ea21ed49523cb513

SHA1
8fa6fc7d57c21848db88f9da86a29bd237b19a2f

SHA256
9c76402be1986115fe870ed86d4d26939e3466050f1698946ca1149d3604b5b5

SHA512
ddf6b9555a329b6457d606c79d41d9c1429a5626854f3c4f7f5abea680d87a4017213150243463058a6efdbdb7be44ac66938830b2f93b5ff37e7030ebe22209

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
c1db61182b757e4709eca7d18de57521

SHA1
ace21379e68a77bf412ea158d579bf1ea9339226

SHA256
1009588d7d0df9d24076fe8b8e08f0ced265ea00186e9d0c719f77f74aee615b

SHA512
967101eb9bb7e96e0286f2ab42c57f5bc58dcbc9d618452ec8941904b9d6c7b46dfb2f6fe870a109524429ab0685f932eb5c8c7a4c819dcc8251b9c8bee27efa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
40cc251a5c1114da72de1e78c48d01d3

SHA1
601e32d291eb9293390cea9d59f544542bfd8fa7

SHA256
cd1ab2f3a6875408aefcf41b6c31c6687525875014acee617302737ba29ce8e8

SHA512
04b70da29a979f0c2b2bc40db1f231abe0851b91786914cfcc75cc7719c9a8ef3b78122efc63d842a71e44b489ee831680b11379f0da32495433f51aa3010919

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
7f1e66376227835584b4617c5be4bb05

SHA1
b69faab03bd975ef343fef809cfc392e3ca269b9

SHA256
3edbb437aa9929c19ae35921884e7afdc41ec65ff1c63d34e9a83c7ab90e4f59

SHA512
0f1cb03009282da83ba56ae8d34e66af69093ba83816415a530c02767c1c15e0ceb173ad1fa4f97c0e821e223ce4de40c729fa70c50c8fb9c0a8f019ac8c6e94

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
b03f3a1f6042dfae2405da166b5613a3

SHA1
50107069bbf0fc2b4f912bab28fd8315a3a5861a

SHA256
2d87c81a3a92afcd5f8d9be17f257d2add2983d3486834c6c9d461bed2e88c78

SHA512
11bc649c338d7a07d613ef50bcd751f5234e7da3185ee674b0a2cd44d3932334a7eb310e95bfcbec26b51da00b3ff4598858025b52a4133079b0c83fd46810b0

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
bbf1dfd5ced033f5a71ccc6157cefc1a

SHA1
1fc0055eb8c3e67c352a9e82981787c218c9f3b3

SHA256
b3b636c0a3b65ceba386cc19583c5331a1daaee99f88f4c2b0fce57698db3bfb

SHA512
3e0a66aa52a320e5a198484fc46e553897951dbccd239047b41e0e3e787edb9de7ae73f93930145986fb876f65fe150a93185825bb9326151e1c6a7d4546d73d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
bfe0b0c8ab324b6819ff1af317f3aa3c

SHA1
e8921d5152821dcdca0a23b362f12e886612dd05

SHA256
63589ddb376c20b3864c56746a799208e081a12606c564ba517af9053688f921

SHA512
b844df4aa96d0b1a9ac2a714e2fe3419e076897ac28c86d9ee2f0093aadd193105e71114c1320dd502d57969eda5ae032baf899a6dcb7a5faf02526d345fb956

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
cddd36339231e77c5cc08c6ae9872f9d

SHA1
47d16c8ceacb3260b529e3c304f12ff40e7e82fb

SHA256
6e6a26504cc343cfbf6d85b4479930b7daf1e340690894415872960a7be1c673

SHA512
b5b1eecbe09588593b21df01f20b3ab6c5739f2d1720df02bd0c62a46e9641f365904955948ab1d3828646bd7768af35c56937292401fde2bd32b5b62cf7c4cc

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\20240521132542.pma

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
5584820ae2c98c9e2ce01164366a1ee1

SHA1
120b68f616f0ac5eaaf21d026a9754093a2fbc54

SHA256
495405a4010f08957c156ab51c8f71bb6fa41c343dbc3216af94d44f21385b2d

SHA512
3fbb811fc7ee75710c7af7e51575ebc1dcb58c83283860f6348acf5072d94d84a9a75cdc1f921b1468e55fd0afaedfb5b4483a78f9cc0975cf0f730a394e984b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
33239cc8c89e697ea593a4db7dd1ab99

