2015b5d0f8cb75bbb7e81bce6551571d24a53c95ff186bbd82a02b64e6449fae

Analysis

max time kernel
149s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24/05/2024, 21:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
Size

5.5MB
MD5

fd7bf0c39408a646df99395e75550ec9
SHA1

5a442337a301a5500b30e32d47890a7d7b132968
SHA256

2015b5d0f8cb75bbb7e81bce6551571d24a53c95ff186bbd82a02b64e6449fae
SHA512

5a8748760997eb72bc141cad9d65f54109d3225b1f38db91b3743fd4b83b402c43126278e9b1b3fd820b32b5baf72d7438e8c34b11b411ea05b93c78b8239887
SSDEEP

49152:+EFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGf+:kAI5pAdVJn9tbnR1VgBVmVeD5s0JXP

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
228	alg.exe
3888	DiagnosticsHub.StandardCollector.Service.exe
3688	fxssvc.exe
2152	elevation_service.exe
5020	elevation_service.exe
4912	maintenanceservice.exe
2016	msdtc.exe
2100	OSE.EXE
5184	PerceptionSimulationService.exe
5360	perfhost.exe
5524	locator.exe
5576	SensorDataService.exe
5704	snmptrap.exe
5776	spectrum.exe
6116	ssh-agent.exe
6136	TieringEngineService.exe
5416	AgentService.exe
5236	vds.exe
5532	vssvc.exe
5492	wbengine.exe
2804	WmiApSrv.exe
5224	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e0b474a0b3e2edcd.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000281ec68924aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b3d5f28f24aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000086bd5b9024aeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b78fb49224aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d8f6759024aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009c5fd29624aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001e8e578a24aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007263569624aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
4856	chrome.exe
4856	chrome.exe
1688	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
1688	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
1688	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
1688	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
1688	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
1688	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
1688	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
1688	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
1688	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
1688	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
1688	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
1688	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
1688	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
1688	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
1688	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
1688	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
1688	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
1688	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
1688	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
1688	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
1688	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
1688	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
1688	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
1688	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
1688	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
1688	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
1688	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
1688	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
1688	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
1688	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
1688	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
1688	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
1688	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
1688	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
1688	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
6684	chrome.exe
6684	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
676	Process not Found
676	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1436	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeAuditPrivilege	3688	fxssvc.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeRestorePrivilege	6136	TieringEngineService.exe
Token: SeManageVolumePrivilege	6136	TieringEngineService.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeAssignPrimaryTokenPrivilege	5416	AgentService.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeBackupPrivilege	5532	vssvc.exe
Token: SeRestorePrivilege	5532	vssvc.exe
Token: SeAuditPrivilege	5532	vssvc.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeBackupPrivilege	5492	wbengine.exe
Token: SeRestorePrivilege	5492	wbengine.exe
Token: SeSecurityPrivilege	5492	wbengine.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: 33	5224	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5224	SearchIndexer.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1436 wrote to memory of 1688	1436	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe	92
PID 1436 wrote to memory of 1688	1436	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe	92
PID 1436 wrote to memory of 4856	1436	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe	93
PID 1436 wrote to memory of 4856	1436	2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe	93
PID 4856 wrote to memory of 2472	4856	chrome.exe	94
PID 4856 wrote to memory of 2472	4856	chrome.exe	94
PID 4856 wrote to memory of 4304	4856	chrome.exe	99
PID 4856 wrote to memory of 4304	4856	chrome.exe	99
PID 4856 wrote to memory of 4304	4856	chrome.exe	99
PID 4856 wrote to memory of 4304	4856	chrome.exe	99
PID 4856 wrote to memory of 4304	4856	chrome.exe	99
PID 4856 wrote to memory of 4304	4856	chrome.exe	99
PID 4856 wrote to memory of 4304	4856	chrome.exe	99
PID 4856 wrote to memory of 4304	4856	chrome.exe	99
PID 4856 wrote to memory of 4304	4856	chrome.exe	99
PID 4856 wrote to memory of 4304	4856	chrome.exe	99
PID 4856 wrote to memory of 4304	4856	chrome.exe	99
PID 4856 wrote to memory of 4304	4856	chrome.exe	99
PID 4856 wrote to memory of 4304	4856	chrome.exe	99
PID 4856 wrote to memory of 4304	4856	chrome.exe	99
PID 4856 wrote to memory of 4304	4856	chrome.exe	99
PID 4856 wrote to memory of 4304	4856	chrome.exe	99
PID 4856 wrote to memory of 4304	4856	chrome.exe	99
PID 4856 wrote to memory of 4304	4856	chrome.exe	99
PID 4856 wrote to memory of 4304	4856	chrome.exe	99
PID 4856 wrote to memory of 4304	4856	chrome.exe	99
PID 4856 wrote to memory of 4304	4856	chrome.exe	99
PID 4856 wrote to memory of 4304	4856	chrome.exe	99
PID 4856 wrote to memory of 4304	4856	chrome.exe	99
PID 4856 wrote to memory of 4304	4856	chrome.exe	99
PID 4856 wrote to memory of 4304	4856	chrome.exe	99
PID 4856 wrote to memory of 4304	4856	chrome.exe	99
PID 4856 wrote to memory of 4304	4856	chrome.exe	99
PID 4856 wrote to memory of 4304	4856	chrome.exe	99
PID 4856 wrote to memory of 4304	4856	chrome.exe	99
PID 4856 wrote to memory of 4304	4856	chrome.exe	99
PID 4856 wrote to memory of 4304	4856	chrome.exe	99
PID 4856 wrote to memory of 4304	4856	chrome.exe	99
PID 4856 wrote to memory of 4304	4856	chrome.exe	99
PID 4856 wrote to memory of 4304	4856	chrome.exe	99
PID 4856 wrote to memory of 4304	4856	chrome.exe	99
PID 4856 wrote to memory of 4304	4856	chrome.exe	99
PID 4856 wrote to memory of 4304	4856	chrome.exe	99
PID 4856 wrote to memory of 4304	4856	chrome.exe	99
PID 4856 wrote to memory of 4568	4856	chrome.exe	100
PID 4856 wrote to memory of 4568	4856	chrome.exe	100
PID 4856 wrote to memory of 2116	4856	chrome.exe	101
PID 4856 wrote to memory of 2116	4856	chrome.exe	101
PID 4856 wrote to memory of 2116	4856	chrome.exe	101
PID 4856 wrote to memory of 2116	4856	chrome.exe	101
PID 4856 wrote to memory of 2116	4856	chrome.exe	101
PID 4856 wrote to memory of 2116	4856	chrome.exe	101
PID 4856 wrote to memory of 2116	4856	chrome.exe	101
PID 4856 wrote to memory of 2116	4856	chrome.exe	101
PID 4856 wrote to memory of 2116	4856	chrome.exe	101
PID 4856 wrote to memory of 2116	4856	chrome.exe	101
PID 4856 wrote to memory of 2116	4856	chrome.exe	101
PID 4856 wrote to memory of 2116	4856	chrome.exe	101
PID 4856 wrote to memory of 2116	4856	chrome.exe	101
PID 4856 wrote to memory of 2116	4856	chrome.exe	101
PID 4856 wrote to memory of 2116	4856	chrome.exe	101
PID 4856 wrote to memory of 2116	4856	chrome.exe	101
PID 4856 wrote to memory of 2116	4856	chrome.exe	101
PID 4856 wrote to memory of 2116	4856	chrome.exe	101

