b72bacf0396abcbfbc3c0c1117046713b16b7a6c72075319d8a0bba8a8b63a3e

Analysis

max time kernel
152s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 22:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
Size

5.5MB
MD5

2aabd48c61e1771144cfca5b5ba25d3f
SHA1

0e03853526a5db7c592753d319b9d7bf2da8ff32
SHA256

b72bacf0396abcbfbc3c0c1117046713b16b7a6c72075319d8a0bba8a8b63a3e
SHA512

c391b26fc0642cdc3bee0b3e973fc4bc9d3ae8c64f923883c3bf59653e4c46f2df971a24718c58614000695ef67a74dd981894cba2488d75def307c1ca7496d6
SSDEEP

49152:cEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfE:qAI5pAdVJn9tbnR1VgBVmGqo4w

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 21 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4548	DiagnosticsHub.StandardCollector.Service.exe
4748	fxssvc.exe
2260	elevation_service.exe
2044	elevation_service.exe
1768	maintenanceservice.exe
2828	msdtc.exe
3764	OSE.EXE
5100	PerceptionSimulationService.exe
2796	perfhost.exe
5980	locator.exe
6060	SensorDataService.exe
5200	snmptrap.exe
5216	spectrum.exe
5444	ssh-agent.exe
5672	TieringEngineService.exe
5344	AgentService.exe
3812	vds.exe
6000	vssvc.exe
6068	wbengine.exe
5588	WmiApSrv.exe
5892	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 25 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exemsdtc.exe2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\88531c7cb3e2edcd.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{1342F81A-D5C5-42B4-A5E8-933F7759DA30}\chrome_installer.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaws.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe

Drops file in Windows directory 2 IoCs

Processes:

2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchFilterHost.exeSearchProtocolHost.exefxssvc.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d2ff75ad99acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006cdfe1a799acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000045d2fbaa99acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006691ac9d99acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000450c23aa99acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c1ded99d99acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d91e49aa99acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133608914036215917"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

chrome.exe2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exechrome.exe

pid	process
2728	chrome.exe
2728	chrome.exe
1396	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
1396	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
1396	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
1396	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
1396	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
1396	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
1396	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
1396	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
1396	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
1396	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
1396	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
1396	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
1396	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
1396	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
1396	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
1396	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
1396	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
1396	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
1396	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
1396	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
1396	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
1396	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
1396	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
1396	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
1396	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
1396	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
1396	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
1396	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
1396	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
1396	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
1396	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
1396	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
1396	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
1396	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
1396	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
6164	chrome.exe
6164	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

668
668
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

2728 chrome.exe
2728 chrome.exe
2728 chrome.exe
2728 chrome.exe

pid	process
668
668

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exefxssvc.exechrome.exeTieringEngineService.exeAgentService.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2136	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
Token: SeAuditPrivilege	4748	fxssvc.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeRestorePrivilege	5672	TieringEngineService.exe
Token: SeManageVolumePrivilege	5672	TieringEngineService.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeAssignPrimaryTokenPrivilege	5344	AgentService.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

chrome.exe

pid process

2728 chrome.exe
2728 chrome.exe
2728 chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exechrome.exe

description	pid	process	target process
PID 2136 wrote to memory of 1396	2136	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
PID 2136 wrote to memory of 1396	2136	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
PID 2136 wrote to memory of 2728	2136	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe	chrome.exe
PID 2136 wrote to memory of 2728	2136	2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe	chrome.exe
PID 2728 wrote to memory of 440	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 440	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2648	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2648	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2648	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2648	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2648	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2648	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2648	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2648	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2648	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2648	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2648	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2648	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2648	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2648	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2648	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2648	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2648	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2648	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2648	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2648	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2648	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2648	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2648	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2648	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2648	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2648	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2648	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2648	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2648	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2648	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2648	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2648	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2648	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2648	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2648	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2648	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2648	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2648	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 5084	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 5084	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2916	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2916	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2916	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2916	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2916	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2916	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2916	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2916	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2916	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2916	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2916	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2916	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2916	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2916	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2916	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2916	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2916	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2916	2728	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2136

