127418b53d3d40546c245a99c72ab7c1fe68e03ee1cad9f80e98b67ad6118306

Analysis

max time kernel
153s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 16:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
Size

5.5MB
MD5

9d3aa4e3211ef1f428c8dd61f2832c21
SHA1

4d167cd8520cb5cd6ce51cabfa08d12a67b16084
SHA256

127418b53d3d40546c245a99c72ab7c1fe68e03ee1cad9f80e98b67ad6118306
SHA512

ee799ed20ecbbc62be3608b404b609a7f727064128ba970c47a49ed74028bff7815e3855ef91092858fdb016d780ce7e34be7730cde811b7d7687fd4f53ce950
SSDEEP

98304:OAI5pAdVJn9tbnR1VgBVmBMBiTLMiKGu8CP:OAsCh7XYTiTBKGu8C

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3664	alg.exe
948	DiagnosticsHub.StandardCollector.Service.exe
492	fxssvc.exe
3000	elevation_service.exe
4740	elevation_service.exe
984	maintenanceservice.exe
4012	msdtc.exe
492	OSE.EXE
4084	PerceptionSimulationService.exe
2964	perfhost.exe
5316	locator.exe
5376	SensorDataService.exe
5556	snmptrap.exe
5648	spectrum.exe
5152	ssh-agent.exe
5632	TieringEngineService.exe
5756	AgentService.exe
3892	vds.exe
5848	vssvc.exe
6048	wbengine.exe
6120	WmiApSrv.exe
5168	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exemsdtc.exe2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7b5f967bb3e2edcd.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe

Drops file in Windows directory 2 IoCs

Processes:

msdtc.exe2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe

description	ioc	process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchFilterHost.exeSearchProtocolHost.exefxssvc.exechrome.exeSearchIndexer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000061491c3ff8adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000021119439f8adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133610419853380445"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009a63563ef8adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f29d513ef8adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000011b5263ef8adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

chrome.exe2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exechrome.exe

pid	process
3912	chrome.exe
3912	chrome.exe
3440	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
3440	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
3440	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
3440	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
3440	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
3440	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
3440	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
3440	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
3440	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
3440	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
3440	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
3440	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
3440	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
3440	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
3440	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
3440	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
3440	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
3440	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
3440	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
3440	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
3440	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
3440	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
3440	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
3440	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
3440	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
3440	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
3440	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
3440	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
3440	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
3440	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
3440	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
3440	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
3440	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
3440	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
3440	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
5564	chrome.exe
5564	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