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Users\Admin\AppData\Local\Temp\2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-05-24_fd7bf0c39408a646df99395e75550ec9_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2dc,0x2e4,0x2e8,0x2d0,0x2f4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4856
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffee7ce9758,0x7ffee7ce9768,0x7ffee7ce9778
    3⤵
    PID:2472
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1680 --field-trial-handle=1852,i,2016448156383548189,15954101645449406976,131072 /prefetch:2
    3⤵
    PID:4304
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1852,i,2016448156383548189,15954101645449406976,131072 /prefetch:8
    3⤵
    PID:4568
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1852,i,2016448156383548189,15954101645449406976,131072 /prefetch:8
    3⤵
    PID:2116
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2904 --field-trial-handle=1852,i,2016448156383548189,15954101645449406976,131072 /prefetch:1
    3⤵
    PID:3368
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2916 --field-trial-handle=1852,i,2016448156383548189,15954101645449406976,131072 /prefetch:1
    3⤵
    PID:2996
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4420 --field-trial-handle=1852,i,2016448156383548189,15954101645449406976,131072 /prefetch:8
    3⤵
    PID:1228
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4636 --field-trial-handle=1852,i,2016448156383548189,15954101645449406976,131072 /prefetch:1
    3⤵
    PID:4976
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3732 --field-trial-handle=1852,i,2016448156383548189,15954101645449406976,131072 /prefetch:8
    3⤵
    PID:4596
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5024 --field-trial-handle=1852,i,2016448156383548189,15954101645449406976,131072 /prefetch:8
    3⤵
    PID:2668
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5024 --field-trial-handle=1852,i,2016448156383548189,15954101645449406976,131072 /prefetch:8
    3⤵
    PID:5128
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5000 --field-trial-handle=1852,i,2016448156383548189,15954101645449406976,131072 /prefetch:8
    3⤵
    PID:5396
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:5648
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff7d1ec7688,0x7ff7d1ec7698,0x7ff7d1ec76a8
      4⤵
      PID:5760
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      PID:5828
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff7d1ec7688,0x7ff7d1ec7698,0x7ff7d1ec76a8
        5⤵
        
