c5c3950b1037c6997b44520079c50194da01caafa68ad5f0f8116d9ac7711187

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 03:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
Size

5.5MB
MD5

459066679d92cf8c3be804d58b6154b4
SHA1

347c2102a19aba6b9275474703f9f9e924ca8209
SHA256

c5c3950b1037c6997b44520079c50194da01caafa68ad5f0f8116d9ac7711187
SHA512

a2997690d46eb8994fbe1f1d2f680928e022a3e5ffc4e9c8b92b7a6e9f498ed13e72e88cf7bb80079102ac7f1bd5b828afca5e6b7a051fcc467375a96dfd2ef2
SSDEEP

49152:7EFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfW:nAI5pAdVJn9tbnR1VgBVm669CEN6rV

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4200	alg.exe
2852	DiagnosticsHub.StandardCollector.Service.exe
4504	fxssvc.exe
3752	elevation_service.exe
1104	elevation_service.exe
2212	maintenanceservice.exe
1732	msdtc.exe
4304	OSE.EXE
3380	PerceptionSimulationService.exe
3272	perfhost.exe
1004	locator.exe
5208	SensorDataService.exe
5304	snmptrap.exe
5408	spectrum.exe
5568	ssh-agent.exe
5744	TieringEngineService.exe
5888	AgentService.exe
6000	vds.exe
6076	vssvc.exe
5320	wbengine.exe
5576	WmiApSrv.exe
5960	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

alg.exe2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\6e18eddeb3e2edcd.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{1342F81A-D5C5-42B4-A5E8-933F7759DA30}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaws.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{1342F81A-D5C5-42B4-A5E8-933F7759DA30}\chrome_installer.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchIndexer.exefxssvc.exeSearchFilterHost.exechrome.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bccd6efaf7abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bb55b6faf7abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d7eb2ffbf7abda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b1319efdf7abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007a989dfbf7abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000092ec4efbf7abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d334bafbf7abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133608220117058093"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e34746faf7abda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d8272bfbf7abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

chrome.exe2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe

pid	process
892	chrome.exe
892	chrome.exe
5044	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
5044	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
5044	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
5044	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
5044	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
5044	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
5044	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
5044	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
5044	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
5044	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
5044	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
5044	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
5044	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
5044	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
5044	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
5044	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
5044	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
5044	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
5044	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
5044	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
5044	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
5044	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
5044	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
5044	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
5044	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
5044	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
5044	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
5044	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
5044	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
5044	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
5044	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
5044	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
5044	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
5044	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
5044	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

892 chrome.exe
892 chrome.exe
892 chrome.exe
892 chrome.exe

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exefxssvc.exechrome.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1496	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
Token: SeTakeOwnershipPrivilege	5044	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
Token: SeAuditPrivilege	4504	fxssvc.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeCreatePagefilePrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeCreatePagefilePrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeCreatePagefilePrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeCreatePagefilePrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeCreatePagefilePrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeCreatePagefilePrivilege	892	chrome.exe
Token: SeRestorePrivilege	5744	TieringEngineService.exe
Token: SeManageVolumePrivilege	5744	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5888	AgentService.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeCreatePagefilePrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeCreatePagefilePrivilege	892	chrome.exe
Token: SeBackupPrivilege	6076	vssvc.exe
Token: SeRestorePrivilege	6076	vssvc.exe
Token: SeAuditPrivilege	6076	vssvc.exe
Token: SeBackupPrivilege	5320	wbengine.exe
Token: SeRestorePrivilege	5320	wbengine.exe
Token: SeSecurityPrivilege	5320	wbengine.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeCreatePagefilePrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeCreatePagefilePrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeCreatePagefilePrivilege	892	chrome.exe
Token: 33	5960	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5960	SearchIndexer.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeCreatePagefilePrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeCreatePagefilePrivilege	892	chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

chrome.exe

pid process

892 chrome.exe
892 chrome.exe
892 chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exechrome.exe

description	pid	process	target process
PID 1496 wrote to memory of 5044	1496	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
PID 1496 wrote to memory of 5044	1496	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
PID 1496 wrote to memory of 892	1496	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe	chrome.exe
PID 1496 wrote to memory of 892	1496	2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe	chrome.exe
PID 892 wrote to memory of 724	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 724	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 4476	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 4476	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 4476	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 4476	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 4476	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 4476	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 4476	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 4476	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 4476	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 4476	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 4476	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 4476	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 4476	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 4476	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 4476	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 4476	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 4476	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 4476	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 4476	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 4476	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 4476	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 4476	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 4476	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 4476	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 4476	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 4476	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 4476	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 4476	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 4476	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 4476	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 4476	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 4476	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 4476	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 4476	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 4476	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 4476	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 4476	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 4476	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 2760	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 2760	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 952	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 952	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 952	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 952	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 952	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 952	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 952	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 952	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 952	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 952	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 952	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 952	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 952	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 952	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 952	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 952	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 952	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 952	892	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1496