680
680
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

3912 chrome.exe
3912 chrome.exe
3912 chrome.exe
3912 chrome.exe

pid	process
680
680

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exefxssvc.exechrome.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2296	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
Token: SeAuditPrivilege	492	fxssvc.exe
Token: SeShutdownPrivilege	3912	chrome.exe
Token: SeCreatePagefilePrivilege	3912	chrome.exe
Token: SeShutdownPrivilege	3912	chrome.exe
Token: SeCreatePagefilePrivilege	3912	chrome.exe
Token: SeShutdownPrivilege	3912	chrome.exe
Token: SeCreatePagefilePrivilege	3912	chrome.exe
Token: SeShutdownPrivilege	3912	chrome.exe
Token: SeCreatePagefilePrivilege	3912	chrome.exe
Token: SeShutdownPrivilege	3912	chrome.exe
Token: SeCreatePagefilePrivilege	3912	chrome.exe
Token: SeShutdownPrivilege	3912	chrome.exe
Token: SeCreatePagefilePrivilege	3912	chrome.exe
Token: SeShutdownPrivilege	3912	chrome.exe
Token: SeCreatePagefilePrivilege	3912	chrome.exe
Token: SeShutdownPrivilege	3912	chrome.exe
Token: SeCreatePagefilePrivilege	3912	chrome.exe
Token: SeShutdownPrivilege	3912	chrome.exe
Token: SeCreatePagefilePrivilege	3912	chrome.exe
Token: SeShutdownPrivilege	3912	chrome.exe
Token: SeCreatePagefilePrivilege	3912	chrome.exe
Token: SeShutdownPrivilege	3912	chrome.exe
Token: SeCreatePagefilePrivilege	3912	chrome.exe
Token: SeShutdownPrivilege	3912	chrome.exe
Token: SeCreatePagefilePrivilege	3912	chrome.exe
Token: SeRestorePrivilege	5632	TieringEngineService.exe
Token: SeManageVolumePrivilege	5632	TieringEngineService.exe
Token: SeShutdownPrivilege	3912	chrome.exe
Token: SeCreatePagefilePrivilege	3912	chrome.exe
Token: SeAssignPrimaryTokenPrivilege	5756	AgentService.exe
Token: SeShutdownPrivilege	3912	chrome.exe
Token: SeCreatePagefilePrivilege	3912	chrome.exe
Token: SeShutdownPrivilege	3912	chrome.exe
Token: SeCreatePagefilePrivilege	3912	chrome.exe
Token: SeShutdownPrivilege	3912	chrome.exe
Token: SeCreatePagefilePrivilege	3912	chrome.exe
Token: SeBackupPrivilege	5848	vssvc.exe
Token: SeRestorePrivilege	5848	vssvc.exe
Token: SeAuditPrivilege	5848	vssvc.exe
Token: SeShutdownPrivilege	3912	chrome.exe
Token: SeCreatePagefilePrivilege	3912	chrome.exe
Token: SeBackupPrivilege	6048	wbengine.exe
Token: SeRestorePrivilege	6048	wbengine.exe
Token: SeSecurityPrivilege	6048	wbengine.exe
Token: SeShutdownPrivilege	3912	chrome.exe
Token: SeCreatePagefilePrivilege	3912	chrome.exe
Token: SeShutdownPrivilege	3912	chrome.exe
Token: SeCreatePagefilePrivilege	3912	chrome.exe
Token: SeShutdownPrivilege	3912	chrome.exe
Token: SeCreatePagefilePrivilege	3912	chrome.exe
Token: SeShutdownPrivilege	3912	chrome.exe
Token: SeCreatePagefilePrivilege	3912	chrome.exe
Token: SeShutdownPrivilege	3912	chrome.exe
Token: SeCreatePagefilePrivilege	3912	chrome.exe
Token: SeShutdownPrivilege	3912	chrome.exe
Token: SeCreatePagefilePrivilege	3912	chrome.exe
Token: SeShutdownPrivilege	3912	chrome.exe
Token: SeCreatePagefilePrivilege	3912	chrome.exe
Token: SeShutdownPrivilege	3912	chrome.exe
Token: SeCreatePagefilePrivilege	3912	chrome.exe
Token: SeShutdownPrivilege	3912	chrome.exe
Token: SeCreatePagefilePrivilege	3912	chrome.exe
Token: SeShutdownPrivilege	3912	chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

chrome.exe

pid process

3912 chrome.exe
3912 chrome.exe
3912 chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exechrome.exe

description	pid	process	target process
PID 2296 wrote to memory of 3440	2296	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
PID 2296 wrote to memory of 3440	2296	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
PID 2296 wrote to memory of 3912	2296	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe	chrome.exe
PID 2296 wrote to memory of 3912	2296	2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe	chrome.exe
PID 3912 wrote to memory of 4780	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 4780	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 456	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 456	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 456	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 456	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 456	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 456	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 456	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 456	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 456	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 456	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 456	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 456	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 456	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 456	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 456	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 456	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 456	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 456	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 456	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 456	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 456	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 456	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 456	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 456	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 456	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 456	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 456	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 456	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 456	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 456	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 456	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 456	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 456	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 456	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 456	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 456	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 456	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 456	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 4044	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 4044	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 5076	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 5076	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 5076	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 5076	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 5076	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 5076	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 5076	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 5076	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 5076	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 5076	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 5076	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 5076	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 5076	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 5076	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 5076	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 5076	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 5076	3912	chrome.exe	chrome.exe
PID 3912 wrote to memory of 5076	3912	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2296

