798965061d73a83305418cfd1ae44da0fa9291989d5c4f30d62d979cfcdfd5af

Analysis

max time kernel
153s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 16:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
Size

5.5MB
MD5

814e8cbe828fa002b4eb4ef2918ed15e
SHA1

c51b7075c0bc9587f5f4caff370572933e232b06
SHA256

798965061d73a83305418cfd1ae44da0fa9291989d5c4f30d62d979cfcdfd5af
SHA512

c0165d3e5109d799e01ea2a7f058c15a33d52e8acffe2117590af46da3ec85bd254c886426f938839d16f7eda3488c7f5e330451c0b86cf77a81075d86b890f4
SSDEEP

49152:FEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfh:ZAI5pAdVJn9tbnR1VgBVmSEnW6at

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3852	alg.exe
1736	DiagnosticsHub.StandardCollector.Service.exe
928	fxssvc.exe
1144	elevation_service.exe
4176	elevation_service.exe
4936	maintenanceservice.exe
3644	msdtc.exe
3532	OSE.EXE
1980	PerceptionSimulationService.exe
5248	perfhost.exe
5280	locator.exe
5364	SensorDataService.exe
3232	snmptrap.exe
5140	spectrum.exe
5868	ssh-agent.exe
5952	TieringEngineService.exe
6092	AgentService.exe
5152	vds.exe
5288	vssvc.exe
5424	wbengine.exe
5852	WmiApSrv.exe
404	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exealg.exe2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\88ee9a8eb3e2edcd.bin	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{1342F81A-D5C5-42B4-A5E8-933F7759DA30}\chrome_installer.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe

Drops file in Windows directory 3 IoCs

Processes:

alg.exe2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exechrome.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000ffd1548f7adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b7cbe748f7adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000011a13d49f7adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eef9644df7adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005d007e49f7adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008a47734df7adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

chrome.exe2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exechrome.exe

pid	process
2252	chrome.exe
2252	chrome.exe
3248	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
3248	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
3248	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
3248	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
3248	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
3248	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
3248	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
3248	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
3248	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
3248	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
3248	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
3248	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
3248	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
3248	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
3248	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
3248	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
3248	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
3248	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
3248	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
3248	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
3248	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
3248	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
3248	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
3248	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
3248	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
3248	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
3248	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
3248	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
3248	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
3248	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
3248	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
3248	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
3248	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
3248	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
3248	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
5544	chrome.exe
5544	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

672
672
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

2252 chrome.exe
2252 chrome.exe
2252 chrome.exe
2252 chrome.exe

pid	process
672
672

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exefxssvc.exechrome.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4820	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
Token: SeAuditPrivilege	928	fxssvc.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeRestorePrivilege	5952	TieringEngineService.exe
Token: SeManageVolumePrivilege	5952	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	6092	AgentService.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeBackupPrivilege	5288	vssvc.exe
Token: SeRestorePrivilege	5288	vssvc.exe
Token: SeAuditPrivilege	5288	vssvc.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeBackupPrivilege	5424	wbengine.exe
Token: SeRestorePrivilege	5424	wbengine.exe
Token: SeSecurityPrivilege	5424	wbengine.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: SeShutdownPrivilege	2252	chrome.exe
Token: SeCreatePagefilePrivilege	2252	chrome.exe
Token: 33	404	SearchIndexer.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

chrome.exe

pid process

2252 chrome.exe
2252 chrome.exe
2252 chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exechrome.exe

description	pid	process	target process
PID 4820 wrote to memory of 3248	4820	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
PID 4820 wrote to memory of 3248	4820	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
PID 4820 wrote to memory of 2252	4820	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe	chrome.exe
PID 4820 wrote to memory of 2252	4820	2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe	chrome.exe
PID 2252 wrote to memory of 3032	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 3032	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 3636	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 3636	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 3636	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 3636	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 3636	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 3636	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 3636	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 3636	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 3636	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 3636	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 3636	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 3636	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 3636	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 3636	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 3636	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 3636	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 3636	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 3636	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 3636	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 3636	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 3636	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 3636	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 3636	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 3636	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 3636	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 3636	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 3636	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 3636	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 3636	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 3636	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 3636	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 3636	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 3636	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 3636	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 3636	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 3636	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 3636	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 3636	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 4732	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 4732	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 1568	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 1568	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 1568	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 1568	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 1568	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 1568	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 1568	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 1568	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 1568	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 1568	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 1568	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 1568	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 1568	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 1568	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 1568	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 1568	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 1568	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 1568	2252	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4820