        PID:5848
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4428 --field-trial-handle=1852,i,2016448156383548189,15954101645449406976,131072 /prefetch:8
    3⤵
    PID:5968
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4464 --field-trial-handle=1852,i,2016448156383548189,15954101645449406976,131072 /prefetch:8
    3⤵
    PID:6044
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5404 --field-trial-handle=1852,i,2016448156383548189,15954101645449406976,131072 /prefetch:8
    3⤵
    PID:5248
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5048 --field-trial-handle=1852,i,2016448156383548189,15954101645449406976,131072 /prefetch:8
    3⤵
    PID:6112
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5216 --field-trial-handle=1852,i,2016448156383548189,15954101645449406976,131072 /prefetch:1
    3⤵
    PID:3528
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3868 --field-trial-handle=1852,i,2016448156383548189,15954101645449406976,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6684

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:228

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:3888

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4556

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4744

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3688

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2152

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5020

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4912

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
PID:2016

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2100

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5184

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5360

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5524

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5576

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5704

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5776

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:6116

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:6136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3204

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5416

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5236

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5532

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5492

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2804

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5224
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5836
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 796 8192 812 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:1544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3840 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
8baeffef96a3eabf2f3a50ad20117996

SHA1
a7159c69b7f2d3d3aabeb191e761ee3062d4f743

SHA256
14f672562a4bddc738c3eea0ffd81cc7ca86fee6c5c997df828d192f0ada0e18

SHA512
6bb1d49346d52a01766f438e9bbce05b37a0357871169124e0c22d00492a4a60d8dec18dbd0b92a02d93a3febc0d1411f2f78fe5057ba8a1da0717b68868b148

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
8eb3c05b5a40fae0a7719f8ecd63f8d5

SHA1
3faa3147abdf1493882198a4be934163ccf35490

SHA256
c1d0d8df344197aa832df2f0531f3dc913ca912cceacaef4a8e0a532227a3d73

SHA512
050059b8d15ccad960deb37365ab2eba271a4b9dfa1da53e986037e0fee0b959690bbf6ec4c9f107760fe9539bd6233de75fb50201f1923fc65524860de01fdc

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
7d24b9896eec13c25b80681e5a3a3096

SHA1
f11665eb07b8dcb2375547e1762477c8c88aa20c

SHA256
d3f7155b360d36421cea6ab58fe448ffb9af3ec3408f6dc559caac9476d1c7a7

SHA512
d658eca15f12fcae02d81549852948d9822df744d377b6c460d6cddb587c02de9f3a516064781bb9a900e3719579ae5e67df4cd70f9f355b3f73ed7bedde60b8

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
51f89b02f2159d4b9c7e20062991c35d

SHA1
dfca3053527e5ed9cee23f31a8cd6ba7b060f78e

SHA256
1245bebe6ce6668865ff6a017c72fee6dc09b7f33ba4d75b65e9d3c3f07ff188

SHA512
3561ffd4f0c4a93375cf056327fb8db079ee15d5cbd453adf3e35f63d168454d6e48582d36a2d33b494c1b866a80e8968c79a9b0adf1bd85ad1ad207ffb47e4f

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
7ba591b8003405b3bc2919683eace87a

SHA1
eaa9044b551e39baff0104e1b82d9abe5c424f8e

SHA256
0ab7da8ae88904f2363d8b321749d463b14f9cd44f95a9830ae055d297cb0352

SHA512
f351a128c999f2412752f375d316476901d58ebea8db8c7f42c137a6eee2cb1b53a1286708cb0474911ca9168d892c2f9174034b68087e86d74493c0c9df1df6

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
1528ef8b3564722e9a9480c3d1a91687

SHA1
3e343a4647852d09a3f51ffd992196f47a759282

SHA256
ae046cea68d8ea850fe03c07a607b239416869cdfb328aed496c9e4f4f9dd977

SHA512
d9f9f9797cb7e4c5ca7d57a74fd7ee4079712746a2ac463f1df37f0a8c152db139b1e512acae2dc9347ca284ecc1e9a82a822df83fe4a41c49cd80e433cb22a5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
2c4d50a311c136f317efc1d6840c8032