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3aa4e3211ef1f428c8dd61f2832c21_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d8,0x2dc,0x2e8,0x2e4,0x2ec,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc23a29758,0x7ffc23a29768,0x7ffc23a29778
3⤵
PID:4780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1672 --field-trial-handle=2184,i,8306268100204445904,1670297729373777176,131072 /prefetch:2
3⤵
PID:456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1888 --field-trial-handle=2184,i,8306268100204445904,1670297729373777176,131072 /prefetch:8
3⤵
PID:4044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1940 --field-trial-handle=2184,i,8306268100204445904,1670297729373777176,131072 /prefetch:8
3⤵
PID:5076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3224 --field-trial-handle=2184,i,8306268100204445904,1670297729373777176,131072 /prefetch:1
3⤵
PID:4060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3256 --field-trial-handle=2184,i,8306268100204445904,1670297729373777176,131072 /prefetch:1
3⤵
PID:3876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4660 --field-trial-handle=2184,i,8306268100204445904,1670297729373777176,131072 /prefetch:8
3⤵
PID:1656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3892 --field-trial-handle=2184,i,8306268100204445904,1670297729373777176,131072 /prefetch:1
3⤵
PID:3156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4928 --field-trial-handle=2184,i,8306268100204445904,1670297729373777176,131072 /prefetch:8
3⤵
PID:2864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5088 --field-trial-handle=2184,i,8306268100204445904,1670297729373777176,131072 /prefetch:8
3⤵
PID:2152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 --field-trial-handle=2184,i,8306268100204445904,1670297729373777176,131072 /prefetch:8
3⤵
PID:4372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5224 --field-trial-handle=2184,i,8306268100204445904,1670297729373777176,131072 /prefetch:8
3⤵
PID:5180

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
PID:5368

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff6f24b7688,0x7ff6f24b7698,0x7ff6f24b76a8
4⤵
PID:5464

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
PID:5520

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff6f24b7688,0x7ff6f24b7698,0x7ff6f24b76a8
5⤵
PID:5540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3840 --field-trial-handle=2184,i,8306268100204445904,1670297729373777176,131072 /prefetch:8
3⤵
PID:5724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5468 --field-trial-handle=2184,i,8306268100204445904,1670297729373777176,131072 /prefetch:8
3⤵
PID:5848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5488 --field-trial-handle=2184,i,8306268100204445904,1670297729373777176,131072 /prefetch:8
3⤵
PID:5888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5472 --field-trial-handle=2184,i,8306268100204445904,1670297729373777176,131072 /prefetch:8
3⤵
PID:5536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5296 --field-trial-handle=2184,i,8306268100204445904,1670297729373777176,131072 /prefetch:1
3⤵
PID:3468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=212 --field-trial-handle=2184,i,8306268100204445904,1670297729373777176,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5564

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3664

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:948

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3160

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:492

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3000

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4740

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:984

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4012

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:492

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4084

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2964

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5316

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5376

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5556

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5648

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5152

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5444

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5756

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3892

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5848

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6048

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:6120

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:5168

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5448

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 784
2⤵
- Modifies data under HKEY_USERS
PID:932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3224 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
1⤵
PID:1608

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
Filesize
2.2MB

MD5
1244658078617dee8ee5069e0696b311

SHA1
001f4fbc3c491eb3700985a61ff32305f03b3e61

SHA256
9eeb7c7a9cbe12fad855c4a1b8efbe82677635c8e6a4d76c0b60719792116a63

SHA512
b4e4effb0fae783fb23a5ff6f1485b4199e517c98eef0dc9b68f4c029b46be41b2fe2d02f1318917869be38fcc918b59ca57ae85b6375e99927dcf0d54da4649

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
781KB

MD5
51b0b5a47b108667ef07b785e7e70b06

SHA1
c251841210a0bed9beb457193376700a84c6a7ef

SHA256
ba810953d0178852c6ad33c7d2e9ac06497d71171adb21ab3e97f41211d0991f

SHA512
c7edf62850b8f5e4f4103ec4477115859faeceed23bfddc9a1bc0f4183ec67e3ec2f89fb53e56b51ac54f64e025800eca89f065948964b7d3720ccb41e5ffea0