C:\Users\Admin\AppData\Local\Temp\2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_2aabd48c61e1771144cfca5b5ba25d3f_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x270,0x2dc,0x2e8,0x2d4,0x2ec,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffea4379758,0x7ffea4379768,0x7ffea4379778
3⤵
PID:440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1668 --field-trial-handle=1888,i,5195570423363093947,12863488947378720272,131072 /prefetch:2
3⤵
PID:2648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1888,i,5195570423363093947,12863488947378720272,131072 /prefetch:8
3⤵
PID:5084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1888,i,5195570423363093947,12863488947378720272,131072 /prefetch:8
3⤵
PID:2916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3076 --field-trial-handle=1888,i,5195570423363093947,12863488947378720272,131072 /prefetch:1
3⤵
PID:3644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3104 --field-trial-handle=1888,i,5195570423363093947,12863488947378720272,131072 /prefetch:1
3⤵
PID:1972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4440 --field-trial-handle=1888,i,5195570423363093947,12863488947378720272,131072 /prefetch:8
3⤵
PID:4992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4444 --field-trial-handle=1888,i,5195570423363093947,12863488947378720272,131072 /prefetch:1
3⤵
PID:1632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5024 --field-trial-handle=1888,i,5195570423363093947,12863488947378720272,131072 /prefetch:8
3⤵
PID:3352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5044 --field-trial-handle=1888,i,5195570423363093947,12863488947378720272,131072 /prefetch:8
3⤵
PID:3604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 --field-trial-handle=1888,i,5195570423363093947,12863488947378720272,131072 /prefetch:8
3⤵
PID:2012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5388 --field-trial-handle=1888,i,5195570423363093947,12863488947378720272,131072 /prefetch:8
3⤵
PID:4500

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
PID:404

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff630167688,0x7ff630167698,0x7ff6301676a8
4⤵
PID:1388

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
PID:3668

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff630167688,0x7ff630167698,0x7ff6301676a8
5⤵
PID:5144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5232 --field-trial-handle=1888,i,5195570423363093947,12863488947378720272,131072 /prefetch:8
3⤵
PID:5212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 --field-trial-handle=1888,i,5195570423363093947,12863488947378720272,131072 /prefetch:8
3⤵
PID:5220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5500 --field-trial-handle=1888,i,5195570423363093947,12863488947378720272,131072 /prefetch:8
3⤵
PID:5328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4928 --field-trial-handle=1888,i,5195570423363093947,12863488947378720272,131072 /prefetch:8
3⤵
PID:5816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=1808 --field-trial-handle=1888,i,5195570423363093947,12863488947378720272,131072 /prefetch:1
3⤵
PID:6064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2772 --field-trial-handle=1888,i,5195570423363093947,12863488947378720272,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:6164

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4548

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2460

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4748

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2260

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2044

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1768

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2828

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3764

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5100

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2796

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5980

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:6060

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5200

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5216

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5608

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5672

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5344

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3812

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
PID:6000

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
PID:6068

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5588

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
PID:5892

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5748

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:2880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4040 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
1⤵
PID:5428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
4d5c5b592798eb698ef3e97f7918851d

SHA1
79306255faa1fa49f0638786219b353a9cc55c53

SHA256
7210f766512cd666ac2394267d679b524aa9dd4bea05e26f80d587031c7fd77f

SHA512
5c2836cbdb274a22b6f6c336ffba185bec13fedee104f90d3d8b21f2f395c533548312744df09379b05c4649a8a613635109bead0388fff2bd519ea6ecc50331

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
470ad57aeea568c00c6dbe2982dfc9be