SHA1
fd27d491d19837a3937860879ee263ea1f25fe41

SHA256
f79b88d3b985bbb35743acf8265d5a2b49164f5f1d717db35da25f2366caad2d

SHA512
31e088c4d0f0e26aab7b4e5bd37a3bd3fc67dcb8bee57a1b9d447c6ac5b2cca44db9ab782095b9959376d4b00e13ae9f143f005c5220cddcf92635949359f008

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
b4a85eef1a9c5d2d79c9bffc4d8dc7f3

SHA1
e909a623392a3b5f420d818b0a67c89f5f9a5a61

SHA256
99ccf3433bd39fcda74b2892441440a0c370c9ecf9ca112c37a71260751d6930

SHA512
c38c78f8f305384575babca91a9edde2ce77ac3535761f0bafae92eb9c625f60f6295cadff1dde7176dde72195b14a2667d5d306ec3da99a928da581b06f152a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
1c2bae308ba0d5ab03841c53573367e3

SHA1
0755d5e1c4bbb6743a515bfadb9c69cf2ac39c61

SHA256
04eca35fda5e70d8b12ff18fe4ac2c86dda834314f06c00669e9b1ea848871eb

SHA512
0f23408c865962638c750f936a0dbc1a684144f26b386ea2e8e46873c9844322a7de6fe409adaa0be38c5c5dc5899720dfe3491e5b800270b352cd96a3383a52

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
19.6MB

MD5
82d7582d5714695d31f36ecc045502d1

SHA1
daf13bceca54bee485faef1d20034c2958902e7b

SHA256
b27a1bdba9409de0fb69fa9394a604022cc4eb2d28a02b05e34b3a345afd7cb7

SHA512
694641feaad257b17fd03b96862e8bc3b4fb49b041951c5a0675914ac511d2077f7de36900da817f3a51753540a6591a4fa4dd3f31f4fc8ed3f7bc54954a1a52

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d090999a001c1f6012b82d07e2a8e0d6

SHA1
adafba30dd15714ee0ece6ee1fb7d183c5aa63bd

SHA256
bb161af1ff26929b18a54ddb4e13ba53cfd840431df3004939e71221996d8a85

SHA512
113c1b6222498c609b660ecbe10a362b2a93981dd06d2a90a415d301211d42e2aef29f6bd0e0eefadcd3ba37d3a02e54d60945cf9ba87ffdf02de108773ab50b

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
c0b46cf5c4f4066bbfdd028a42c897bf

SHA1
9c51010e198666d39d97894b1a7c60c9b04a95ad

SHA256
9b9b60db2f4860820c7970c24671583b3b99f4125f3d8030f84e7e2ed6bb778b

SHA512
12dbe34e573ed51a2ea6b23a59294dae151c27d3493462f00bc4cd88107585d0052da7a354040170059af8411a1582355e34b31847901671aa21f6b79acbfd94

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
8c021fc9ca1705eaace925c8d8284a36

SHA1
fe4f3ff320f84fdf2b21d88e3105020543444776

SHA256
2a504c85bb823ee4311089432fb85bc0dce0703fa0a6c717bfa9b3a328827a9b

SHA512
ddf7bebb17c6f985c415f272ae59d92b375ef7d9c514a6793a68886e0c7cdafaf7ea8b775e36c93a587eabd7ba99178a7fff618ea74237d94c3556f617a4b363

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\7c83fb54-3f6b-4cef-8507-3eb470109213.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
f8884c76008363c2f56124951e58a3f5

SHA1
d88616a96bccf6b03219c3bdc70a9b14212839b5

SHA256
85e4b851bf3e04e88297b5fe7ce08048d21a64b5a4bf6d750512a03b7033b147

SHA512
bb92ff280189ad9ba19d1ef132545d2f5725b47684110ff22f7e7e14816d2ec5f8b8a5d04866ff5e168b58acd490c249280ab6c23b089c4270f4b0d28d57e58d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
85cfc13b6779a099d53221876df3b9e0

SHA1
08becf601c986c2e9f979f9143bbbcb7b48540ed

SHA256
bd34434d117b9572216229cb2ab703b5e98d588f5f6dfe072188bd3d6b3022f3

SHA512
b248162930702450893a112987e96ea70569ac35e14ef5eb6973238e426428272d1c930ce30552f19dd2d8d7754dc1f7f667ecd18f2c857b165b7873f4c03a48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
a8b38fca71ca854a978aa92f570e5d97

SHA1
018723ae14eca404ebfdd3d7a91d13b51fee99d1

SHA256
74d7fdb8f25f2b3d17f7c715d816d40ac8f37344d273b9a1d9ca4de386b0e011

SHA512
fb6ac76bffa5b140ba532386661431ef8054b303d6472dadc8f4ace35edb3de10052783314aa7a87039e24f3f27a43318cee00f776c819062b995a2bec9baa19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
7fabdc2638d4ab96428e870c72d6f6e8