C:\Users\Admin\AppData\Local\Temp\2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_814e8cbe828fa002b4eb4ef2918ed15e_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2e0,0x268,0x2e8,0x278,0x2e4,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffce9709758,0x7ffce9709768,0x7ffce9709778
3⤵
PID:3032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1860,i,6897255737341740502,15408029228962744247,131072 /prefetch:2
3⤵
PID:3636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=1860,i,6897255737341740502,15408029228962744247,131072 /prefetch:8
3⤵
PID:4732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2188 --field-trial-handle=1860,i,6897255737341740502,15408029228962744247,131072 /prefetch:8
3⤵
PID:1568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1860,i,6897255737341740502,15408029228962744247,131072 /prefetch:1
3⤵
PID:4972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3084 --field-trial-handle=1860,i,6897255737341740502,15408029228962744247,131072 /prefetch:1
3⤵
PID:1408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4556 --field-trial-handle=1860,i,6897255737341740502,15408029228962744247,131072 /prefetch:8
3⤵
PID:4072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4716 --field-trial-handle=1860,i,6897255737341740502,15408029228962744247,131072 /prefetch:1
3⤵
PID:2364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3736 --field-trial-handle=1860,i,6897255737341740502,15408029228962744247,131072 /prefetch:8
3⤵
PID:560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4908 --field-trial-handle=1860,i,6897255737341740502,15408029228962744247,131072 /prefetch:8
3⤵
PID:1268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2648 --field-trial-handle=1860,i,6897255737341740502,15408029228962744247,131072 /prefetch:8
3⤵
PID:1156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4576 --field-trial-handle=1860,i,6897255737341740502,15408029228962744247,131072 /prefetch:8
3⤵
PID:5352

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
PID:5412

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff622517688,0x7ff622517698,0x7ff6225176a8
4⤵
PID:5432

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
PID:5472

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff622517688,0x7ff622517698,0x7ff6225176a8
5⤵
PID:5496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5084 --field-trial-handle=1860,i,6897255737341740502,15408029228962744247,131072 /prefetch:8
3⤵
PID:5624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 --field-trial-handle=1860,i,6897255737341740502,15408029228962744247,131072 /prefetch:8
3⤵
PID:5632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4948 --field-trial-handle=1860,i,6897255737341740502,15408029228962744247,131072 /prefetch:8
3⤵
PID:5720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5140 --field-trial-handle=1860,i,6897255737341740502,15408029228962744247,131072 /prefetch:8
3⤵
PID:1020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=4920 --field-trial-handle=1860,i,6897255737341740502,15408029228962744247,131072 /prefetch:1
3⤵
PID:5660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4544 --field-trial-handle=1860,i,6897255737341740502,15408029228962744247,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5544

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:3852

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5044

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:928

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1144

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4176

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4936

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3644

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3532

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1980

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5248

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5280

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5364

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3232

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5140

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5868

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:6056

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6092

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5152

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5288

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5424

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5852

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:404

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5620

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
2⤵
- Modifies data under HKEY_USERS
PID:5752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3460 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
1⤵
PID:2040

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
Filesize
2.2MB

MD5
b973226af2e98b7f25df116460c1e89f

SHA1
01d12b3855b69d76efe34edca87acb91f0eba0d2

SHA256
e8fc36793386c172afe7675b1d34c8e8f439f8e3ae6fc1ff2882866840ff8670

SHA512
0a663d12f4f6ce3fe5077279794a77384e4e07cf22ee158e4b1c99fe53a9766699c82117cfbeed566915f375189b8ecf68c065f66f003f6a69e58694653db988

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
781KB

MD5
c4396144c68a4d6ea1c9510ad38b2f9f

SHA1
afd26fb7adbd1b720ac79b837f44c6bf98cc8bf1

SHA256
88e55b85f691b95366503f6aee2ddb02acc51417d675bfdf853b8fe4ffbb5cd7

SHA512
354bcdbe045fe30b8ae794a3976a4b4789e4f51fe67a37c9279ce845c8778eab2ab92e7def850e4567d23edaf5d9da8855df9fa81a9867034a2470d13bab5426