SHA1
4a21587fbf87c3098a8326779d8cc5b854b9c545

SHA256
b4b191dc635de2b6e7bb59f518a6446c73ce91c53ef386d11ed0fee53270fe94

SHA512
8f2dd79d52d1159527280cfd8cfa61939d0350a9a6a7033cd1ae565895aabe8f3ab4e7571493688e8104ab2cca99b4754d2909915aad03cb2b86fd8c8de931fa

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
59c2f790c482137c53332d7e953a05db

SHA1
171fcbf7872f41f9b0e2f79bf6cbd133c344df7e

SHA256
e996b03b23d4acc7439ea553d04455d4afe076f87e7f4dd05c35441c9ae82cd8

SHA512
79eb1d8fb72fc37d2ec40e2412e4ccbf4a6d3b02adaa29b5af12733f40ab3ef3ddf1c84a26bcc78829934652892fec96dc0255b2843242080e7d7530c56b185b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
4a4fe35e16feeb442dbc499a7964d453

SHA1
27c00d2744ac941a13466b89e4c2be8027fed8f5

SHA256
dd980988199676d2b4f1e6b0345fac132474c4cf933c23a01494399c55e35b8a

SHA512
8586f423ab36253ba60cbddcd454f2a208cd41ecf6e663f3f1f47707dc053462e1fa8dcff7d7dd996365ffde3f9f17601fe650d651cb62985c64e6bc98133ccc

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\20240522224329.pma

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
85cfc13b6779a099d53221876df3b9e0

SHA1
08becf601c986c2e9f979f9143bbbcb7b48540ed

SHA256
bd34434d117b9572216229cb2ab703b5e98d588f5f6dfe072188bd3d6b3022f3

SHA512
b248162930702450893a112987e96ea70569ac35e14ef5eb6973238e426428272d1c930ce30552f19dd2d8d7754dc1f7f667ecd18f2c857b165b7873f4c03a48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
64611a434eaee9b3119d74befa776ed7

SHA1
90428bd4ba29cc4c79a3379c5b5e432e64cf891b

SHA256
0aba1b0409a7299c18a035e8ffffc3cf616ca7b9743499fb1738e04e1074a64b

SHA512
baec196dc0b5095b4c1cc7694b77503fac4e131903bca942ff81eba70005c6b09ded13cc5a48a13c5575e67f1aa06806c014d15db464f9bdcee0bac5f10cb7b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
987628d4d7e4c99cda48e0cabca3a182

SHA1
251130e57cb8418709a1ece3733a40207e79c064

SHA256
468d5e9116db29276811b3e6ba874beb8688d103ec232aa08a95fa207d3980a9

SHA512
a962b7ecc6826eee7c03f5fe960285e6cef9812ef38b0492dcdda4c5dcb9c58c5491e88068927b9b186ebafdf78e2e0247ef1889a74e03adc1b9e82b03a25854

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
5e6e7517a1612fdbaf0374c51963fb29

SHA1
8bbf10c406c4f476f6e0890eb689c726f70d44b4

SHA256
f7f604d844d95703f5cf1f93ee2bbaa8cdf6aabe35dda15d147639b74b5037c0

SHA512
510503d5e06173d58ef65dcc2370d23b42cd87d3fed6f8f4bc947b6868316a36500a48313585b1361fe692f9b70b361ff722f43012a0641d09baf0f9e63daacf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
496e6cfff90871c26360766b91e30931

SHA1
2f25c6ab90f46cfca49366c31abc9a0c9ef285c3

SHA256
048917093b63eb5e7aa631ab27203a46a30735f166f3ba2aea59abcfa000074b

SHA512
e5ca6dac245bc9a423f7b31d5ff4143060d27240b6cce8e575e7b5a4558b98f2da874ce178c155a9e508a774127b1f6ffabdc23db1298aea9ccc681cd3f9d783

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
27b22ae814fc24fd3359d1a2d7ce92d4