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
255f298cc8c816e1ca9037516eb2c2ef

SHA1
5a906ccd34f08dbae368cca85bdd2245537027ae

SHA256
6bf7072b950d11ace3f7b80db617013f06b57abc4ee56273446c86bb46a5e9dd

SHA512
e4e6b672906df08523397918c5f3436bfddb7a9652a5a9a4047e046b2bd243b58d8e65fe8832be7c7ae4fb4bc2bb091ab3e689dde402fe946d6ca4e4008f0d4c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
2.1MB

MD5
70ab49f8db8c4f2878ef90b5922378af

SHA1
eb8a30ceb17786b0a336f852bec6422f3ac8ac13

SHA256
5d1047a9c0726b21f52f7b1737264cce5fc1c1649f3ad24a20fb4f8dd461b009

SHA512
875f6a90a9ea08444c9861cb9a1576fe11ccc7bfc1c91bb18e29fb190482ce1576565af421a93257cbf66355259fa248cf03a5327f04159de68221f996ab8970

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\93940b42-fc4e-424a-90ae-8e2137daeb62.tmp
Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
85cfc13b6779a099d53221876df3b9e0

SHA1
08becf601c986c2e9f979f9143bbbcb7b48540ed

SHA256
bd34434d117b9572216229cb2ab703b5e98d588f5f6dfe072188bd3d6b3022f3

SHA512
b248162930702450893a112987e96ea70569ac35e14ef5eb6973238e426428272d1c930ce30552f19dd2d8d7754dc1f7f667ecd18f2c857b165b7873f4c03a48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\6f603c44-83b5-4875-bea1-6ca386a13e38.tmp
Filesize
13KB

MD5
91f4ed0605b8d843814f4d498a78098e

SHA1
fee7f35c41f6d841f899e11c5d7b2c87603f2a7f

SHA256
ddc625db629b9b76690b43e3d56ca6ae8e8c301ab18ece4c959db9ebfd886f5f

SHA512
5341361e40648ccaaf6756310bb020b734be5f2656e1e5a86a76c40125d6e65213fa89352ccbe0f8f97cae210ee7668db07ffde628cca08ec5bd9981ac1a05d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\en_CA\messages.json
Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\dasherSettingSchema.json
Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
ccfcb3b2ed9e0000dae8a27b5e902113

SHA1
6122b32841696a75b7869f133391e5735f506679

SHA256
3b6cf4c749c67a6f17c133934916cf8405cfe311a8f8a23522f48cb25466430c

SHA512
ec433f668aa90f8cdd5d2fe6b18e8030ed5a94fbe676d16da6cf61453c81860b8b828913386c5a164a0cff68cdedcbf81ec5672edd1e5927d2adc1613c693a02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
94276f1aaa7f0c3445eb9f17e14adf0d

SHA1
b853a0e47f4fc30935ffcce34fc4e9bebcb2be82

SHA256
2a7ab0b871d76ffee2be3a95dd561e55afc93e63225ff14ec6b9060c37e50a3d

SHA512
c9721a311838b98d91ce626461b5f09c67f88ad53eb8b70d55dccea947319d81a761fae65ccacd3c9ac743ecd67e69fe098b66f7152945c5b142e289e5880621

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
367B

MD5
1c0219db94bbd9f51101e46443b561db

SHA1
07b79309c1725aed48b002baab9b958c45c3d0c0

SHA256
9a1d5ce2ec15fda60041a96b106ed1ef28021f01216664034847058e7ce37262

SHA512
1355c148827b40743381624298eb476f366555c44e54007ab3795269dcb909fc7ae149b5d8f312e104fa18f1c3a9ee297de34456199c43051fbd18ebb2135cfe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
9a5fdb5191dae3856cf7b93b07b0d100

SHA1
4e3dfee6b68e4a87b1531407ad139f13606f2e4f

SHA256
6dd90d4a86b24ee1886031ae91d8f975650e5e025e22ddbdf417b56d5acd0528

SHA512
2b88acbc362c84fff7615617b285c1fd879792e9a95a306150e4359c0531810f9a4bab01cc2644ffd2f58b34865c9c9f7f9956a793bbf3e91067eaedc37662bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
69638151570d5f322ddb017fcffba517