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
82ea8f0c9a16b063c4e6a1c5747a1595

SHA1
c4d96d13809fb7e84054586bb74594481df55916

SHA256
c99387f811f812e6d28695064dc67cda2e19ad9b1b004ee93c330a06bb88bd92

SHA512
919e20bfd530b325e0d281cf28b509bc9a86fc87a909c370022e5ca920aecb1effddbbddac6d4728845054e8258ce3dd56d4201032602754837c91992b6dafb7

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
ac95b10755c59913a8e7aaeb64d45476

SHA1
cb647e847e21d9a50c9613a709747b0fd69d01a1

SHA256
8f441a1fca27d4baddc31f9196b1407587661b0ddfce78af3745dad2bd2bd2a3

SHA512
0651a5b1fc0b0f661ed2d75a52701510bc725ed9bd8e9e0bc1c5cf9660eb4f76c4063594bf7d5ec604c5db476ebb091e819ecdf2d8469cce0496aa858925e9b1

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
c4ccd024eacdf701efd87230730be997

SHA1
b78ccb10400f5d30996fede7dca72ce22d1fb2f8

SHA256
bdb2a95f6134d74f2fa70fa1288eb40ac659ac873571275da6c673a7dd289f4e

SHA512
bdc75c8733275328b27e2474deffbb8ade4bc55d17f83c72e732761b221154523ab96dd9e1c2a8958657f527886b4ba2a01384a4ad9e66ba9478f5352f982eef

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
7f4b51af3057c2abe0d77b1e88a2b804

SHA1
0197e7c2060f3a4a0788be7206a8fe45ec25182a

SHA256
7a6d6af313de037dc108bcaf87b52599de536048b37e1e0324ee5fbfcf4ecc31

SHA512
e0660586e246d68caa8eeb9de9cc74fabeae0e1b48c2b3d94560d5e165da9090c15736848de42840af996c57c666c757980bb55d654a7ad8555fab39210dbdb0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
3faaa7bb55de6a828b54c2360524f8a7

SHA1
ac0897b2a9e89763dcd485c7c679e19c5c698763

SHA256
98b57600e742477ed4ad216128dc3166c932bf518d5cf413db64b815a568b14b

SHA512
040cdaedda09f302d51c0de0a0d3a55c653c65003a5bfa9ca3bf37046f2d938cbe51a2a6cf79b273c45fc2f4abbc6296f7885f7604d95e425bd939d383e859b7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
7e71cdc7aa925a4e69588e6be610cc2c

SHA1
d535abcfe0d7089dac75bd6443fc79ebc7990f11

SHA256
9f53502a8516db34d41d8cb1017a4b59cc8f81331391926c944f0efcca4dedb0

SHA512
74bd47730cae283025bc4714fee76d79b1f83eae29bb9c011ba1745b689fec2433d7d0b1957dc2efccc946376f4d4d7babd82540d71f040ebf0fde27dbef93e2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
93543403ed43b31b5ca8a3b6060940c6

SHA1
e92f878dbf70cdf78bd27e1feab1d9f9b02dd79e

SHA256
8b32a64a8c6662adff67fe1d106f884a932a09017f406bfaaa2f84ca9faffaac

SHA512
2da27ee838e03e8369cdb34486dab67944d8c59476541eb4c449d3f6955d4e3dfc42ad51c1f24d1e88de74ea06f1c2b4212b0d9aa0595e066144083f2365db39

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
cafa1f707d865c04f0af685591fb3622

SHA1
009ad695d7068b2d15f32e77f6360ff64e4b0c8d

SHA256
1ed7e4bf8405e55faa0461eb98064b051619c4d686ff6718e9a841dd3469b636

SHA512
7a0390c13444f83234473ebe26e5dd00d2f2878e3a3dc3003402e78f3d37501ef09f6964aa3bb7099ef5a5df90eeb19fd74b1bbf869a193307e85d68bee74408

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
2.1MB

MD5
bc7d8b2737bd8205b9146048f8c7ed00

SHA1
07f22f774690329851573955b1cb6450fe5b7db7

SHA256
d71290e5b8ab6548fc4e76b6e44a8b3b98922315a71dce980c3322c0cf5ff289

SHA512
03ad44a4706466234ed493450a0c44470bfc337ee698c66dd192ff1da673ca1752895ec1bfa0f6266dffba3d292fc1153c646f6f5150cd9847bafc7a7d14c551