SHA1
5ba05a81453b17e00ee7ae27542c9121bec492b0

SHA256
114b654aabcfb108b5d5f7ca56c293356c8ace4bd82709872535dac98cb498ae

SHA512
9e746c79e6507d5860ec5b433c1826d263375e609f4aa1444655cfb5e59b8701e67e8d965b94a10f06c7b32ea3b1707c0342c53531701160b5ee56a44d334918

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
37fb58a2111de96883158f7193782e14

SHA1
78123c41c0aaf88253ab7327bdc4058c9e8d7442

SHA256
94d93cb16970f8f7691919a5ed715156a7f3deae9063f6492ce58879bdeae7e2

SHA512
3cd097c25f7a58c6fb2d2366d55ea2951bef782f6e5fdceebbfcc21e28d0484a7ceea4f442de9e3f50d7a47d630c93e9430a265f5d3b41ed8cf520b02c5f1498

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57e697.TMP

Filesize
2KB

MD5
04695aadffdaf28b5be826d27d48721a

SHA1
ce79df7c80926a86b0e1a922a05bcab16c7620c4

SHA256
0bc76b0a74faa8d4d25cfa28127c42750e86004af7a10d590e07a33a89726b51

SHA512
aa3438c4a09ea9c0c52dccb6cba636ac99c11b47a5b78317869823d6c39bfdfa304f40e67867b8ca9c4269efaba12431ae59a1d54c671f38acb9e4fe3d23da54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
10KB

MD5
294be3c8402f94d641f83c15defd1181

SHA1
c90f44a1be8fb985c4e82a7edeff91d7087a5d65

SHA256
d452a5859408c33dcfab3e92b15f0a0208fd5ef18a9df12aaa514524f32194c1

SHA512
e30c1988d89a6de6ce39ccbc486b44760c898e8828ab9473889acccff91b204ed2dc2ccec864372ade2d64e363b22f07b5b94045b27ce65b8d039382ee96442d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
13KB

MD5
f87ba9c1efd82c50927f1c3aa03e7db2

SHA1
3a50995ea32c94a7667b56dbf6989bda04fa932a

SHA256
e9119b3c62e36038d8508da9fad15d0cc9c10b8b4048e281ddd136d78df9e039

SHA512
7272a9a5762fa402f85277f340e8a2b563278ee2345d36dea3c3d0425c1764930cabea9d6db82b9ef83df3786a6d7c19561e33f1420cbf16564ba8c199228117

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
269KB

MD5
9f2cfeadb7732b60aa408fd07a030881

SHA1
cc0c3bcd1c46e3308557c820159fed762be1ee9f

SHA256
ad1fc760aa7fd567e7b901d073abc3bbd5f122a466bf7f1dbb6eca37fced7aa6

SHA512
5e70d86569debd08fd98531768c422dfc84207a188a5fb28f5719b4e2da0e4e5c4848206f0e6b24cea82e86ce98aa48d6ef9eec6fb302dc6c6ab971de72cb6b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
4KB

MD5
48ddc5688d759211c978c15fa3fb9b8b

SHA1
fbef4e644ebc391c95db09cc77ebcafc87401404

SHA256
89d6c630fdd490fad26a712ce0bc77e2ef407926ab8c94445a1aaea5fddfddbe

SHA512
62b8fdb8f8ff74dee1a1f82aff7790fa4cfe010ee450c318971c97906819ec0eaa55a0abcd22ef850b664476384af58f19833f303d7a108c6c4ae186ec7e8a46

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
6KB

MD5
6a73c604218700b6c2f0a454ee21da4d

SHA1
74a68613aabe2575d4a49c94af42b3f827b8c178

SHA256
ac67c37624118cde5fe9363997a06779b946975f57bbf1f538ac89272eae04a5

SHA512
c1d91fcecdc766b57ed28ec4c9324774dc8e186c6a4a23685f76faa013d56ebf79afd31df803102d1aa4cf2e0fffda081d1fff771486e71004ae98661aefbfd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2728_1617071841\49556c1f-7bac-4503-8f95-609a59eeea8e.tmp