SHA1
1e8e8ccd3eec606a96468121ca3cbac5ec892180

SHA256
87e81fdd95b1beeda04ed7ad10fd7f2575fe520bf8f730053e7fac5562d8e5a5

SHA512
7474fcc82408d9ae16fd7472f961a8ba2afd167a7919b6113988524e08c0d5720748d448afeaf576f21f284d157a203da9f8c80aefd9a2a6ecaffc277ccebd81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
861eedc8ec96e21af42e7337e2ce261f

SHA1
39e605c55e54bf2c865b0f2e17e6f47637b2a683

SHA256
c3ac1f7f3318f5ac1c785492a122f67b96a83c1c65b16d2b94e2f791a78f2a46

SHA512
f566539a3c7061f042794ddd682635ca09c0d002283efbce05d550e8823a9d0eb1b5b571087c64c64e041cbaf1309ff5408fc4b71d336f9c24f1131096752ec0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
e64d0b1561a1d757ea80d8329f8cf3e3

SHA1
043cc9d86bf0a9406bf72fb9dd48b71edee88b25

SHA256
c47d900d457d75247a329fc3b2eecaa82558b9929b8d7c3cdc892b3b2a81a825

SHA512
7c7d037555a98ed8df383555d9e69b29c3fc438b98ecbc46da88a9c49546144a9eebd918e8bbef18ff4bb43ce1ae7a757765da9dde0a7e539146493ba044da71

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe580da7.TMP
Filesize
2KB

MD5
04695aadffdaf28b5be826d27d48721a

SHA1
ce79df7c80926a86b0e1a922a05bcab16c7620c4

SHA256
0bc76b0a74faa8d4d25cfa28127c42750e86004af7a10d590e07a33a89726b51

SHA512
aa3438c4a09ea9c0c52dccb6cba636ac99c11b47a5b78317869823d6c39bfdfa304f40e67867b8ca9c4269efaba12431ae59a1d54c671f38acb9e4fe3d23da54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
10KB

MD5
381d5eff7b5e517ff9a68fa7792dd144

SHA1
706daf07baf9b36e7ba3b993025c003540757298

SHA256
20666c5a9ee096eecd80a108ba5a300b8ebeb7c7821f52ef353beef33e416da1

SHA512
3704a1c902495bf141a93dec5737be7b35b20b950ac89debb0cd9ff299516ebfdc06f98c3b57926f98165b13f3513f9a461f3bea80eed217a2362daf856d6dd5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
269KB

MD5
154afe311b6310dec3170ad3030dc9b2

SHA1
3670d3a6a62f2f872b58e3411208245108fd7006

SHA256
065210c149468d9efe7f117bd63cc5e3ea2549b605a70f500af7d80d1cecd8fd

SHA512
365e6861c5a370bcf7964e6aee3e731c3efde707922b976df268c92e5863118f432a3b47d7ab3bc71759e9318ea080f2ebe8087a93915b8df68ff7aba1c5ba1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
4KB

MD5
da2f5e9739ca19f76fb8b8cf78b97d0b

SHA1
cdc4f326257c0ddcda19f1c4d8bc7c620304edc4

SHA256
ebced89cd851b0e0b6abda85b5f0710ae68f86d00ab134d7f221abb71a867517

SHA512
a431965b78b2dab8a9daac3655559bc14d54ab2b00ccd8d8f74675a8719f001ff87e49d22bf3535cca9bd7a9af59e8ec61e7df27a5769a8f73e50a908958a96a

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
6KB

MD5
618297bd414286dcc3d9b3bf93aa1032

SHA1
ed6513c7a0ebd71b0d953e12a52d832a77e8f4d4

SHA256
d2913464e7c5b07357b02367bdf68e27d8f45030c0c99d1776ac79adb5d8b3be

SHA512
4db11fee8a83fe9c6af32197125405068b947e8dbd0a05e84b94e50b5ca1c68844dd874d7881cfbb9d0b991800402d5dcc2b34d0fdc8870dbb87cbc2e6a93b8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3912_1858106830\CRX_INSTALL\_locales\en_CA\messages.json
Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3912_1858106830\dd920f12-fb41-4bf5-a6cf-b850be401fcb.tmp
Filesize
88KB