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\20240524162650.pma
Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
6e39765bd72ca20369dcdf79c2446fea

SHA1
852b7a987d469b1b7422a52d8efbcd94c823c76e

SHA256
9cc89cf62f1ee2a3251f996009adf355bffc53c815fcfac90ae3ca6fab070c1e

SHA512
d96853af46a8468a860756d9fde6eba94f63d3539893b76255f91d4f4c2193b7b3cceda804c6246498aac6e038d5d6c058aeb2b90b28e656d885d20d1d9e2b91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
85cfc13b6779a099d53221876df3b9e0

SHA1
08becf601c986c2e9f979f9143bbbcb7b48540ed

SHA256
bd34434d117b9572216229cb2ab703b5e98d588f5f6dfe072188bd3d6b3022f3

SHA512
b248162930702450893a112987e96ea70569ac35e14ef5eb6973238e426428272d1c930ce30552f19dd2d8d7754dc1f7f667ecd18f2c857b165b7873f4c03a48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\en_CA\messages.json
Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\dasherSettingSchema.json
Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
12cc2b325d088c33d8e16131fb0202ec

SHA1
c3f93b7d32b13e48c9614f946752a6b5d2358a0a

SHA256
bc67f741317173e282c5d97c7b85de06b032bc424c9f77f22ee2902a2b06089c

SHA512
57885007a83d4e6eeb29dd95d6a564c3afd49c0a70be8f9caa7f2d5791920678e3f03660cdd4d258d1fa6e3cf29df521dd01a531e0fe34bf53028d53392e7e06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
369B

MD5
ebea724c473673d7e864c55bf2f1c5b0

SHA1
fab5832618da66d926a7ba52c9bd49c1140dd188

SHA256
de2d9c227742d6d35ff58ef11da1d41ab8571aa3763bf8727e9afa4c72a421e7

SHA512
4b0bc9208e5364913801e648e52031dc66f89a93e3d91170fb69b716c7b91635a0cd689c89f22fb245b7485ab828868117e2b23a0442fac0d8efa674681b8b33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
dedc7044bb98af09c20ef3ef7afc0db5

SHA1
2840ec422e234d86f214c10f67a7dc1b9d801a46

SHA256
c664a989ed1729d859f9b8e907b0b6c85e7f38dba4b611b187a417dcd2520399

SHA512
e20dd45901d35025bca3e0cefb28884f461277c6c9abd032499138b2b772f366a997eaa5736c44a2df55da3e2eb0a23809a69541545fd84ee8d004b2d6aaa654

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
7acb56f03e7443f10383de81f379d55d

SHA1
f9832f3671573cdf8de3701f2792920ff5bd74cf

SHA256
3933dd158b656cbe5d83463c54d0fe3bc86d20b1727f03015e64481937f2cf6c

SHA512
2ee628bf2c53843db9a78afbbf8fb7c01227a33cdc1196dbe989343919161a9da4ec92c83dfbe0d17853e8953858952bf3a420aafebb43fc1110138272123957

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
ba0dd9855082861b513875a59c1db71c

SHA1
58575eadb815d3c6cd241e37470f89ff707230f0

SHA256
31ccec5f979688bb830653466e11e4f52674aa5ae536930be2a9ffa33aa9094c

SHA512
95d141cc897da08c391ff900810a1c2fab9ab8fa3a68d09f4e0e20f4a8630edce4496cded6730b66ec6f246e3d943e0e8a1f88009b71c1de9fe30470d869c869

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
8f14f972d49b04842c4a7db83bc1b942

SHA1
c5068fd65df8f8ca2409d2eb2aa0830451546f5f

SHA256
d113be154c9abf7a4529413fd810879dc59c012e78f1af87882c525a05d9d3d2

SHA512
4110ffc77a85051341784c00a4ffcaa61490befc4ded452bd89c10136f815fbaf8f69e737ee24295175e30efef88cccc8b1b842a0bec512b4129eced1734d279

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
49422b395b52f049823287defbee7155