C:\Users\Admin\AppData\Local\Temp\2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_459066679d92cf8c3be804d58b6154b4_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2a0,0x2ac,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8b3029758,0x7ff8b3029768,0x7ff8b3029778
3⤵
PID:724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1804 --field-trial-handle=1896,i,15666247480490487663,18173476856186499246,131072 /prefetch:2
3⤵
PID:4476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1896,i,15666247480490487663,18173476856186499246,131072 /prefetch:8
3⤵
PID:2760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2076 --field-trial-handle=1896,i,15666247480490487663,18173476856186499246,131072 /prefetch:8
3⤵
PID:952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3068 --field-trial-handle=1896,i,15666247480490487663,18173476856186499246,131072 /prefetch:1
3⤵
PID:1640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3100 --field-trial-handle=1896,i,15666247480490487663,18173476856186499246,131072 /prefetch:1
3⤵
PID:3364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4472 --field-trial-handle=1896,i,15666247480490487663,18173476856186499246,131072 /prefetch:8
3⤵
PID:4444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4844 --field-trial-handle=1896,i,15666247480490487663,18173476856186499246,131072 /prefetch:1
3⤵
PID:4204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4924 --field-trial-handle=1896,i,15666247480490487663,18173476856186499246,131072 /prefetch:8
3⤵
PID:4628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5064 --field-trial-handle=1896,i,15666247480490487663,18173476856186499246,131072 /prefetch:8
3⤵
PID:2992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5068 --field-trial-handle=1896,i,15666247480490487663,18173476856186499246,131072 /prefetch:8
3⤵
PID:2300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4560 --field-trial-handle=1896,i,15666247480490487663,18173476856186499246,131072 /prefetch:8
3⤵
PID:5152

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
PID:5636

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff7a8fa7688,0x7ff7a8fa7698,0x7ff7a8fa76a8
4⤵
PID:5992

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
PID:5772

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff7a8fa7688,0x7ff7a8fa7698,0x7ff7a8fa76a8
5⤵
PID:5188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5296 --field-trial-handle=1896,i,15666247480490487663,18173476856186499246,131072 /prefetch:8
3⤵
PID:5964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 --field-trial-handle=1896,i,15666247480490487663,18173476856186499246,131072 /prefetch:8
3⤵
PID:5812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5456 --field-trial-handle=1896,i,15666247480490487663,18173476856186499246,131072 /prefetch:8
3⤵
PID:5176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4460 --field-trial-handle=1896,i,15666247480490487663,18173476856186499246,131072 /prefetch:8
3⤵
PID:5796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=2836 --field-trial-handle=1896,i,15666247480490487663,18173476856186499246,131072 /prefetch:1
3⤵
PID:6508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4888 --field-trial-handle=1896,i,15666247480490487663,18173476856186499246,131072 /prefetch:2
3⤵
PID:112

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4200

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2852

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:856

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4504

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3752

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1104

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2212

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1732

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4304

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3380

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3272

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1004

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5208

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5304

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5408

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5612

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5744

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5888

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:6000

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6076

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5320

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5576

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5960

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:7148

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:2300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3772 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
1⤵
PID:7104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
75c6968d3661c43591ea248dc76a5182

SHA1
08114d32658a1ededa7d6c87999df597cf2473cb

SHA256
c82892dad68a9c5707885db536d3f722b5fab11b1fab254889cc98c0f410da05

SHA512
3075d36423915523e088016dcfb09c09e67b2b8cf8262e35531d4369930a92aa77dd43dba37e707d095ff24a0ea30d6057787003d47b9eacac37ef551ad9af88

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
56e96176fe9d1d72e8c07e82ed4801bf