MD5
2cc86b681f2cd1d9f095584fd3153a61

SHA1
2a0ac7262fb88908a453bc125c5c3fc72b8d490e

SHA256
d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c

SHA512
14ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986

Download Submit
C:\Users\Admin\AppData\Roaming\7b5f967bb3e2edcd.bin
Filesize
12KB

MD5
622f564cb13ce7754fc0966c49d4be08

SHA1
7d95a1b68ecc9806e8100520a11abacab18858ad

SHA256
0997c20da9913670ca6572b65af0022f141645f0a7e37b95c9b0aa093814c991

SHA512
d899907dd5e8656126cd567687c2c2c48c6241ce083cf8190fb2632e221a9eb3e75b600a8e689ec7764a5c9fad4b141425286b6eada4ee4ec2473758d9a3b934

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
fd0152a10f808ded7cc7d37fe926a322

SHA1
f9f3a420af1b12db1d941ed00ff84032928bc954

SHA256
a0a548d413bde50ae276d1b672af678b2e662b27fe9c5f74d571dd935f94b6d4

SHA512
be9d0684d0e330f4272d47f8420c8de4c403cdab97c50c51b5207867f4caa30fd0450a43e80cb84cdd1447f0eca313aefe6a098d1b5a3f4c5605c42e9d766d0e

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
b3113c384b701a0f5468c7c98b0917f2

SHA1
c51190e129ff413f2f0c41d1820d715c1f6f3330

SHA256
ca786793e6e3138191820e4ebf50c31ee575487dce2e86a86a59389c888342e4

SHA512
342ab27b0e63563dceebe55b23f183dfba6a56c0468ef336aafdb5089ed2407f13224d62131a91264e2cc9fcd12473db9f6eb9b062de5aa618e45ed5ed222bd9

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
41c2e67974d90a2cc0373f0064161f5e

SHA1
6992812efad04c2023143575989485e36cf055cb

SHA256
35ad6fe52cee1e2f2bb0795a97cb6568ef63ee74a698277a3224a72549febaaa

SHA512
7540aa6970b4790d8c4aef4e1151058f2332c0765d8e678691529996c082c5999f201b9f0833b1809b0796e56f412b603bbf231a36743e0094fc847df87f511d

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
b02a92a0cbdf3f920a26a025ba4a0edd

SHA1
fef41007ec6ca4a7fcf3554fbac27f33e0cbc217

SHA256
6ecb059c9f84628b40fa35e9e15747ca321c3007327eed8d2964082f95fb8b62

SHA512
b4a1513d0e873f363d29c40cb9edc8c2199d72d138c756f0d2469b0f3108771881c939c5ad2f33a42390cd55708442cd9beccb7a1b10507990120d6c194a916f

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
5d50115d1eb810d3e2632c3c27b6628d

SHA1
1bcf7390ad4c0b85282f461c8a9ec1d39bee4fa5

SHA256
d7904836477ea7f0f1e7ca57da6aaae99923f075884c5f3b740f256d10de9625

SHA512
be0d5e005464a4f46cb9d2fa3401cc894022d352ac1d5d988b51ed429c754860fd2c6fe8f693021ae4bef72f8142a343f3f08734958a4ae1e5bbd26c1492dfbb

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
5d626b616c6225e6e38887fa1820445b

SHA1
018905dfb343c77a020bc290cb8d20857d24b1e2

SHA256
9a459db4fa7fb835346fd511a57d90df6055879452652898f0e0abc49bb9255b

SHA512
4e59c51624e7dde31b53c4fdde88406ad83209c2788bd49ed8e24d9063de7efe480bffcf70ac88e67dab915d34d5572f1b168a6a0d68ea3bae76a077fdd00d05