SHA1
c129eba9ae3076d57b4de80e72a6b66546536314

SHA256
87553f09d904a794a375e4f1fb8806312daedda15dbfd64ecf1434532833d102

SHA512
7861b9a3a5e811fb91f12d41c5b6223dff7ea49e4dbb8898087e91179804d109d8581f883a82560509b11dfdbe8dd2f75b8479f847a990eab9eb33617e17bf06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
0c130437ab19d6a0cf2a00c39613d3bb

SHA1
911ab986f093dd8c60ed00367dd509c1ec989da0

SHA256
4fe02b467b793151958fde29e0c42b4a74889740235240579ef9e582db939585

SHA512
bd69e1030211c23148af776224ee1915c79056b10edbdb2da12f102fb4f80674588e397267d61bb907d28c9f47eef18010867ed715c050fd2be370fa9b648f72

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
1776ba4f092c9b96899126d1f0c2c07c

SHA1
3dd369a62184b8ac019f50bedc2abf3e4df370da

SHA256
e19d15f31bb61ef0f7d5173ced4d00b998294ccabb54bc209ffcc61de87b8ca2

SHA512
a0992c2b62ecf815f84d26ff5d7c77363d44ac5852173e33fbef1903903038f70edddcfaf4292cefb5eb1f7f6ffa2192f47fa393c7881d44f0c4ca69e0f85387

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
c7a09daa86cf9076b61cdf2cf7e31cb6

SHA1
ed3a2c6bbeb493eba41764ff51f0272a85879357

SHA256
b535027ea21ab04958c27d65d0a9c2c222fcdd0a315f1730fa9f917f7fe92f1c

SHA512
057277e3ef4752e08cb8e8e5d2bfe061ef46357b771242f5f6436e60340a3d017458b9124415cb5466c4adfeb701994f363e3c7d24fc1f9abce49399a0020a36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
f67c6dbac643fdf1f02235946a0c5c30

SHA1
32f47c25c723e4e76fde0d8d463c1cdd929b93d3

SHA256
b6ac5c8df3bd7aabfcdd2cb17f630777605040f5c5c2fc00a5cf785391b1609a

SHA512
f9f09cc5fe4d0129460ec6994734fdc728d8c4379ce6af425a3d37f79e636c54d824cb982f3131c0af9a31ecc1133c60a37a3dd63e0ca417bd88887f3c83509b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe583e3d.TMP

Filesize
2KB

MD5
04695aadffdaf28b5be826d27d48721a

SHA1
ce79df7c80926a86b0e1a922a05bcab16c7620c4

SHA256
0bc76b0a74faa8d4d25cfa28127c42750e86004af7a10d590e07a33a89726b51

SHA512
aa3438c4a09ea9c0c52dccb6cba636ac99c11b47a5b78317869823d6c39bfdfa304f40e67867b8ca9c4269efaba12431ae59a1d54c671f38acb9e4fe3d23da54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
13KB

MD5
7d8618fd57de0ac790a431f61a939557

SHA1
42277f27fd4c1a077aad333453286bb0dc799484

SHA256
cf2660422f12df723bc41427c560dbd4e29e14a297d84e81ac9554a72a900007

SHA512
af8c787426d876eac2a9d225ded6df1fe38cb22abc0c0209b46b2f01943f47f0a92f99f000983e05dd227a6ba421b39d49ead8ba17db48167582cb90971e4cd9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
10KB

MD5
11aef550e67c98794edeea18ef948caa

SHA1
d1da11854160fa95422ecc2b6c27d323e4f624a0

SHA256
baffa81326b803265f2fc62b8553b623d9b62cdb7762711ac8cc7877f3fc40d0

SHA512
2aa29643f4ed5fb16d1bb2acd4dad51d284f58dca9d18b3529f292d4500b95bbb6aa8c68aea4f0a745d939f6e06634548d3f820cb9b3df0a2de1fe8415d75255

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
270KB

MD5
57460ba9be317a243c713e0ae4405486

SHA1
1e6b65b15b904d92f845cd558ba7c984fd75ddc2

SHA256
2a122e249e461eca6ccc9cf85c96d54849745aef2d9aa9b1a0f5833e1a0f32ab

SHA512
cc0fb16e76708bdbd516f150d88e5352d2282ed7379313f34d8c386e6f027f895dfd63734682d74f835d587a87acd72d19ebe9b225d3c92bce0197c6a13c3e85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
4KB