SHA1
4af64757ac8ae3dc2c154df7f949922694055c8c

SHA256
df7f8c0bf1e0c9bb28163807a6d13c2fdea1cdb66e5c247e86bea3f0c1637a32

SHA512
8a559cff9569bec4fdcfdcdfa907b00251801d277c8afbbedaa52fee1bb70d0e64a67fdc9099a2f44c4f2c3e845e580741402ac5b660da45cb7ee8a9c6b359a1

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
59b8dec70ecfcc4f12f4be2cb0653ed5

SHA1
81dd8af78225a2f642f4dcef554df9b8c47039db

SHA256
c3cbb8a46b9e67bf415ee56481492d202f678273e88c7631f20d9cdd4e51e2d7

SHA512
dfb2a304d2c938324f1390075feabe279f81cdb7fcba601fdd7441dd8b6a0956ec8844ddfc51e526584c53985d29bc55da4c448d9474fb1735a51fd623b09b80

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
0a5f6953225d5239c645ee11731d208d

SHA1
321f14e4083286e60e8c928c1dbd339e86a809c0

SHA256
25cfcbb21d2ed8cc01fdfee2bd4c3a339c6a2054eb2d4f6656476fda17d64875

SHA512
5ef5179591ff7d81ff6787d92b8614dbbb4f9660e66a9fd6043fa3c7553dfb6d4eb9caea3e8d83b1fa21c4d53ea00982f38fb25e7dbd2911d0168b770eb4648c

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
d5e7425f2276330091a56af2fea182e8

SHA1
eb1acaaf80d99d75d3128e66907a1e72195b6405

SHA256
fd4a0c323239ff897b154a51f4eeaaaab0e54f2787c8cbf64fae84e633f0c4cf

SHA512
63446a205e2b3ceb8e34af6140c4e32f8f79ae28b1063c26aaa50ef6dcc163ee24f58b5c73ae1477166255c2f6c1096b327d6baea6b77518d51c2ad517e3aaba

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
3a54f2c7ca7b057bb207bbc053fea0c7

SHA1
55abb5fefedb7819870da338ba41320432c6f7b6

SHA256
2fc2c323e344d20f60511de324fa4bdf9d6c3f6c918ec6b6a442b35474c047d0

SHA512
fef978bf431cbd8fcc3cf9692eb5ed29f714fcbd810e5dcbeb8d87e09f2a308d625a8205eff56516db8a5129b872bfa98fe633087ec475898f46de95243f42aa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
8403b01e00f56e4f22fb0ba10b91b6a8

SHA1
9dba7f5dbcffb9957b1f9cf1a34b897b21b01956

SHA256
f271e8836b4ce531296824443a2872f6ec57c093094f0a8ca5fb1ca2677926a8

SHA512
4e80bf6e3a2c0f9212e1343aec34f02cce53c827da845b26d12f2c5166b0c173007bdcb7df3fba820dd9c85615463fe3754c7b31dca1ec591c699fdea13213b3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
c3d4116fe38add8695d10b798b940db8

SHA1
ce0c46c8c86593ea4849b3d8e33b0126453bd6b6

SHA256
35e57203d4f51e63bc605e81b3e13255017aaab08ba5f1730241e097f5f06aad

SHA512
9a7f773038f1bc0d205779e665ba905ebc878e693e62dfb2f1f318fa6e6f55afeb7e5e50645c8f4d32259fea7f5c28f83a365d63d9483b1113e32778a5a11acd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
fa2636cf72a03ebb27228ac23bd43ba8

SHA1
ddc2365675cdce1e7769c24bb2f1d6a7cc605a34

SHA256
cbf01eca00a4f247f1ab02d9c43bf18cc412b659eee862485cb6718c2a8c7101

SHA512
8d0d641c0afbd34df873035188be7ce81c88dd58bca3e0164dd9084cea5a31e4b8b3ab793ce2834b5359f8b818f3ab47fe0fd67ffac82e5da98827950b3039f7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
3e659559c78a5c8cd71201b32fee7a10

SHA1
e3b81a0fd3736b6c6a5db9cbdb8e725c99c3f68d

SHA256
ccbc2f45f93ef5fc43ccd6bb20cf0a5af162263adf24040c19556aef884e3e3b

SHA512
ac5407bfa0edc21917a338995c7d2cdad06e74ace0837a3011781b26c43a802b5e9fae7211dc5ef043c7cf44e229b43a8b5ea513d6188de8ef26b0cba3b046e3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d2cfb40c252239e4cfcd48c653ae69e3