Filesize
88KB

MD5
2cc86b681f2cd1d9f095584fd3153a61

SHA1
2a0ac7262fb88908a453bc125c5c3fc72b8d490e

SHA256
d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c

SHA512
14ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2728_1617071841\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Roaming\88531c7cb3e2edcd.bin

Filesize
12KB

MD5
8c65e57e9ee045c637327449d4fe6f5f

SHA1
cdd43a76bbe741ffa6a202b6558f28aae6c39b8e

SHA256
2331c9c5b97519c77d30397b8a22a3b16ac5c53ca624cdbcadd8b254619599d5

SHA512
483abfbcdb6e5cb823fae58004be0d2d3f23a1015d9a7bb0c42a071eef0d96e0fe8e6c154508cffeb8dad0df4f38adc1dc0d7d7ab7444239216b269ea5878b1a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
6b95b838c188a728abe9e675a9ab4fe8

SHA1
6da86abcfa9791d5f30334cb08f9fb15317cba96

SHA256
f49a3dfc66d66157dffb16024f686bd5945eb9f634292cdbab104af548e775c1

SHA512
43621081cc22d24521a8117b565861afd7055ccfbdad5ebbd41138d5dbacd7af72db67c5b50cb2078d2f86cd3e99bc749df388df018d20127c24d0c128a8ca9a

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
85633d45b5f479a4bb468d86428d9836

SHA1
bc72a702c9e4122b99dc6b0c70c1d848690df365

SHA256
5e60a9bfc71c42a93f385fff8741581069adebce862468d906887bc07c02eb37

SHA512
b46a66a7a5abc12064b8ab66c4a5a985b7ee7b2c9ba98c2541ec1c936b34afa5fceeca67b273ab4e7dfb19effe8232f316c0909a7909b10d845d464afc0dc693

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
215e1d670e1976dc4f62b39302edae78

SHA1
c50a628af6a43c9a7950d8996f3fb513d27921f0

SHA256
4902c34e0a78c4c44eb49df52bb19f4bb493146e19aafe1d1dedb2c45922de98

SHA512
f8671747a084c6d1b9c480f2700795546fa37ec00efe40b6bf6440a87ba459b24d6b5a8e62283523860e64fa2c9797e9dd0c396bd9f16281075cf6418025b5ff

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
eaacd54d9aa70e26139bdf3d9bba23f9

SHA1
0b2e81173d91d08c144e7f8ae62b4b80c6c44a1c

SHA256
7f50cdc6540daec5f53f62c6169ea915b9bad51b034c687ef93834f4ffbf34c6

SHA512
7cf4109de0a0f0d8ca20bf7640fe4e0fad3af940442063d96b89d89c1cae604525abb9d8684a328a49eef03879acd4752d478304a42ef61d8c83c85290a4ec84

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
b336b9a0c9b52d419ac6371e53afefd3

SHA1
45d1723e1da599b62c061a13f0156af21cbca6f2

SHA256
8a9cc34406147244fc9ff89b5b73dc3c6db26136673d460aee3e2ab4a17509a8

SHA512
11c78df8eafeb76c3e182b59f56e765583e90e5ff88f29be94a9c77ffd169613e20ef52a979fe493bc2303b42429451e54c00b28469711a5b971f39f68d0431f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
9d13d1110b04c3765d5fbb5f30337817

SHA1
3d30229e2a870fcf098623daaedea74c5fe62aa3

SHA256
bee49b95c5fc5ff563f37e0c8533f1b9edb44a437b88f7ac87f191a4c8b43ccb

SHA512
5af1e66d36f4fbb843c92b92d66c976f01db9c2fd53a52bf5a838f4cede9fd609b7ec816658f4928c1c2d612e58563ae8d2cbc12392bb9d6ea6e9bade9c851ea