SHA1
6c2cfb8a509d7f2c0ca4ad1b25b7a37979de95b6

SHA256
c2d89580512f3f9a3cff245272d334629f5d492bdfc57fcf3df265a50739e13f

SHA512
3d9c9669629b025fc7a5774fb518f03ce23c859ca7658550ecd4c9333e11a4621bc070bd208875a911b96049d86f456f8b0cb7b23a7f9e1dd9bd7fd606e8e472

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe584532.TMP
Filesize
2KB

MD5
04695aadffdaf28b5be826d27d48721a

SHA1
ce79df7c80926a86b0e1a922a05bcab16c7620c4

SHA256
0bc76b0a74faa8d4d25cfa28127c42750e86004af7a10d590e07a33a89726b51

SHA512
aa3438c4a09ea9c0c52dccb6cba636ac99c11b47a5b78317869823d6c39bfdfa304f40e67867b8ca9c4269efaba12431ae59a1d54c671f38acb9e4fe3d23da54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
10KB

MD5
51967e7321ae5cd8cc6e90ee77f2ecc6

SHA1
883427cfc6f706b04da82b965e93770331f63ab4

SHA256
db0a57b9bbdcc7480e94bff91ccc3df76e56e4c6b97efd7314593976c59c8656

SHA512
708f978115f901bf8da8b27176f1c1240a68d806d40f5e1c79c9975fbd0a1684f5de439645919e3beab0b6bb78c1d6b4ff5aa1ae89157fa85ba95aab5401b66a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
13KB

MD5
9a976817f331df7c76bd1d4972bb6866

SHA1
74b52c9ddcdef373ae5dca04db7caf046dfc0c49

SHA256
15201dd85e6ca6bc8d8263fa4e7d37bdf45c63e29ba782bcbf9619aaa99c1da6

SHA512
c8b54a6af385d682f45290e5fba32db59853aa50c4fa5f6b7aa125d8435ed3e026dd51e158f56d4f9edd6bfd9af4b62a27814390ef163a48450675a58b1b77e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
269KB

MD5
5cc9bcce51f913e484b2cfe6570a76b1

SHA1
f5143a5149265220caf5c2c46b6dfe847171ae71

SHA256
e76fd146adb3a71748e883a7c032b90ea1397855a048d0703c0313c5b62184e3

SHA512
2fab9afe47da2c3dd016afc44b476cbcb0e7563e0bf893cd27afa1485813e719554974a779fafb31da80d41540d9b14082689331f3d42a2522537e0187333fd9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
4KB

MD5
00b5201cf3472e609b7e0eb285b11813

SHA1
fe9dd500490dde41a877e9c971c6f0dd8674b68d

SHA256
9dd119a3ac97d33df6c5c59ebb3c17157165d07805b194af2df49962d09ec21b

SHA512
781a443a60e66627c4a79808967551b64e35d0aa5f5395a6be6a6a9163a76527f4f7b6eeb05f77bcc58d2375f1ef055f12664c624c37c26f8829f4c62616cd76

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
6KB

MD5
ed340358f38ecf29ac5bfc5a90936b39

SHA1
d94c573bb0825c15fd958520f46b8cdefc0665be

SHA256
04cd3d965fd578c150edaf3e1d47ed3cf318519d595a2ba06b8dc9c155ff4742

SHA512
ab212460876b0b5dd2a701518c1eb4bb638b858201454244395a6263f8a8580b925324c20567d8664ad7d09d374dcbba7d76381726f78bbb3c8d988dce0681d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2252_1546338173\396b3ea6-8683-43b7-b7cf-7e87e7d62754.tmp
Filesize
88KB

MD5
2cc86b681f2cd1d9f095584fd3153a61

SHA1
2a0ac7262fb88908a453bc125c5c3fc72b8d490e

SHA256
d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c

SHA512
14ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2252_1546338173\CRX_INSTALL\_locales\en_CA\messages.json
Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Roaming\88ee9a8eb3e2edcd.bin
Filesize
12KB

MD5
8601524eb42dfff16b81267051f17fb0

SHA1
e8b36a6b640a93bfcbfe05eaf9f9d0681216cd89

SHA256
36bf40b765d06a59f33889b7e4919a7aae7372a5ee8bf680a2a65a098177d4d0

SHA512
b15a23ac205f6d5bd6a676f685c8a8565a7990c989d82c8261bfa13022b41c860442ca069756a9da2895576c3e04fed85dad7946981ec9ab7db9ab97231f9768