SHA1
f4a6c8a8ccaeda6ce791dd449fd468511a622b54

SHA256
f329acc71d8e6615c9d1f9ff86f3373ed5329fe45c550d8ba5c351bbf442b211

SHA512
5fbfe93d805406f21f27159ed4b9e09237a7bf06f05f360bccd0f0108a3b60a5cd67bcc82731270e61ba2a2d4b1fee36da86d71520541e327918d4b0284031d2

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
9d0a6aaa0ec6220f5e9bdbf5346b6ad7

SHA1
266920ac2dc080c5d6d2778796a9e94b033e91e7

SHA256
3c6090f22ee8d47a942322a2658e4ae0f4318bb00421d2f5327fee4e70336735

SHA512
64b314ad7f2c9567cb054eac9147d9a06d3eb2a0cee2a5e39f8d7897a3d4a5a31ac1e59f7d5fa84c9b28d165dfe2882c878e97c6a98825082fffd35bd27ff105

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
b9dc00a39b915d677ee7ba19d1afa55a

SHA1
fec5a12cd9c1f76f2eb6633502e149792c54109f

SHA256
f7ab3be1d8584faf8f27dc02e10568838ae37449c30c7bdd13938d0a3f601517

SHA512
79b1d7ff6356f7711e73783961c8a812bcf3c0bb31d69de44a7e55e0a612d2d062e1dee7d1c783e70561bb68766397b3c3e256f29851bdaff92be74f57a7a24d

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\ea9daa04-3eec-47be-9bdc-87872094b7c3.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
3e909ec51c40c25e3bd546367c7c8779

SHA1
3b4214450d0324638d821b4164cd177b5f6b70d0

SHA256
855337015979bc0bc47de24a23cd59104f18fd214780678b3a9c2e4e35e3e7ec

SHA512
8d74dcdfd591690c7258f37ce5f913748451a8d115155ba8726618d2c554103110be8440cc19f80b7854c9b8c744326b4bc2cfe5d376336198291f35589d914a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
85cfc13b6779a099d53221876df3b9e0

SHA1
08becf601c986c2e9f979f9143bbbcb7b48540ed

SHA256
bd34434d117b9572216229cb2ab703b5e98d588f5f6dfe072188bd3d6b3022f3

SHA512
b248162930702450893a112987e96ea70569ac35e14ef5eb6973238e426428272d1c930ce30552f19dd2d8d7754dc1f7f667ecd18f2c857b165b7873f4c03a48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
679081e2f2a541fbb9c6c0fa9fc74e09

SHA1
527c00323652ce42688db1623eac7bce62ff2c28

SHA256
f4da6db31af1d7330785bcd7dfcdec8a39a2af4e078f5aa674487014f1009c69

SHA512
13b8acd22bf62a80e962056e78c4c32dc95b4696ba6fbf25b6e56bccc1f33ea1ae98b534ca9063d8d72de242b884349c5421b8b0e29e36c5bd312d981fb9556d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
2ffcaa33253b59f3a24812afa8e13bc9

SHA1
5268db66d3529d6a0d9f20206791283f59bbc3d7

SHA256
0a38fb153a098ebe2cf6b149662acebf58098afb5ae5bd530602abbfffa74c1c

SHA512
09e2dd712d2387233e7e6131201ea053917ad847dbb03d7eacc84a12ef8db6f056b1d79565d9ec421f24eae04963b4e1a246c47b889eb31f79ca178e0e981589

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
7a202ddbafe8d8606455615606780907

SHA1
24b8910b8d1ffb980f432f363d53b56f4a4e157e

SHA256
f3b03093b2c099eccef7e43752c6fc43f9fcbf112f8cf7489734caffaa2a476f

SHA512
1b2af717e7bc1a64dd408f8996297196bea353da75e979f81519b62d654d7d659c05b942f300810f643e11faf21625a43a5a939be14b46a18f070d21bcd90f59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
1ddfede3c7ca1cdc829af1f59ddd22bc

SHA1
21511148835d00e491df1ff3417201a69aefe465

SHA256
fc828e31c9c4a79d97016d41a8eb6e2cdba77a31d65b3596fc50610d4c19a946

SHA512
7696739d60de6ac06027b4cfdf951ec0ccb4cf066a890eb6cc461e7f6ea78df98fa78d125f85e71d276e0b5f3cab805b3318a03b63c80bb96711923ddf7f18f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
8f39f71c69d658cded9573d8fcdbe052