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
c6dc5c72afb09aac3f7aa4907f1870cd

SHA1
33b62b77823e2b7263c7b66ebbcd1537097943f3

SHA256
be07ccb6192b52fb2a0db6227c9748f38587f6797296d23f6b145d3e5a9363a2

SHA512
06e7d60042193296920cbea382e4cc8ffe5de14da4120a9a2a75cadb49a073933bb6da06c96686d046d5b57ae84b5d6aee528d487d4014b31b4e7cde02cced71

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
4df502c1e5000a5b6dddfbc55df64bf6

SHA1
8359c7be34f092c3ba6d5b28c804b3bd5f2bbd59

SHA256
cdffb8924363967be56f33be4ab3ccb9981a66afe4c3b4dba045586c7236ebf0

SHA512
4ac23a5c4cfd44381991b94fee868a07b5d4c4b428632fc6fa666b951f6e12e088f5b10817be9e7b32cbc3eb8076f7d49eb22ba86c097c0e9fe62aa0b389b144

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
04196085cdae096f4f77edd1c7160d67

SHA1
0cc1caa5ba26bc4871c7655aab4258cafef44347

SHA256
8f21fb1a83d1fe5ad05743dc43ca2189ddd4729d871f1832d12e71beeb909d65

SHA512
01c4b577dfdb23e3165e0629295df847f7d450d293fb81d6ad5d31b062dea6a023f18d4bdc5da711546c02ac84a5f6e1073655beb3adf1f869ae1b34dac868a2

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
4924fd4fe73674fab008346c2316e3cf

SHA1
f3d8a7380ec2bdf7a4432e0506c68c2c96e1be71

SHA256
14fb7edecd858bb3d44bb41282766b89588ca49f2a9876319f90a523ff578a06

SHA512
863928b6164d9b36b47538ac256c759a88e5797528d559ed20bae81abf88d60e81f390ee2492355ef5a28cf549a94a3bc4f8ebc77755cd6df776b60455bce45b

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
10808c02b9f254d09f179994f266b0ad

SHA1
99e70e0db0cedb367dcf8ec7cc0525e065da71e3

SHA256
5cec0431ce44258407cbf5a21923eb1c73fb7d97220677b537a857e3d8ada53a

SHA512
eb6e50a4956c649f7cfff882da13e0c1d17031f2ad629bfc7a706417aec6823e5716340ba18524b777d03ea6d7e2e2e8ddf6a9fe075e668f20e0a21634b84fda

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
92f95ca2ad902e52f7ef58bddeff2a25

SHA1
cd5e33952b61edf9f15be23e14c9410a6ee04080

SHA256
e3eec7a425cfbf90a4794318edd433255540c436e6ad373c0ff05f61657c2586

SHA512
6ec752e6b3eadeb62ce0cc592c38e1d4ad64f871d03c6080bbb0f81b5002cf1b118740c0a4bffb4e245e5761a8e0b2cb97f3ab7ca20aa3d4d5638af1d6bebc9c

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
fd99dafb88be0793f1ec1a0fa20daa2e

SHA1
23776251683114a643d07fd89b785fde028ba485

SHA256
a7cef0644bc05eba67b63031a5742e4811dee593c04fa592c5d2286d04fd9708

SHA512
43501693756fac1dc10dbbde902c791c19f1f13abbeab3866324d85ff2df2a404195c17439785f64ea88577b79d1560d53957378bdd57384a853e25baa379992

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
999cd1db88c95042b840ca652c9aa3ef

SHA1
fcf28f4314f9f80e28b812f7d7f7ad384650b44f

SHA256
2631357db64abacb7b3ada4a6750006433737c6e00b30b3c0d0044932f224bb5

SHA512
716ee76cfa52a23da886cdd9f5edf122358f02096f20fde6c9fc77f89ed5dfa1d46a17741386293efbf054e35625d3f4db5d159bfddd79dfa12637c4de8adb1b

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
169815d101bb8a47c0e766254912d7b5