MD5
e5e82b2a41b83933dfe56ca67b408a81

SHA1
ac91646069e5c7a5cd911d31e9a68c372dae5137

SHA256
0d1ddc773a15c13258ad43adce9b82879cbf645f7ab496f9f75c60483c0ca16c

SHA512
0d61893b73f0f49574377344019b4b40cc84303eea62a6937cca8499f3f544c22ce8c525851d3815c428a6d271978216b8b0637b99b8962dc1eeee0bab52cb4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
6KB

MD5
1080549eea612aa8afec2238c61e7046

SHA1
097f25340e992a35e2f770bc06614db49b964e46

SHA256
018a10a5ad624ab00540775619f53954a78dabd717220b9bba39c49df9e26059

SHA512
ce15b4081b8a7b081b04ad453ea9a0fcdee105305a0fb02af90cc52da4b894bc5f3ab6fff3e6d5361bb877726c2b06b12a50b5df7114b0b20b5b8b29a17ce806

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4856_1845385692\093571b0-8a8a-4877-830c-b211082e4c3d.tmp

Filesize
88KB

MD5
2cc86b681f2cd1d9f095584fd3153a61

SHA1
2a0ac7262fb88908a453bc125c5c3fc72b8d490e

SHA256
d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c

SHA512
14ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4856_1845385692\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Roaming\e0b474a0b3e2edcd.bin

Filesize
12KB

MD5
2dc8cda1f433aa5602272a6b1af9af6f

SHA1
5bb54c15a4775e570ab20d896d9364c9e17e9c67

SHA256
2eb25e9b7e23f2344c3c94757d551c06d83b493df0d6aef2701b259fa45750db

SHA512
fa8d1f4f95f61a0552797834cc1fc6323f794a6c463ff28736b77b0e8ac9ccf91b04409b7880182b244094078252ba4c961670c5723ed472bca479061352f4f5

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
4e567d3b62be68930c78bac05a37c210

SHA1
ce197a5df436f6d5af57640cc4d799a20956e7fe

SHA256
6ca7721cdc5e9714e6b4e0146a51cc1053f54f71b152670cfe4ddd2584f199a2

SHA512
f585183967f2039285fb2a9908176683e270ec9dfc12d419fd18988e45fdfc778c28966406dad46c4bda404b3a7a562582297ba31b731c156c23d19ade2f76d4

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
08113e1c2cff5ec45f7eff86613096c3

SHA1
0fd778f4be189293884cbc7ed4742cc6ba8569dd

SHA256
d910f06997c51896ca14c75bc48b63e213c681f73264a9c5175d41d565009335

SHA512
865b06996aa85e8e26bfe29f679e79e3716c11d6962e2e7d61ce52272955d09cc81d55f08bb011c3693cbe1a2038298dd3c5e320621f142c4d12bb8866e38d7a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
167e28a3ea0dcbf3751ab4d1ae125c79

SHA1
96f4632cd963d4f2870e9d2aca2909df54f053fd

SHA256
f85bb26bd2afeade6a6a3641b73585dea3fc4339a1ec0e2b8c5977111440b9bb

SHA512
a1690f7f42de7b4e55f96d8fc8c368d79e9419382a735916a9c69ed9ce67e972b4ea494cd94dbb185bdf00eeb330cb2907f01b2443199d7f8c1c2eed6678f8ab

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
0e759473af45069e19fef6b5745805bb

SHA1
0e1166fdfedec2044d158b4e63975e48068e90e7

SHA256
cfbf92f5d74f149f6cc7e9634e076e5f469cf16795295a95859f0d8ebe282df9

SHA512
6732ae9625b191732040260f1e65e724aec9860de6282b52a2af6d7c870e0bec0be8a3880c07b6b84c3c7fd6824b8abbeadc03e1229d4e754161d6b576effb58

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
cc83e6438d49c651cb4a2a430a8f836a

SHA1
e69d6b2d21bed199c5d7044e23991ae3bd0e49a4

SHA256
422096ddad5f53ad2df5abb5c57b18e7835fb3bc0cdb987f7820311dff98318b

SHA512
62fe4fa9c29713b96b669b828bfa08032469fe649a5938465dc58800cabd3128b451733d5e7b18390aa8d733a2ac3b016136525bb72651a5b21930c0236344b9

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
95e4ab7d5473843f106fb39bd2e7ec0f

SHA1
f04d4c585bae32483cec73372a57650dabfd9140

SHA256
013c59f67cb1b3b52ea56920dd123987355d4aeee1ba1bb8292b5121d6af277c

SHA512
0fad2c6ea74720b1405ae961195ba5d32a60082f7697ab3fd8380d2868e20a507013f89961f0786964c58cd8119e5c09753f18e9fe766dc4c4edb8e3fce5a220

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
cc47ea5969a2503c98cc0cf11b020120