SHA1
c59a34ec6c7f9be0b1e9ec921d8ef71d611d43a3

SHA256
c3fac379cd2493bd9941f51312c48756b17cecb2dedd8841d08116df6909c569

SHA512
6727033d7db50d57fb20b4c7c69e34ee1f49c77f50ccc18837f3d9e77806478f643a03ef40745f41a1684116ab382339cb91d415acd2934343754c3d7391a6b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
4f50abdf544235c8652c43fd7aa593a7

SHA1
5a3502a850082f480939cadb37e131f426d7442e

SHA256
7984ace9687488f56ac22704cdcdbf3181aab57058f9f7d1b4aa37d4be36236c

SHA512
92f0b135a211b80e7d58940cbdb8af8e0decb78101229619aeb5e94bd48aa89ae861038345f7b435bc785ffca009ea70fb24d90babff0b3452816af01ca2f4de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe58267e.TMP

Filesize
2KB

MD5
04695aadffdaf28b5be826d27d48721a

SHA1
ce79df7c80926a86b0e1a922a05bcab16c7620c4

SHA256
0bc76b0a74faa8d4d25cfa28127c42750e86004af7a10d590e07a33a89726b51

SHA512
aa3438c4a09ea9c0c52dccb6cba636ac99c11b47a5b78317869823d6c39bfdfa304f40e67867b8ca9c4269efaba12431ae59a1d54c671f38acb9e4fe3d23da54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
10KB

MD5
6e8fa7825dc9ed11d14e264271759b46

SHA1
70da8f85a7eba63047693b4613d571e0695c0913

SHA256
716f204651352e46344f389a6f0c343c9f0347d4af6aef7ccf054bf51890533d

SHA512
ce1827c13e2cf6a5898d1e0fd3a879887714c583cc6d1611e95d03c741527db56c9094992a5110eabc7a5650601b40760e22f0d24364569c52bc6e565236e37d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
13KB

MD5
e916f1c00f256cbb22469449ab23f923

SHA1
176a92f05c5b76cb41962e54a86604df57c9b226

SHA256
926b842a076a0685a9e395cec2768ef5803cc57791d05932b0482d78aefa0e6b

SHA512
90f578dcd359d8a01d7e1e707d8e8efb65e4d013e5d47200fd4e5c6808559bdb9811d75f0f17dc63504afe7ca057d48047373bb430f1c8fd7719ce8715fe4290

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
265KB

MD5
c34fd39f6b817919f8d322d025ce0a97

SHA1
abed0ea3bc9b2d5ecfa23b1b4b34200a3c77ac96

SHA256
7091717b80dc104743f98fe4ccd589c49f0b820cd37945a03a61c4ce53e087b7

SHA512
f2710d47e7cd6e2e22a5feef76e1f36f21a29edcc3a36f06d443505d767935cd18cd714b7408e5894b882472066b8cbb631dfd20e56a5eaed99f25214f24a335

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
4KB

MD5
b19bf5c0656b885bef37f5c821b1c39d

SHA1
c5d854b440f9463b2b77ff7227ea5ac1615a3b7c

SHA256
ceb8be26065780fc8e74ab56067d400f626b83f93ae5a907a60d0aaf2188d9db

SHA512
a7d614c5f4c6a75712148254a6101223ceed9db9bb0ddd6fca10cf1ae78cd0032ebe0ef703e9e2acb22215ffa198994f3c933997ac473a270e16e434b340d57e

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
6KB

MD5
3b6e07592aee4ade5a6839123aa63ec2

SHA1
8451c81850edd4985ac08e9bff2385839b78dcd6

SHA256
1e3debeba9f8c3bfa8256aa69c59303b016f3c842ea17ddb918d3e75f4780c75

SHA512
f49cd461f2c3b21c42225c889b20576797dc18e51fc614a8c338f3f793edb6574e65b0e52acbd6481c10d10d7e0bd5d1b293114e0fde2544ae765c09122e3014

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir892_1227851285\4a8f142e-0a5f-40b6-9db3-078e5f20965a.tmp

Filesize
88KB

MD5
2cc86b681f2cd1d9f095584fd3153a61

SHA1
2a0ac7262fb88908a453bc125c5c3fc72b8d490e

SHA256
d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c

SHA512
14ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir892_1227851285\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Roaming\6e18eddeb3e2edcd.bin