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
9b8786281d2f0176a68bf285ed065139

SHA1
8deb1d84e70d6417c08d52fb9e2ad6c6d54ec14c

SHA256
ba377ce5b1784783d7f57e227a32703f2607d2be5d4df1a1c655bf494b2c7040

SHA512
b8f34af510fdef154283a55529ae7d214d28398e6868b2978b3bcb562afb2fc2ffd6f9c327346accef3a7d0b115a7c0b0c3af264b3a24f8295631ffdf61831a7

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
2af79c0e2bc8c579540e7ecf112b4a46

SHA1
31fec088310a60b5738e31de794350fe45382f8f

SHA256
9d9340c97ba987c9d937d646db235dbab7f13d51fe7afd16b88bcf6bad4c5a15

SHA512
fab1680bbcd4b099378c784a5746451798e7ed3aebc18dd822adcabb5cbb21406700e487a8fe938ae0d0715cf8c3ed90e0071614a33c47ac929cc1f1eaa703be

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
fe7596e1a847522bb93649212d0926c2

SHA1
d833c43a7b03f0fd034f3ece3b94ebda7cbd5bd3

SHA256
110cfd58e30b3d2a3c8b5657ef9ec50ec0178912171324c5f422ee3167637aa9

SHA512
379cb349cc264f91c1b905d085f643c494e5cc2b77ae3fbac7c60cfdc9acc2ff1819a5f1abaa17e6493b77f38832ca925ade86685a85b4bda1ce2fe40c3fe357

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
1e01acf9824212b5c10d827a2b6eaf1a

SHA1
1417d0806fb2a8a4f54644d72b28c407a10a508b

SHA256
dc37dcb1745114f25d259df05c7da7a01ffa17c54bdeed324c2312a8b112143c

SHA512
e8b96f85e4b2ee67ff7536b6e6463a543beca630e406a09a273c01515e6d28dc949ded96d7dcd9b62f57ac01069a0d529e0e83d389c7f514456bc8399248a942

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
45b00f5fda9d1943ea7c530ccff1c305

SHA1
ade40837e1bf3a25c6e487931f43ff961e490e42

SHA256
d6993ed97d1e40476d5211c096692f5bb36aadbfb206afc96c922d53b8fb0046

SHA512
fa55dc7abf3243e51fb47bba2b55a9089dc9b2b28335af43a17494d000e953da7426160465b500da36abfd28e6d5cba54074052c99821a37343ab7e9a93d6c43

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
c4c0b86a44b01653bb18cf8da01c6394

SHA1
6de80e65b96abdb02415f309b4db5d9fc9242ccd

SHA256
f58a70cbfde82035aedc510dfd1bb8acfd31a95418855b758ae73162da831398

SHA512
b77806686f4d0412cb69e5f14e4c0c5c1375597981267f16d1505c69190c0e17ab9d5d1e734a3d1d3889188b6ec45200d5e529b59da79e373af4b20c902538a3

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
68edf1eb5b21146fff265dc5f98512d7

SHA1
4149d85d7212646e1898535149acb7755de51dca

SHA256
bb509da97b1754991058fcbc6e934c800935bb73a2f205f8de312c4326e46a22

SHA512
9c1917201034cc0fc2696bb2f677947a4e23bb6c9cbd9a965e16eae7e976c41f81d673c88135477a6fddb07832822c00e6128bd393881cfcf795cda019b3edf8

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
6f9e9b68d8c2e34cb009bc29b35af66e

SHA1
912f06b3daa324334dde37baa165e825477fc8a8

SHA256
bce070eed33797589abc597aebbafdee7f96cb961aef19e160c1cab079d1da65

SHA512
1a098309c8614a725e080705d765140c2fa7b45b214d9bb5ada133072ce8bc9d03f57990ef3153e04a5aea0c174df93fccf95c84273cb0fcc2e5af0f44933fcc

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
f95825b1d382ec4bfb4709c49f3314b7

SHA1
d656e95830a64dde6e29fda3d5555f45bf08079a

SHA256
8be39799392654da1241622a8b93d33b13f210f729f069fd2be15d7849852b22

SHA512
4481a348aa445d9a32a527e02b272573b68d0b40938811c06625a9608f1ed87cfd8f600bfdc0e1cd7677e1152a93dd9bf274eb5d87a5c6365dd5584d95a90368