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
65caac4002df6e21bc69048d1a0e70f2

SHA1
56172c8176677213b7bce62581faedae156a86ad

SHA256
8df1c590df2983c05c4e09637d971600e5d25e7eba05d6c189325fba578bf1a6

SHA512
90a0f89eb1c8962acf4754177ff2e983d11ce31309ce0dc9e2e424bb6247ad0aba0911ed1607405070106150912e4887bb1781755411c8ab4b0e3614dc22945e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
6b3cc2c4885aec542995c5dbf607bafa

SHA1
eacc8799f09cf0f2a9d07c5a72fe9a04354ca610

SHA256
567198fdc6b5bef8f03eb90120fdbf1bad8295ee2196cc540c3194c061193f17

SHA512
c1470b4d336e976f4bb3ee2cd3688530a63735052a431432b42c58c45dfee5e14e465da72ae2f9c969351c35cbd3d2af00527d15805f3bb1831da814d5433eac

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
3e73c7e1ab4cca3a165d7b7bf7517fe5

SHA1
ea886974e71e94e5eb4545e174a9b1aad27b24d2

SHA256
43e40168efeb7172d3b4dc10e35ee2c9ae8f2d7be76d42e4ef3b76e8af04c676

SHA512
9fe0de6640ab3adb6996d2f7e3d8e3ca65a8e93acbb31658eed3cd724ef515585f0624d197d4e8fce0c2604108d87ebe8f22f0a92b813c7615cefec3b4da1f4c

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a91f2fd76c677444839394c5457bf610

SHA1
88e289b6de5e7cb58541cf5e5d36fb9730729858

SHA256
de8e448e5f824fe8048ddfacd7b7de6068c2f08681f4f1a9b31c5e48fc413b8e

SHA512
8b72bea18690525fb1aa156de12b3dfa36697a956dfaa14f1e846bf85a8b88f403bb04d51e1371a96e121ab932ddad466e6fc84c44567c072bff91537908ca73

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
520e829e11f920eb9be60910b5e35494

SHA1
f2ac5d469a601b1afb3dfb6c0c7efecfee177249

SHA256
e347e767c1a862fa591b34953b76d700d245ea5bbecaf53f83330a24a5916419

SHA512
e5e2c83fc64d8d96df69fe21ec4191ff6268940e7c305a05fc15bf9b0497728ee7d662e7b7610d12c7bbfaee5ec010703643a2f54588042f0970122b9b374800

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
8a3677144f706b0905db4d6111989d04

SHA1
90b1ec337ebd5dfc556b667fdb6f9c49d5c93ced

SHA256
81dcb881d1e65c60676abbf2360ad8b7e19a900a48790d9d35d8806d0daac4f5

SHA512
b218509d0dea5de9f08fbd192f566b1651b39b4676577f4c45211be8563658bb204da3dd66a96d5f3495c5abcb01aeee62a5f42b32d921a82232c993016641ca

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
c42ac4bf53c3d7ee6d91012e2a16d508

SHA1
0a46be1289e4da79d9546d66fb6df3b38aab3264

SHA256
d509d5e406e9a82deba6204a43770d97905fac2666877a6c900f4db60c59437c

SHA512
d270ed28d127db0504a2792d6d3a06346b33006b25c539bdf6f261c7120551ae608bd52a295e5a3dba0bc865c8d0f2b2e9107294093e131161e8b6fcaa41a806

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
7ce6d4b15bedff6e2d5a90d0dc7bb0f8

SHA1
dd3f02a3451a015dbac848fc69c4cf7c9706506e

SHA256
0d84d7c7c943d0054051714ffa88ab4e948c5186dce98f0273d2983fc55730e1

SHA512
95587a4e5497d79ef74ed79cd5da259e5052ed367f5a3e30b4c8a3c87f6561d861a117131b0236ce1dc0987eac4490a50b9b33feaa7548e050057fb3ea86198d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
945efe5d952085c5988956312705532e