SHA1
4a9ab789ce0df59ae86f463f35da1066d0aa8ca6

SHA256
052637c1709e461e1f58c20ac16632552c2e6936a69d5da2072cc8169f7bbe59

SHA512
de831e70671d5d6e114b1a0f691dd105dbe9a2755a17477611fea480b186ba5d61847dc9b60d499afe423c47e75710649d09c6498cb0bfccb67aee84e402d699

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
5650de8b9ee9411a2351685f3737ef04

SHA1
5f3f116df68954b245f50fccdb778d94d7d0215d

SHA256
a8247e6e6a7e323c9e77e080ecaf771c3f70fe0bb56d0d47b6b6c3e5a7d46039

SHA512
32863213c6132832a82312970fe09a029c1f6061fc7768f18f8bd2331edfec3be49252ac14097a5d3539931a7804399c035381bf42863407f49f4d855c7c8845

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
20e712826ac562ec64da4f9fc6edeec6

SHA1
592a98e729aca7a70fd683c25d6b1afcd6f47219

SHA256
773728f22a651ce23b9c3cc6b4ff473e6f0c77fda69b63bb4de309c85a0173d7

SHA512
06853017c31924f5248b16cc165d810271b7242a481315eb7fc2ccd03da49ec137ab696fe53ab653e52e46a26f0d9d6fceafbc8fb9a5150572534c1cbd3e8272

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
9cf151e3b83fdc6f46f248653ec62f65

SHA1
77a0ce3b19469a88552225e98abf1886c61b02b2

SHA256
97b199239690f15809a01b2dc658534ce5bbb007925057583894f85e38c5641d

SHA512
3ab3feceb5cb5ccf75a55bd3dfa15133a7b13ebed8b237245437f3b3c356f7ffb420696a93c08eecf9478ea3a8f2be6bdaf7615afc568bf8bc0e415c337937c0

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
0e1a0df5323f02fa141b11070035f203

SHA1
4662c48107aebe02429f78dc0ab4328f88ea9e8f

SHA256
169bdddd028372b9c8dc1bbc8bc1a48dce9089467cf7c3b5967ebc20713b1bb7

SHA512
5ef418e1f48b459f21f15f8462fceebbe5da2e16ff4cd02a614a6a508c1a9e28527c0d0778840600c85ba60d412de91e754b3aa0173ac4db70460367a2abc6e5

Download Submit
\??\pipe\crashpad_3912_XSCIQMTGYJVOBWVJ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/492-120-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/492-114-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/492-113-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/492-340-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/492-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/492-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/948-167-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/948-43-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/948-35-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/948-34-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/984-97-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/984-89-0x00000000016E0000-0x0000000001740000-memory.dmp

Filesize
384KB

Download
memory/984-100-0x00000000016E0000-0x0000000001740000-memory.dmp

Filesize
384KB

Download
memory/984-102-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/984-95-0x00000000016E0000-0x0000000001740000-memory.dmp

Filesize
384KB

Download
memory/2296-6-0x0000000002110000-0x0000000002170000-memory.dmp

Filesize
384KB

Download
memory/2296-9-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2296-23-0x0000000002110000-0x0000000002170000-memory.dmp

Filesize
384KB

Download
memory/2296-0-0x0000000002110000-0x0000000002170000-memory.dmp

Filesize
384KB

Download
memory/2296-27-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2964-354-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2964-152-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3000-59-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/3000-58-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3000-107-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/3000-52-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/3000-109-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3440-10-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/3440-19-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3440-105-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3440-17-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/3664-22-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3664-151-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3892-451-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3892-351-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4012-106-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4012-336-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4084-350-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4084-130-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4084-131-0x0000000000C20000-0x0000000000C80000-memory.dmp

Filesize
384KB

Download
memory/4740-212-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/4740-64-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/4740-72-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/4740-70-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/5152-309-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5152-428-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5168-372-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5168-539-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5316-182-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5316-361-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5376-190-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5376-370-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5556-387-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5556-206-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5632-433-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5632-337-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5648-213-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5648-391-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5756-341-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5756-347-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5848-355-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5848-473-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/6048-358-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/6048-492-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/6120-522-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/6120-362-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download