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
4f9330226e17c268778b1e88675e3c21

SHA1
e752ee5fd8690ef91a146c5d1f7786714fbaa1c6

SHA256
5aa127509bfce8b561ef14e8f408acb10fa14c44fff8fc97fde4d495d8d29906

SHA512
74aa13aceda8ddc443978ad8fd809510dfa4f9e6463fc0ce6a9c43ced4eaff97a34d006e72bc994b980de8f00e109ed6eb74c8a191818b21545a63684145211b

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
f9836ba309d57d442325c1afc061d512

SHA1
d5c6411004c984466fbd2231cad85d386af2a140

SHA256
f80ee1bde652fff7b79166912952f16b79e25587c791f7849e2b10831434ed4e

SHA512
0c295ae79784a51bc8d9dd1283af973515fe7be20f33f4bd7205a073a001ed0940673607feb0daa61fb61f5129d5584929a737b3bc573fffb84f99b158620f32

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
8e31f0bb0adc99fc2fd366d14792e8b0

SHA1
a96aae165f837401a9c947d3e2ae1a343fed4afe

SHA256
999f419c3b266dcc221e7f77415ce052da6b064eaf00016ae10cffe08f32a83e

SHA512
44a89e3a09b1acf8f5590cd1747a04579453aa299c2606b9bce014d56e44502f04aa502181377d4f8461dde4f100fbeabcb549a51e3be951ba77ca1cc310f15a

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
9134eced357626f742e6807f67090833

SHA1
5dcae27cc4cff54f7291d946a136c7eacfefb051

SHA256
5fd05fd483456c5623f48a01c0edaea8cf48cce07434f67c2929a8c8f30732aa

SHA512
e29fb7f19f789af11cda0c2dcdb34fe2148e7832908daf0a4ee2c59c8a10473aa7e26aa0eccc13ce50d7b342b43fe1aaf32adaedc03f95b2f168203bf409938e

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
75417677c420ce8d7d7c68f22283dbda

SHA1
58c9c7163ffa7c0439e45f008690fe774130ae89

SHA256
06f3b9e72474bb5d150838a3fa4981593fe283ca2b73319a8cbf8772842277e1

SHA512
cfb42e310928772cba8909c4eb573d84081ae6daf7ed741c033b7094f18dc98ffca7b1f1d26e3d814b5cf75fcb69ccf307c2e7883b4aed008594ca7d499e9adb

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
28fb0c34749475833c8186f9d60d557c

SHA1
f0476ccaa7ae9dc68d6e50f3001e494c0690c606

SHA256
80afabc3ca794d0eb43e578db7bf868a6cf079b681446e5ba32cbc559d355aa8

SHA512
218b4b46916bb53ac4e621db6fccc354b2cf9ea3e00da78d83a92773221958e14e0b9002129500f87a5038180e8ec86ed9c6e9678d08f9d72fcac11b0ec2cd07

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
e4bce9f82f9cef87edb642fda2fe585a

SHA1
7ced568b5b1a03c798bed49c1e094d4f3471cd38

SHA256
b8a180c54747528da670f1090261be1aa64771ccf1c56bc2e8f112004b0ef2c4

SHA512
603cd20842791d84115fd065e52ad3fd2384fb87dff254db4600a1a1f8d2926a3c7d21c4f803af9ae2dbe4fbe77ae172514e3b6e4521153d6acf7b593e89f7e6

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
54dc7d14a2c7168c8f42124464497d22

SHA1
5880fae05a96b0ac6185d5b01a86e2c647a88b51

SHA256
ea696ed82f1545eede6529f9f776106d8ae69d9ff548e2ebb9bd1668debfdd06

SHA512
a961f7f2d380f94a6486bb9b8e7951de58bb8461fd9f4d9d42f6b426eb8270353bace5eb12248dbca98d7c61e7c6645a4bbec592a9f312ab1852ca8858644a4b

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
1b4076e391f517362b46f58f14a23c9f