Filesize
12KB

MD5
a6aabc5c2ea4604dc72fd52256b78173

SHA1
a4ca3275b16990c001a620770d61a460a1a393ed

SHA256
9b38a92b40920c9ff89db745b544651060f96f7484643ad4322ff6a8cea7a57d

SHA512
c152a49ae1339b1606901a939649c8061408b643aae1a38ea715c5b8bd9892e0b1c4fa338ba41df41c21aeabf4547329857dff37775a312b78b9f06d47616934

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
66f156df986e0989096ab899f2d79f7c

SHA1
a9575aee0b817e4b975b6909f85cc62fc2e52436

SHA256
695fd581b16607266ce909c42100b4722ab5640a91345b6ff279a2d59ef362e1

SHA512
886e710bc58bcd71e60b78b4e7336d804f6ea38199ba8c7fab0b275b09d1f47b4f947b98e4732de9ebe8b7f4c2942cbaf073a96bd874a407f06a3ca611f8fce8

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
66f55cfbb6f6f441dfd7be742648d2f1

SHA1
81fee18057b75e65ed4551d2d5b49b501904ddc1

SHA256
e4904d70363e1d85894d938ab27a404df5359b207f492e3730474a3876a55a94

SHA512
f02f8533e7fd843c5bd903688bc1a9f28de0c6298ffe59b47b9c68e85f2240177bc2b9517d7a1730f147b25037051f77ba235055320a63376fb42c04abbbe442

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
6c252de1367ebce22a0a09e854868eca

SHA1
9d5202cc1b4853dd590c5bfb13d7ff0ec7efb906

SHA256
d459f22dc3f9daaa75e72e2c5e8a1bd707a0e6ef699d75c6b3e4d1865917ebeb

SHA512
4b951170db265dd948c46f6b2c69bc154efb00f1520b9bb67de5399fdf9baa8c11899c88f320c0352fd1ab5a962d7cf7fdb23dd73cdcfd1eb92243acc57e5078

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
f3b53d6a918b147bc4732f426d6ae056

SHA1
4359413089f1965489153f5c46f0df98731fccc5

SHA256
6c1ccad272c7c88a10feefed1f1b96b21a680767e707703df51cc82792a97b92

SHA512
9f63215a912fe8e0f6a5c8e276718db3e9fadd449b9569092a655a6f18aa32e13511cbcadc1c68a759eb64df82f2f9e4a7ec5a4c8f931f2dbce671c59bafbd94

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
3f161b6fc51a1f700386bfb492f7f00b

SHA1
1865f417c04743c6fcee1ba03216a190cd1d62a6

SHA256
bbfc5edafb43f0c3b09dd48ec5f7fc4e016e5cf216799d7e5105ca8e6c5c371a

SHA512
de4c74faa687c3017ec1143aa6d38b21d3dcb5077e0bea12232852e790e8654db70e1e67045f6f6c4cda3fc84f46f6c15b99b88cb0de21ddab2a5a5b7ad586bd

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
ac6effc3179819732eeb67b352497ac1

SHA1
6028509a17229caab7c5dc262a9df3d8ec2d17de

SHA256
51e05b467814c982885eb1ab9b90f2ad707db4cdab735144936c8142b7fbc901

SHA512
0242bbfb248028acc39db98def9e8adf81c8e36f92b24891c606342dc4b2d700a3b8cae8a9623de6caed12786a2eaf324eee41fa4a8af773ed5fa1a20d6f138a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
4cf746f2b8fa2e0b3652abfdb364432c

SHA1
e6c40b4926135527d561b2e79f036237d50dc1b4

SHA256
92d793783dc0faf20bd0d85187841126529ce8f8e5827f8769dbc4591c47bc89

SHA512
798cb1085056c8e0234a58dc1bc95a37d25dc52010d842c6734ac17b18876535edde832639cd100186ba90b1216f2210b4879f49d5b34003d6bbb09244c4f7e9

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
68680552c1c29e11f016fc798f010be0

SHA1
56f2669861059b825d1f6225022dc77e205293a9

SHA256
92252ea32903388c5338777190a70065894b130e15c2a6b0742abf505ebfe8bf

SHA512
5db5062813a29c7bc051c861f9a92f9a7c7275da975d61d19d4942bfd0df55a95dd68ab83c3e27412b306a7b33f55020524ad3bec64caf82a724c89a30d326fc

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
75818d075ddfa16d0126c719835f5682