SHA1
3e558eacc1c66b632796c6184147afeca194a0c7

SHA256
596614846d20b6d7c9f31f640165da0b5a435bb9a69b4b2076b49cb470c591af

SHA512
023d5ed725e86e1adebe8b5186b1b6101a677c0b68c5b30c9ca31c6ee13a39c12373b13863ea1617f0d4f7d00f091ef1da81ad7be4cbce924de6089aed477506

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
333a442e235ec6cd1b7bf558c1639793

SHA1
e9ec76f4cddfbcc4d2dd0b54e3f919c739ecbe15

SHA256
2e93f469c077e2b33c102f3f3c99be11d3d7ea2a27f92da144c1dad52dc0f8f9

SHA512
62b8bd4867338d97105db5d4a3082edc6d4e17c74536caafc70b57beb658ea9b26dfbf750358ee721ea97299565ec51a2335c660cb07c11c44778ab68a0c13dc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
40f7dd0ec466aeef58b1b69878a98878

SHA1
b07161328ffadadf4f70c5a74441e5e5c3a6d7f9

SHA256
5eaa225272335b016a13ffa03fa85499d8df8a8a4d406d67bf3235e33a61067a

SHA512
3f8853dbbca5939af951a7c18c8e85458591b53dc6dc6a2dd924695a3eba98a13c5117278c960f045f220847e1d0cfb8f49846e6fbbfb396428e6b701cc6d314

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
64431b7f92174a52ec293b8656c52412

SHA1
9c59f15c440763ce9ae0f750c62d810429a34f41

SHA256
cc792eb7d81103c8f6ca2ee24d4d0bf3e53397b8afa1f3842f3a33909250dc37

SHA512
e66fa2630b237acf32d18e5f2ee68af8dae5c181fe7b94d56b2f69e940f71ba8c48b6513bad98eb78a701d099f90ffd996a2d7eafd489749a4024f1496f6b3ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
3abb25b462b501f164ed2675f926eddc

SHA1
73ef9e662c34a7c7518e6128ef3b2c88a4b2545f

SHA256
0a7faef237c37fb458a75b89ccaebded29adc6509c532caccdf5b3291b51c7aa

SHA512
2b9f51c670de55c975644280a9b232ca2e1b77662d7f41402e34fcd5dc4bcd7a03fea333118753cbece7582f675e89c4dff2863e9597b0cd1c428f29833de165

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
b28d0d59227ce48ba06ea76277a452d7

SHA1
54b23042ce435529fb3b4e7d078c259eeb841bdb

SHA256
1daceed6abe77030d24a39221ebcb1a757c544bbcf1d8e2c5422f71f1c633c74

SHA512
c9868f1dd8d0d9dce43a8bab4ec37755b4dafc177f692202c7eecaec6701e3553fea0a26978bab507e421071b1b061c6565250912ffbc8a9bc7e6fa74c237007

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
f208938fcf5ee3dfa5e94d2a73319d11

SHA1
696d5e457e3b681769ee1079cc0117136c2d1586

SHA256
0ed19c92dbbd6dda8e49bf1ee70b92f6c54dd7f4eff95b93b7c22f5019df6f28

SHA512
e439ffc7527aa11b73b8e11338335927ca2a1a8ca342db675b6e7d543e0ef2f5bee3e4605a779c006d646bd826965f222358460c523ed8bd4294ce38ce12269d

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
8ec1d13d286582d9651bf1854476811a

SHA1
30493fa1b845224830b39adfd5addf170daace41

SHA256
229159cbfd4b753b9b124d69f1e438bac8f876cad6b29b8ef0ca24976ec232af

SHA512
75a0bc27cdce3647257c1aee00618587fb3b1e824efd04a0437e18968bd32fff5d5dcd2dd0a4541d830fca6bf19ffa9a124fbf191839fcc8e767a39f0966b29b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
85cfc13b6779a099d53221876df3b9e0

SHA1
08becf601c986c2e9f979f9143bbbcb7b48540ed

SHA256
bd34434d117b9572216229cb2ab703b5e98d588f5f6dfe072188bd3d6b3022f3

SHA512
b248162930702450893a112987e96ea70569ac35e14ef5eb6973238e426428272d1c930ce30552f19dd2d8d7754dc1f7f667ecd18f2c857b165b7873f4c03a48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
59d4e5f9bbf431375c6d8d8fab41ddce