SHA1
c6009d76ddfadd621f17ca460f940bdecba1809e

SHA256
16f81997af468dfb7818abe2a26d099c5e71d4b9acf9c00f724517680bf3fa6f

SHA512
049ad2a539514cdb5a185325b70f6d7f691adc43b6e705e26620d3f6131cdde61dc734ac23a1ad00285bed22871b33ed421ec06b69cfe06da8cd7faa6f64a70c

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
0e1a0df5323f02fa141b11070035f203

SHA1
4662c48107aebe02429f78dc0ab4328f88ea9e8f

SHA256
169bdddd028372b9c8dc1bbc8bc1a48dce9089467cf7c3b5967ebc20713b1bb7

SHA512
5ef418e1f48b459f21f15f8462fceebbe5da2e16ff4cd02a614a6a508c1a9e28527c0d0778840600c85ba60d412de91e754b3aa0173ac4db70460367a2abc6e5

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
d4904b7ba70f38bd44c5a12d1736515c

SHA1
30e81ea3613685c76d3b9c4af62d9db61d78f55c

SHA256
3ea8feed5fd1f1de099e5bdc10cbdf87e112445ec0048daf9a5f2d0dba53be6c

SHA512
8f1f448f8fc1139c808564f6dc4da67e63091c7933c0e2bbe950d1e76693a0205b346d504055238f03b2d1d9d1fa5c8e909d1366c01be2d50acec81a10d889bf

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
076e948a3568a13be30619102ad72bc5

SHA1
6411d0b40257ea7e0f650063c947e3297ef62ed6

SHA256
0bbc2701960a7d0c7d6d81fc83e133b190d69850c80f4a4b49c994ba22b0e72b

SHA512
56c4847bbb3e41cecdbf12b46c3e76f196e1ea0f0866f4c41a3c9e9c2bdf5d5aa5d94a272a9f9b6a431becd0811381f03b816aa0828a028e583ff0b001a81af7

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
043b27363e9662ae4d2bdfbfc011a338

SHA1
6a6dffaf7e9bedf6915d1172af70bb9927163c88

SHA256
2ab03c0bd7febfffbcbffb35c3c38f32c5c85cd0d32c2889daf30ae81e3c8087

SHA512
2aa51e828d4667d4bdc2997cba334db5883c19d0ad09f4cc4cd78fcb1f9ae69976400f0eb345803ec3fc44be944f2c4146d33b3cce7fb3338fae4645b83b7ddf

Download Submit
C:\odt\office2016setup.exe
Filesize
5.6MB

MD5
187644314d9365e2838079d25fef655a

SHA1
46ff3c122d9b13363807e7493cdcac2e20020a90

SHA256
be7f6c12382e06628b61ad42b8168bacb4825a492f99a88745119cc8592c80b9

SHA512
0a47c52c38cd9941d4302386c80b04224cbe3cd8e92cadf97c52b7614b20268884aa57306cf7d272a9bd215745e2bb9dc372b8f8df4dceae92bd7130d9169a60

Download Submit
\??\pipe\crashpad_2252_QINBLOHZIRMZQBLP
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/404-484-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/404-994-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/928-69-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/928-58-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/928-65-0x0000000000960000-0x00000000009C0000-memory.dmp

Filesize
384KB

Download
memory/928-59-0x0000000000960000-0x00000000009C0000-memory.dmp

Filesize
384KB

Download
memory/928-67-0x0000000000960000-0x00000000009C0000-memory.dmp

Filesize
384KB

Download
memory/1144-92-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1144-98-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1144-86-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1144-94-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1144-96-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1736-53-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1736-180-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1736-45-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1736-44-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1980-166-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1980-427-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3232-357-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3232-538-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3248-17-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/3248-101-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3248-20-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3248-11-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/3532-152-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3532-412-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3644-400-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3644-137-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3852-41-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/3852-33-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/3852-151-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3852-32-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4176-103-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4176-102-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/4176-109-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4176-368-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/4820-1-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/4820-6-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/4820-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4820-21-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/4820-25-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4936-114-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/4936-129-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/4936-115-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/5140-546-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5140-369-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5152-428-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5152-654-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5248-181-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5248-439-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5280-329-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5280-462-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5288-440-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5288-803-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5364-340-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5364-487-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5364-481-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5424-840-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5424-459-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5852-861-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5852-463-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5868-588-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5868-389-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5952-401-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5952-633-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/6092-425-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/6092-413-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download