SHA1
9e598d309a6d0cefba5511d8f8ce6aa3f0050aa2

SHA256
04f43b6acddcd4fc653e587d7d73ee6b297d4bdc2993415a3a12e096fd801b81

SHA512
ab7e5102124e7b45ff063bfe9416154d0220e5530ee60240ce4e6e91d70416823a6a2837d95f93d934cd5f6af08910475cdb8e0ad4892ad229c9c246c719ac00

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
7fcdda92ac974dc00637e22296a85600

SHA1
ef15df2edf0574f57952b18f6aafed49564579ac

SHA256
ec5eaf0f5ebe688ee7871f05c1207fcefeaa211ffa6277acde5be4cee94ce992

SHA512
c3e18533abdf7f477cd011eb71fa97d33a2310b32931b7c7912fd33a789061d2935ad0338065a992ea4f9c32b544729d92a1d9cb70edaaf12460df19b625e326

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
781ad3533f11fd1c95fedc783c96ae61

SHA1
eab8610e03c72e41f786d74a8db2fbed507a23d8

SHA256
589a466d3dba2773a61cf966b3bf085a4e0b2ef02911039490cb4d5223e06604

SHA512
5b81b05b735a0c92ac499398b46953af4ed927e5b37238564e0a74263ca49e79b8b21fc2b537ae69fc74b787b870006a2d30880427d5413debfd679b2da1365f

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
51d4f63852ad5035a39e9b2dda476137

SHA1
129d993f0b7a1aebc3204c30dc3359906fd62cf0

SHA256
2b37c5adc957fd2885d783eae3dc7a91fe1dc952c80d2711b39120d99e9909ef

SHA512
8cb3257c8a4078da821f8d98f58eacdd7c0fa8f86d0d12c89cc4c99b717235b996d3274b55499ce968ec28e36ee72e915c9fd76c476fcfd755bf8191f75e38a3

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
4bd7f5f804171e97259caa744e6cc359

SHA1
fe164cd97bd5c123af977cd89b6ef6783a58de59

SHA256
5c2fa476336d1b77a0cf462fd953f112ba803c77a8639250e07cd4882cfbae61

SHA512
9737d35c9d66da9937c5f83308a9813ca2d885fb61a8090fc3b4f8992efa38143ef2cbd7e81e1a8af18c80835c4d536e79dfd56a4b61a022176133af7c22b720

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
8c69ea05fb498cf1b061d771530db94d

SHA1
3f3c42a3f955c78d075df58760798718b6754371

SHA256
ce0f14e15d01c2c58a6b571484a8060cc24d79863e12697d44c49fea0d926df8

SHA512
3835aa6b904a0daa6bee9ce3ec20763146b53501db24a8f9adc206020ca49c43bc99069aaaa7bc6ff040f73d9a171ae5e224d9ba1aff4623642304cb6666b298

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
2e559a1472990aaf70c7e6594340c41b

SHA1
0c024b2412d3bf534849e725b9687ec564c0de41

SHA256
78b990a35311fb956958d453bea45ec7d8848d820e52119c39d162921f99fd03

SHA512
b13daf57a451b6cdfa34b139172a67dbcc07496294f4fd3ba16d039813bccb790b5df26b850f2f5ba25714b7b4bf300003d0ce955c64f1b0cd8d21a4b143e6d7

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
6365a5193d9d55137a744f601d269784

SHA1
f64a500611e6899c4420373ed69bb6ff125bb66e

SHA256
ecb6dbc185db5f655778fbad54ff1097c37b0e824c2deddb020f02f08a5d50b7

SHA512
3bdbadda83c98b120f0fcfc3914ff7369a9db1a69ab44384596c23ce03e34ee9edbfae2c855927bb29b7faf39870c3c8a3223c3b1ed98094c1aa3f20a1ce7c98

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
a4f81858e8b2e6c8619e38744abed908

SHA1
6aa2051aeb69aebd100f59a59bc4d16d17c13d02

SHA256
488ff6477c274d130988abedf53c9df4952461329e7fa4c4953886c5955c92d9

SHA512
57f65d12cb3fdd640d594824adcc78faf5cbb9ef9e9851b17d31665712c198dbf12bc58a35f21a9c82275ffd4960a5683e47d9fa53e1586109db1510a1ecb2d6

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
b2f560f6b42aeadc63094509c549a073

SHA1
3564b0cd1421ade5fbd83b078958a2c272520dc4

SHA256
a67ff1748559b791f74c8075f0cb2b87744a392356dd7121f5ce29b9ffe9a077

SHA512
91aa847cee6b6a8ddf4f012bcb5e23ac014730a62b320adb0e5e62178c07f45cd2f577a7ba196491e14eaa8f9b69c65a9a0c54aa1aef794adf94ccbdb18f8b6a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
b55039e6c9264192927360d9ef955c8e