SHA1
80634b0179954a678aee5f1206e3d2d5b8fa8a79

SHA256
7e5a7fce271ec2534abad6c3db5e94b8279d86c86232295bcd1f512129168201

SHA512
1166d4e802f642bff82ed01b29d5da077184f7a57f0e3445bf5a80d57aec475d0ac3db63257c025b2a855a701c9b310364dcf24a3499a60cc8cb54ca7828b289

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
72da67e85f117c907a933e5d2a505648

SHA1
9d293749208d70bacbbca16179194df239b3d9a5

SHA256
86d3b9a388c561033ce617f8e4753db667d7445f7ea082ec64500bd3504f79f2

SHA512
53a6b8a5c1dbe42fe8e6252f09cf2f17f3793b1f7599175075b664eb5a44e7d4b0b1207517fcb1b6a43cd1553f3a8a2f5717aadf9a6c3b4b591ae8d27b551f25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
9d4feff54650d1ed2a620ce890bd2464

SHA1
02c42df5bf4e3d9b4359580dd824285de9dede8f

SHA256
a35353c43d3e48de740a8a3532c2793f8d76c38cb4002a6af33c701a62be99f2

SHA512
0688dbea4e807b2a8de60d467531965e73b91d85999623b138111af04d316f8bcd47601dab1b78cc7d6d2a00d759e8664cb8ef89ecf780df849320270f58b873

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
a9621030e5340380be799cfe62554ce9

SHA1
bc67e3dc38fed67b258ebcf56257d6c9d16c3897

SHA256
48282d8adb92de4462181d222c1766b00b16ca2413fc13fdecdef8e7dd0b7af6

SHA512
d8c1928da8d129ebe222cc9fc7bfcdf4425c1206e8ab2c4e9f7fa280591afd45800d74e6d0d3fafd3aed1273b33e58bfbaee30f7a9a63b01b8176e069c8181f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
46c4c805da4a921e7aab74bfc797300e

SHA1
438d692109271182e9321020ba0e536bed304d50

SHA256
9449e38107ce1bf06953eee2b9be52e49b7cbb40b12b8a9ad781ae1b2ceb60fd

SHA512
5fb6989866497fdae5e2595d09ab20bc00326b155832137ee904e6267e9b0dce609c491e5c6582aad83b8605cf69a583a796437b5b0ff59ddb4ef4617d357312

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
e6766414b282a32a8c5d6ae4a4ebf2db

SHA1
2ae21994af26c6ea10117b4006d2d681dd9da51d

SHA256
738648e9311e773e723a75d187f5873983a4fc93ef4e85deec1818a068ecb0e0

SHA512
dcace0ffc8aa62518494c193d624cd7bce67e704c0469ce36f3c857df598e99287098bf2ce8f48a9bce8adf708675ff7139bd7cd09c5ba44a9a71bc76d69bb0c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
90bdfeb4a13be429ce463a66eab3cbdc

SHA1
93f7df19e8219e60975e3c5650e6e5a4ee30b153

SHA256
082839f9eb53294959a236d9d7fcf4db65f3e29faeee2940b9646f4f7eddb230

SHA512
5b0d595dc7e9c0265c2305a0aec3c595d959801fe79a142a0478ea69987990eca5a9850a9e04e3996a7d4289062630c119cab938650b2ec19fd3442e159dfdcd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe58464b.TMP

Filesize
2KB

MD5
04695aadffdaf28b5be826d27d48721a

SHA1
ce79df7c80926a86b0e1a922a05bcab16c7620c4

SHA256
0bc76b0a74faa8d4d25cfa28127c42750e86004af7a10d590e07a33a89726b51

SHA512
aa3438c4a09ea9c0c52dccb6cba636ac99c11b47a5b78317869823d6c39bfdfa304f40e67867b8ca9c4269efaba12431ae59a1d54c671f38acb9e4fe3d23da54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
10KB

MD5
cb18bac36723d8b726ad32418fb6d2ce

SHA1
66dbf5cd7ed792e1d577d0bbc63b5ed19ffa0a74

SHA256
aecf381d83705201f294eef0468a0e370e2a2f578bfb487fe57bc8c46cd0122e

SHA512
702efc9f3340027a40625b8be883235f16ce6f3dbbdb5b3079583f573dcd7cd54a66470b7d2e6c370fff3109cd253d0459dceca8f0da20ee945ff5e95fb18a3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
13KB