SHA1
505455e975fc8f79589f4f03090f55f7b986c565

SHA256
a7af2d88165616bfbe98fba8582ffd1af5ec8ebafcaef44a6dcf9cdd48be7cc8

SHA512
4f40127a166d5bc0d18022d5bcd36ecfc8e7ed55845f14fe971ea53b5ce17d38268f796b488c036a504af0bed7f04b2d9ecfaac9d5ff20296a119aee63b8adae

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
8d81164ca215abd9548e47647c63f9bb

SHA1
5ac92a1f2d1259ffb6d1ba0853e7c1461312e677

SHA256
fc5edc27f10e15a323e2d37273cd15a13d6590f418793dd2f85da0b19e3bdaa3

SHA512
7acad20558213d0f7387ef6fdec4b3c47224474c0440b01850ad5d0f38f369b0fd6b517450766d49cd9fb4701f855c76a8ce4b12d8a70e09ed5a2f7a74f5d9ef

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
dc54355184762f30faa12fc25cef05f9

SHA1
24d4e61eb5a7d3a11e52a9b0b143135d8174c334

SHA256
2b9884a1277a4a4875cdcf433ac90b46e16f01bb3618e5a6779c6b5da778ca83

SHA512
a2f52f00d0ab138ec0d94e43960eeb88a0e16183264579ac537f172163b455e08bc32430223a053b6605a3fc3488be65d4aa980bea8995e661228683908b35cb

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
2ee954d8930e6107916ed2ceea1a7536

SHA1
702305f8e30a875b9790ff98aa97bf35acbda62b

SHA256
3ee92fbface95eceea0f17a6c25c959c6e218c17c9428f012367e8c5adecf904

SHA512
2fb9c6163cfe1c48a2516f79a8c9e8fb78130f96a5402cdad447f47d890942b672cb8995bd6e05e40fed3d48a1c55493fefebe865a223eaa8dd4c3f1f1fdc021

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
ccf23c45f210b8a09e8d610d65ea7cc4

SHA1
aa987e1ef4223be4847a83be3719111fc9fef96b

SHA256
f60dd23c1c4cbd16291c005da147a71ed1c667166338b1118fdbca8ee1a778a9

SHA512
f2d49437aeec5f442b80c48bcc8f20439df7c98f4354d35fe7b286d21e97982bc8192693393683317457c9f3961dc12ecc81db7bfeade2b93ec7dc7105e63aab

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
291f3c061c8e08353ec933392f1d4c94

SHA1
421b47a28e95489befce9b1a7a8bce26f34d8cb8

SHA256
79b4c3d7d6de29c11844c6259975d7820d40df3f35168ae47fab10352afdf12e

SHA512
7dacc75b09a7f2eae0c2c9b206f417a7dd86c02a8e7b9041d61559d6fadb245de462cdc1a89fccff0a47e325a82b7f9d8370c747d8c65c012f38412456e9c430

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
05e31ff0b8a38a0b8297bcd426c21ed0

SHA1
11fc60f6d7ddd627a8777f3c7ef2904ab7e426a5

SHA256
6a7c8b71220b5d40c715dbc4fa82c1ff2c769fa430a1c1e40b0cabd519fbb353

SHA512
d45082ea8175a9f6f626e8577bc47e9cfe569c671893dcaecf6681d3bd38aa84698988d6f3446037850061728cdcfcc431cc401140fbda3d48d1eb4f2f53a5ca

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
222a2c5043af775f4925caa6908f0185

SHA1
1f3039318f76737fd887ac9941d23405c2045ff9

SHA256
7a92185d3dd22b17b9ba727a9cfbf92a3a8294b8901db8af3f6152b38e51557a

SHA512
7ae9aa29b15125548e8e2933991bd5cc20654e5d1d4c0769d655d3d8467dabff5dc8d807c678b53c860f72c60828e3c52426f0fd29d97af04b03c34b3cb5027d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
43c2b54e6aa148e1b34d55322d32c76f

SHA1
1a52772a38b01fce4c0604933caed072776cf3c8

SHA256
9e04caafd2770774d1a2669edf5cf523420f492e05cc9b791450923565ea29e6

SHA512
4fe0c30e69ffa3bdd1d058a8bcf3ef0aa048657b79ac0ed63ca490c46dfec16e94e4dca56d531a8b894ed31f10519c2ecc4bc251f12a13b13fd7a69dfec5b36e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
47158dbc2ef9f37bd0b69d4d05e5d76f