SHA1
ebaa42ac2416ec188fe77da0e4a89cd44d87dfab

SHA256
38c374767359a2c33e401a7d56d704b4450cb4feede6feb939837aa435f81ccb

SHA512
21bb0c1ea65452b4f89e850c211e5ff0175838a9bd413f8c4a1e76d0187ac1df50fe34e4a61f2f8a6746d807ee94df45f54f5535958ffaf5c541c7e06b9f94e5

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
5f7e4ccf4c65b8af5e010cefa21962b6

SHA1
4402d3cc6721398015eb8c7edf548b77ccb7b740

SHA256
2c2c5fd966203ec7cb16f1f32716ff1e8d84318c9f5cdab05e3205b4eb6f78a0

SHA512
d4b04936c3efb52588a99caf187756f40f65f455a2e72b80e96c2775902e5527f044af28bdf7453733b1a467de6642c4291ad1e0d8a9832fc2dfd7f21d86d45d

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
0e1a0df5323f02fa141b11070035f203

SHA1
4662c48107aebe02429f78dc0ab4328f88ea9e8f

SHA256
169bdddd028372b9c8dc1bbc8bc1a48dce9089467cf7c3b5967ebc20713b1bb7

SHA512
5ef418e1f48b459f21f15f8462fceebbe5da2e16ff4cd02a614a6a508c1a9e28527c0d0778840600c85ba60d412de91e754b3aa0173ac4db70460367a2abc6e5

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
6e1e9cccf2ffc5a1a0e905dd6b8abbc6

SHA1
0d1a72cc88ab83ea8f40c941cda17576bf6506dc

SHA256
fdb8dd915aa5f340e98e15fc430be05ca7ec8bd35933d365ff387c1f1936224e

SHA512
6f09ca7b9e3996ec37e42ccc9783241cb304b0002642725a283fa7ed8d619e907703c14395ec72a188be75f7e48ecf71f71dadd039fc745f3bb3251db29ffa44

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
c92bc36acb8cff1c88576dae49fc4ac4

SHA1
09518aa8bf21749559301af55fb0d3409bccedef

SHA256
fbde4b361e2b602e178166a49667698485b1358f2da2a6c2e6e84e25141c3993

SHA512
c1e0399f06832d2f461b66b40f8c40ff620518e0e757ded8a8286d98a31656bcd26c4641eb12bfb83c2d747551d71c84fd6a5df2d8be95686f65ae569e17734b

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
d4845bd35899132038a5e8c554381161

SHA1
fc4f44a0a443366caa900d71e5f8dccd0c217f71

SHA256
6e0e4ad92122f92b900a7b6365aade2467a97d5c7718247974722cb4a1472fb6

SHA512
babce2d1bc08409ce3a0f0cd92e47977a9c31f2631483b3963f2a2aa4fc2069b136f8c6836a1bfeb3f93e38869bfccbd4adda853bb1a2d247ae279d987fb8821

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
637f7a61fbcf163152f62cb59c6684e9

SHA1
22b956889cbd5df85173434501177c7161270675

SHA256
b62d63d4fb66e513c204704724e00f3269f6f4ae1d45281913e68ad497104741

SHA512
81edb3f036e681e69e84d1fb0f5d6c62d5527eb1e69e94623ee3aa06f6f26a3dfca3d41c00cc1df6eb649ee9be3ff647490eebf2bb4d7a7b2cf0c32c995ec13c

Download Submit
memory/228-34-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/228-155-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1436-25-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/1436-9-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1436-26-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1436-6-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/1436-0-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/1688-10-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/1688-111-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1688-19-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/1688-18-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2016-112-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/2016-342-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/2100-123-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/2100-131-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2100-347-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2100-129-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/2152-70-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/2152-203-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2152-68-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2152-75-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/2804-668-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/2804-361-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3688-78-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3688-65-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3888-37-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/3888-38-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3888-44-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3888-175-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4912-95-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4912-93-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4912-106-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4912-104-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4912-101-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/5020-91-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/5020-230-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/5020-88-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/5020-82-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/5184-135-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/5184-351-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/5184-136-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/5224-370-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5224-681-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5236-507-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5236-348-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5360-356-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/5360-156-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/5416-343-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5416-344-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5492-357-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5492-663-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5524-176-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/5532-534-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5532-352-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5576-179-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5576-369-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5576-376-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5704-197-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/5776-212-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5776-425-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/6116-233-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/6116-442-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/6136-454-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/6136-336-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download