MD5
c6412e61ab98e73e75e8b1d79af6701a

SHA1
a0ac0c83cafbd5e027354cf840b4f070e99751e5

SHA256
b9922fa0f1a3201f2932c6cf2915712b9d0b47cfe0bb3d6a3dd0dfa3dd9746e9

SHA512
00d29312566657bfc8770f0dffa640b52a2e513d71127ea831a794d8be3ba041b8a1c42d4f987895c4a183e65beb8e3b9955bdf282a6ba8af35cc0337a3774ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
268KB

MD5
6fd24affc753ba01b262cf56f3c67e2a

SHA1
9d6495c8346f21a26c45fea92f47a8d572dd7b43

SHA256
49ffb85c2a8892e42341d61f17250865314abe2fb00f3aa518713c88871785c3

SHA512
500087910308887846b2faf9d747b927413003c8b2dd799b3d44c0fd14d9462fdbc4e7128ac3e5f2472fb11fdec66043d1ffe982d9a47b4fa701bfd4a6078d9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
4KB

MD5
0313ec7b90323f709f784a3d2a2b6a0d

SHA1
9fe03bed80823b7ca918c5f354eecf062adb6378

SHA256
7c81bab83634af8a361cb4e8bc770ac330b24fa7f52c91c05bc80ee01c162d73

SHA512
9204deeaadf007dabe23a3fd1a299426415bb99ffbb81b2f7a5ff7e6c3d76508404254865fa0d249e674b0286c7cd8f08ffff1ee0247ffa5a19dab17ff4fbb20

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
6KB

MD5
ae02880edaf04369fb4e9b7a4cefa000

SHA1
89cb5c55fc611da76aea3ed3010ffe5b6cd59241

SHA256
b5037682862c020c04c7c773f4e56c3e0670ad8a8b1977cc6e681b7978b49f0c

SHA512
0e340f96ab7bbcea865ee66aae838417bf017a151030db82dd350f1098843ead64382345f3b3ca769ad80c426b4610cc6280c0035760cf9eb88eedcadc86ac08

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3704_1035298824\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3704_1035298824\a92b61b0-3cb8-4a55-a2d3-1dbe7fa4ae77.tmp

Filesize
88KB

MD5
2cc86b681f2cd1d9f095584fd3153a61

SHA1
2a0ac7262fb88908a453bc125c5c3fc72b8d490e

SHA256
d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c

SHA512
14ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986

Download Submit
C:\Users\Admin\AppData\Roaming\865776ddb3e2edcd.bin

Filesize
12KB

MD5
1d989b5bba9bb43a74819b21fc30464f

SHA1
f8177dbc9c5b6f39d9faa54f17c702aa627f83d2

SHA256
f545b251dce9a58f3cc7fa5901cc57e69a1793d910f162508032f8661f6b7f09

SHA512
c0577d3bcfac66763d4484b4a2bfd9eac72cfd49c8dfb06711887b5bfb5b65deba745ca91b0afcd865cdb8be797684685ddde2c33b5f3c1102696bd883c150bd

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
de4ff5d4cfe825dd617168b1e44fe91d

SHA1
914a78cae180348e39b828e19fd23172ecb38468

SHA256
a59a7462551374edee52b151a8248ce062d3aacefc7642153ee28e6d0998fdf0

SHA512
35caaa3aa20f6867217652669f0b26f9370c1909f7a0c19e2b6355a884a969e27fd66da2b3fff834c75040a4336b2fbe1015deb5b4198fd8452b3aff9ec458a6

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
1827ba92a3518d08fa9ca2bbd0828d3f

SHA1
0a60180a1bf76db6305c407e7b572b42ef83f8eb

SHA256
59f32079318f43a7c4097c4df6ceb9b5b7e4f711967f593aa151a96668d9036a

SHA512
6de5884848762efc58ef70ee52cea5b76dcc7488760eee240197d5f2d9af6742b6704f41e5c80d4b7d0677c81c30939cc385b8245326baa646d21a8236d9f8af

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
986315aa752c10c5d1dcad557942ed1a