SHA1
c1aae99a0bf41e7bb6111a84c3ac74f2aabc73bf

SHA256
f244077baf599af168f136b6c9c8ce5666ddf5934f62f79a383117605a49b35e

SHA512
1db6c8004401d90960a6c2aedb25ce2aaa3b28cdbc968599eea78b20c8ab786931d9f79421dfee554893d5aa8906f34526a15234d98177a26dd36623a61acd5a

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
0e1a0df5323f02fa141b11070035f203

SHA1
4662c48107aebe02429f78dc0ab4328f88ea9e8f

SHA256
169bdddd028372b9c8dc1bbc8bc1a48dce9089467cf7c3b5967ebc20713b1bb7

SHA512
5ef418e1f48b459f21f15f8462fceebbe5da2e16ff4cd02a614a6a508c1a9e28527c0d0778840600c85ba60d412de91e754b3aa0173ac4db70460367a2abc6e5

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
765a0f3fe47a3a014fb818735c655163

SHA1
b71e87027ee96b96cbaba13819bc277f36361d63

SHA256
97bac037b7eb3cfaeeef7534bd280d10c57147114f4a68bc23f6b5e0748f9d56

SHA512
72eca0cee342b17cd9723da8f2776bb4972061f67d10b243940cb8fc0f7c7a24b10367bb721f5c1914d4267f2838b3c28e7d50deefbbcfd8673f8d2aa9b6d8be

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
e87b2d8d1df8bffe5c99c7f185285186

SHA1
5200f8ff27adf04ca909d3e072d42c49ef709fc5

SHA256
7d9af1598b0f86609d2eb50564f827175deb36d79f1b9a2c4526e95b13626285

SHA512
d8a1dad1803fb3481ce016687a5fc82829d47be413ef0f014eaa31bba41e2f891d394d81f6b6676c8dbebb850633fe55bcde4fa19e53bbb6f7bb9d0e6e0b622b

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
2da98a1d926ab157f7002e25b15f53d0

SHA1
f3d2ad60910991618fb7af4489bcf45bb784be1e

SHA256
14011172dc9d92e00d43297ada98569dd8176ca87b84722a8f2731ec16244fe8

SHA512
7d84f807c94c3dc4dec740b075ed0f6ec45013e80039e89fed050488546e0a2c7839dacbdb78724bde93cce4a65abb707bb498ffd06f0dfd89f32a873b99b869

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
bc3b5fcc013f433c6b4805d450ecf8fd

SHA1
71a1823de0599c27eb5bc84662615dc84b346fb3

SHA256
c1f272d61862cb0c1fc419571d8a3a3f8b8345fc2bf11f9d1495987408173b3b

SHA512
d7bc830f45b00b324bf231f65dc846d4dfd6b3da3126388970ce521480580d9e2ae48b4f53e88fefb1cf554bc2fbf0363ca646acb8ef7d684aa77bf707abef84

Download Submit
\??\pipe\crashpad_892_QHYUWHAXKKNGHRED

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1004-313-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1004-172-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1104-88-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/1104-81-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1104-82-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/1104-224-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1496-37-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1496-6-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/1496-0-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/1496-10-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1496-21-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/1732-250-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1732-109-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2212-106-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2212-94-0x0000000002290000-0x00000000022F0000-memory.dmp

Filesize
384KB

Download
memory/2212-100-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2852-53-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2852-52-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2852-42-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3272-301-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3272-166-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3380-276-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3380-156-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3752-164-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3752-73-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/3752-67-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/3752-75-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4200-35-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4200-169-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4200-26-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4200-36-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4304-145-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4504-63-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/4504-56-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4504-76-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/4504-78-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4504-57-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/5044-12-0x0000000001F90000-0x0000000001FF0000-memory.dmp

Filesize
384KB

Download
memory/5044-20-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/5044-17-0x0000000001F90000-0x0000000001FF0000-memory.dmp

Filesize
384KB

Download
memory/5044-144-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/5208-334-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5208-605-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5208-191-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5304-197-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5304-577-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5320-816-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5320-302-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5408-634-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5408-218-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5568-649-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5568-232-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5576-829-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5576-314-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5744-245-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5744-650-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5888-263-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5888-251-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5960-335-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5960-974-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/6000-784-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/6000-265-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/6076-277-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/6076-808-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download