SHA1
00718918df4c9f4b411214b0289f0df2c9113ff8

SHA256
b2d1ff68910661e99d18e0a249061dcc1e729478f94c98842490d4fadfff717d

SHA512
3483683bede44142d867dfef0ddc43b74b89346117d667717aa3990a0b241da7c076ebb15f3edeaa88c0a05e01e75acdd204252b9d2c3231d1eba0d3c2382d99

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
b5ea408ec6c3dcf58517ae0b07adc471

SHA1
adb00392b4d04c6f01ca23464419f9ac808ce724

SHA256
d5a3f00fc44b5e2db3f18ee2bd231235ed048a35cfd6b9b5ab7cd5650b7413dc

SHA512
fbc57a788a16d916c6657656f05f5f74fbc1ace1206b5ca145af32fe147d924da6d38da34eb3974b388493e5d2872b9f58ac1ccee85129a509113488c972570d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
666dd61ebec59654632297b19ddd07c0

SHA1
de084b6a2995349214b5daf7e588568c2ba2f656

SHA256
d3a2953e081627cca72ae261a522ac3ca8eef739e5e9964092d19ef49615e19b

SHA512
637874f5bc46a059d41c6c74b075397a817fc67d34588649354b0cb7456b662c544e21acfc1ecb1c30d433bbd87ede255a8a951bfa2090f7e678d34cbfafc8b4

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
f616e6e25b42cf793fe83a4530831250

SHA1
62db43d8520a1ddb9e22e075dad5fc2eac9f7fd1

SHA256
3b0b09f29e2a7fa4fd4ae31507aa8860cfbaeb6d43f2f447b5a509bd6a257c72

SHA512
7a6aa6aa2e00e1e14e06cbb80c080877b035e62a41f318d44bdad393c748bace3c29808cf2f9c08031de126c78b5546f0975eca318e674602d3db206262249c9

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
0e1a0df5323f02fa141b11070035f203

SHA1
4662c48107aebe02429f78dc0ab4328f88ea9e8f

SHA256
169bdddd028372b9c8dc1bbc8bc1a48dce9089467cf7c3b5967ebc20713b1bb7

SHA512
5ef418e1f48b459f21f15f8462fceebbe5da2e16ff4cd02a614a6a508c1a9e28527c0d0778840600c85ba60d412de91e754b3aa0173ac4db70460367a2abc6e5

Download Submit
\??\pipe\crashpad_2728_CSCMUEGCZFGRNSUJ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1396-11-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/1396-141-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1396-20-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1396-17-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/1768-106-0x0000000000CF0000-0x0000000000D50000-memory.dmp

Filesize
384KB

Download
memory/1768-112-0x0000000000CF0000-0x0000000000D50000-memory.dmp

Filesize
384KB

Download
memory/1768-105-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/1768-117-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/1768-115-0x0000000000CF0000-0x0000000000D50000-memory.dmp

Filesize
384KB

Download
memory/2044-319-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/2044-81-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/2044-73-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2044-79-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2136-0-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/2136-6-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/2136-27-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2136-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2136-21-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/2260-68-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2260-95-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2260-93-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2260-69-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2260-62-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2796-225-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2796-403-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2828-343-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/2828-120-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/3764-367-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3764-163-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3812-688-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3812-418-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4548-42-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4548-33-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4548-205-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/4548-41-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/4748-53-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/4748-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4748-46-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4748-57-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/4748-47-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/5100-186-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/5100-380-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/5200-476-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/5200-364-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/5216-529-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5216-375-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5344-404-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5344-415-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5444-381-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/5444-535-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/5588-464-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/5588-787-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/5672-401-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5672-551-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5892-806-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5892-477-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5980-460-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/5980-337-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/6000-733-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/6000-429-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/6060-450-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/6060-344-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/6068-784-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/6068-461-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download