SHA1
82a685afb1225136e6579a440a1f7e7b449bddac

SHA256
9fdce0c76d422b9e35be1b653ed4ff297e47d7c02e15decf1229514cefbc2ce3

SHA512
e76c96dcc9f95f73f699d6e6bef0958e676499c47bf2ad98418279c6992bccf478d8e85ddab846ded80a20922732399d38e1d7a0010b1712316fe0b2df6be51b

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
133688cb19d013c9fc92faa3fc4e771b

SHA1
5bf703d7dc1dd359771f1c20c3653e9749618a37

SHA256
d45042d6427736113e475d04e1f0bd7eb0f7d708fce35986b9db02844c64f88c

SHA512
b2bdb49b4d1a677d315c3a2526d55c6678b3f920292fa01c0ed95527bd39435134b32c0a64d379610aa45c2502d78c6d39953f3401a7dc68cd3abbba8a69763a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
cbed61f9271667870682a64e45d12281

SHA1
61e57ea09099af17ccdf70741677f37995b0891f

SHA256
a9313625c05c1b1949dceb1c4b9c17f479c43f925db32eb19dd78a5a91ed05dc

SHA512
f130071a6f222389c34c93103fdc0d50833419d62bdb5fd800c5fa06e63593c617ae4c95d8c5450e8daf5a2bb4fa1689992ca55f1fc21ec3a2ad62f8be008005

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
67ee8ea9320b52ebe03b95c7990e2a60

SHA1
410fae4c20d3ee9cee4bea517ccc5336edd72d71

SHA256
27b7095bc11d2900af5f1ec508a24baa1336f83071c386bd9374bf9362b39640

SHA512
e31cf73ec878fb0cd51dcb2e271572cf18debd0d9dd58b793f0ba825da3f7b2ccb4dd6139f9c5f1d3591f6f7a238d61b8dbbdc4a823fd9e9b14c213f03e30aa8

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
3833e62876abe73489217dc545493f0e

SHA1
dafaed61529ca25241b10c0c7923662524a6afc4

SHA256
ceff5ec6388dd0920ac387e421ea2c6d9cb912585a9f84d7de9399c19e665472

SHA512
c82752713c26ae6d2870dcf9bf030fff299ee9ddb28e9429eb49a417cc2441afcb6ca5644f10b77a7669e2079e044ba3c1addbb9e7eb8a31671a94058133a9a2

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
3347c8209cc2f59a000727aeca0d706c

SHA1
7afe1c7bcc2bfdcfe5ec24ccd3126d41fcb2d5c2

SHA256
f7eec66616bd526f964ea6462d098bc39bc9bb2aa137ecd3110544aad2b6993a

SHA512
9699e5e11c11a52f2c55effc564f920f313afc85dc85e5e2a3c95639bb01fd1247b2c58b6ca2d9317377fb061078f1fcbea6f234a0b3e043acdaf3c1d660591d

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
dd5faa702d6c34223dcc1eee3d9ffdb9

SHA1
1437d5bba5efa8d384a9dbf8ea1720001377b8ee

SHA256
487db00f139c6536123ccabdd8b64af9af8e6dccf18483e37f32e700adfcb75e

SHA512
c6e31faa18a37c6e5a2743b78a01ee309c4b41c1050bf65c8c1c7213b6c42baad08dd327d8d3eb5886ac5657a5d684d013d7f7a97ee88571d8c4ea22f74e93a8

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
b5544cfdf162132a30dee2b6732f3191

SHA1
d8a4e30166d7889cb4d12d6522d2c42b746201c8

SHA256
3ddcc878908fb52df29a94af0ee571fde302a7c29bb4cce908c420083dec90d3

SHA512
01af5fd7d976ae73cc2aca545fd005976963c26d3e9662c9a7fd95b8e5931e9be93bc0aa8b55d7843993e249deba90d5cd5b95a038aa731a9583aaa2a7bbd2fd

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
eb46dd4d38b053bff277adaedfe2c331

SHA1
b4005535f20993dca51519f02ea0c407be462da3

SHA256
d67bf290ddb706d9d5ccf9a1a36d14fec05242c8a1282b3d1bccf329b1fd70de

SHA512
c7d78fef667c82e01cf862c044de467aa748237177c98ad69fcfd60f371b547802967bbaa2638a924281a0246d52997011199cf68016ceafd68bd9cdd9d4b624

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
1c5873d3992ff6a83a61972a726598f7

SHA1
38b51d5640cac3a7eec8bc3661931bbed52bf3f1

SHA256
35b1e9ec48731234943fc5e1c3e2b855fb12c2c1e807833ccf76178102386349

SHA512
78eabde37e38f852d705f52893c19ebc3edc53f5e4117dd38bf9e37aacdc4dd6bdd5eeabd80ba31f2cb24581e29a7ea915a40131c0826d165d56c033778cd875

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
e321ad32d3238a3389659c0da4361606

SHA1
754057d967fb4fc2d3d17b89437f81953e7528c4

SHA256
0a4e9e99579ccb1ea241907f4de536e5d22a464e1e3728f51ffa9b90b2314393

SHA512
4d467c1a5a324e34aaaaccf6dcff2ff254ecd7f1d862e60c2da6c1654cfe2fe537e9d0b1f456a06f571bfa81c72b7279e96e68b0fc514f5630faa7e5ff4e842d

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
0e1a0df5323f02fa141b11070035f203

SHA1
4662c48107aebe02429f78dc0ab4328f88ea9e8f

SHA256
169bdddd028372b9c8dc1bbc8bc1a48dce9089467cf7c3b5967ebc20713b1bb7

SHA512
5ef418e1f48b459f21f15f8462fceebbe5da2e16ff4cd02a614a6a508c1a9e28527c0d0778840600c85ba60d412de91e754b3aa0173ac4db70460367a2abc6e5

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
853c45852de3ce66989b1a8db8ec850d

SHA1
b12263834c740db77b9d43baa241882fe6884410

SHA256
42b2f2d7043c241869c37ba7bbb6f143752930645ac9427d2a938f542a94c95f

SHA512
5de535af829cc2948155ec51d8d51e7bb6f1190c104d8f3e839ccd445befe7c0b45c0487f4f35594c25bf36ca8ccdb522a70101de086adcc0639650fae7c82b0

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
95c6f8e7524399ae58c3bd651041e803

SHA1
ee470c540328fee687a3d8a3dc6c8bc2efcae10c

SHA256
935971e93f82957458ca061137f5f726edb0be10a49bdba270d0aed63bb12f50

SHA512
a528f3e2cfd39bd465214632d43bc67842347ed063c46ae94546e2a8b225a5c261a191ce514030cc1a8644d7aaa5cbf3df1b7776a3980f31c0be66759d48c51b

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
1b8b7986dc1e236ae23bfee5b2275f54

SHA1
fd8a1b862663b6ebfaaacca1cef16a0ff78d0f93

SHA256
f58f50f3ff381ea13ea0dceca8519abd084a5056e78bbe1bcb9b9d464e2a8ed4

SHA512
929e74abd8716dc46511c31808614acfabb38fb84e8bb5dd8d5f3f6c7c9d7c8eced3b650a80ae9d67e74955b10780d15face8c89aa517e6398d7b8c7babc8b97

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
ec771b4dc77a4bc080f0edc56930cc48

SHA1
a3c3b0096f1cf8bde56ca01161991b0d4c655644

SHA256
831206192d25f8f20fa0d88ca497d0b9c979d7a3a6eec209d7939b6154993f64

SHA512
8cd76eb93e92f5eb916f1064a88b59a70f2b5afa9d2f49c557cae5ca353e4758389d7a8f831bf98bc4ceeaaab713490b9e6e17adb0622bea4db0128c3c974a66

Download Submit
memory/556-144-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/556-269-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/988-247-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/988-127-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1176-119-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/2352-75-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/2352-77-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2352-55-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2352-56-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/2352-62-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/2412-66-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2412-73-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2412-165-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2656-52-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2656-43-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/2656-44-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2656-176-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/2800-179-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/2800-313-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3304-161-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/3304-284-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/3408-19-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3408-11-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3408-102-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3408-17-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3908-527-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3908-337-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3908-190-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4384-92-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/4384-103-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/4384-107-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/5020-6-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/5020-36-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/5020-0-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/5020-32-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/5020-9-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/5036-23-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/5036-143-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/5036-29-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/5036-22-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/5096-82-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/5096-89-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/5096-81-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/5096-208-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/5164-940-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/5164-314-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/5172-206-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/5172-505-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/5248-217-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5248-564-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5340-225-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/5340-595-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/5496-610-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5496-230-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5656-282-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5656-248-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5700-338-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5700-947-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5864-279-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5864-782-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5980-285-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5980-793-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/6020-288-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/6020-818-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download