4b5ea3b93157fd7c04de9792246b45a99d9f6329c20228d07f9d985b55d9bee3

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
Size

5.5MB
MD5

63a71a22bb4218ca537ff53ce19979f3
SHA1

24c6223cc8ff88ce38f38c74052ae16a990e71bd
SHA256

4b5ea3b93157fd7c04de9792246b45a99d9f6329c20228d07f9d985b55d9bee3
SHA512

7c8685e3786d55c17a98936ca01b2509a21dca261867b3090539787383a5081874c8f322c0fb3f75938df54e98c26c24e8de823ba8d5274e8ee761c5d1d60a1a
SSDEEP

49152:LEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfq:XAI5pAdVJn9tbnR1VgBVmtTjYvH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
1076	alg.exe
5056	DiagnosticsHub.StandardCollector.Service.exe
5040	fxssvc.exe
4296	elevation_service.exe
2080	elevation_service.exe
3552	maintenanceservice.exe
512	msdtc.exe
3972	OSE.EXE
4948	PerceptionSimulationService.exe
5152	perfhost.exe
5416	locator.exe
5508	SensorDataService.exe
5664	snmptrap.exe
5760	spectrum.exe
5164	ssh-agent.exe
6008	TieringEngineService.exe
5368	AgentService.exe
5448	vds.exe
5596	vssvc.exe
5200	wbengine.exe
5228	WmiApSrv.exe
5484	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\df24b967b3e2edcd.bin	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files\UpdateResolve.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe

Drops file in Windows directory 2 IoCs

Processes:

2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exeSearchIndexer.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002605d9770caeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e54e3e7c0caeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dc14247c0caeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bb8b2b810caeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f70a577b0caeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004b6aa8800caeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000018cf8b800caeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d54763800caeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

chrome.exe2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exechrome.exe

pid	process
676	chrome.exe
676	chrome.exe
4744	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
4744	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
4744	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
4744	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
4744	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
4744	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
4744	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
4744	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
4744	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
4744	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
4744	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
4744	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
4744	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
4744	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
4744	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
4744	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
4744	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
4744	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
4744	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
4744	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
4744	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
4744	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
4744	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
4744	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
4744	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
4744	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
4744	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
4744	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
4744	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
4744	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
4744	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
4744	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
4744	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
4744	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
4744	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
6492	chrome.exe
6492	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

676 chrome.exe
676 chrome.exe
676 chrome.exe
676 chrome.exe

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exefxssvc.exechrome.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	5092	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
Token: SeAuditPrivilege	5040	fxssvc.exe
Token: SeShutdownPrivilege	676	chrome.exe
Token: SeCreatePagefilePrivilege	676	chrome.exe
Token: SeShutdownPrivilege	676	chrome.exe
Token: SeCreatePagefilePrivilege	676	chrome.exe
Token: SeShutdownPrivilege	676	chrome.exe
Token: SeCreatePagefilePrivilege	676	chrome.exe
Token: SeShutdownPrivilege	676	chrome.exe
Token: SeCreatePagefilePrivilege	676	chrome.exe
Token: SeShutdownPrivilege	676	chrome.exe
Token: SeCreatePagefilePrivilege	676	chrome.exe
Token: SeShutdownPrivilege	676	chrome.exe
Token: SeCreatePagefilePrivilege	676	chrome.exe
Token: SeShutdownPrivilege	676	chrome.exe
Token: SeCreatePagefilePrivilege	676	chrome.exe
Token: SeShutdownPrivilege	676	chrome.exe
Token: SeCreatePagefilePrivilege	676	chrome.exe
Token: SeShutdownPrivilege	676	chrome.exe
Token: SeCreatePagefilePrivilege	676	chrome.exe
Token: SeShutdownPrivilege	676	chrome.exe
Token: SeCreatePagefilePrivilege	676	chrome.exe
Token: SeShutdownPrivilege	676	chrome.exe
Token: SeCreatePagefilePrivilege	676	chrome.exe
Token: SeShutdownPrivilege	676	chrome.exe
Token: SeCreatePagefilePrivilege	676	chrome.exe
Token: SeShutdownPrivilege	676	chrome.exe
Token: SeCreatePagefilePrivilege	676	chrome.exe
Token: SeRestorePrivilege	6008	TieringEngineService.exe
Token: SeManageVolumePrivilege	6008	TieringEngineService.exe
Token: SeShutdownPrivilege	676	chrome.exe
Token: SeCreatePagefilePrivilege	676	chrome.exe
Token: SeShutdownPrivilege	676	chrome.exe
Token: SeCreatePagefilePrivilege	676	chrome.exe
Token: SeAssignPrimaryTokenPrivilege	5368	AgentService.exe
Token: SeShutdownPrivilege	676	chrome.exe
Token: SeCreatePagefilePrivilege	676	chrome.exe
Token: SeShutdownPrivilege	676	chrome.exe
Token: SeCreatePagefilePrivilege	676	chrome.exe
Token: SeBackupPrivilege	5596	vssvc.exe
Token: SeRestorePrivilege	5596	vssvc.exe
Token: SeAuditPrivilege	5596	vssvc.exe
Token: SeShutdownPrivilege	676	chrome.exe
Token: SeCreatePagefilePrivilege	676	chrome.exe
Token: SeBackupPrivilege	5200	wbengine.exe
Token: SeRestorePrivilege	5200	wbengine.exe
Token: SeSecurityPrivilege	5200	wbengine.exe
Token: SeShutdownPrivilege	676	chrome.exe
Token: SeCreatePagefilePrivilege	676	chrome.exe
Token: SeShutdownPrivilege	676	chrome.exe
Token: SeCreatePagefilePrivilege	676	chrome.exe
Token: SeShutdownPrivilege	676	chrome.exe
Token: SeCreatePagefilePrivilege	676	chrome.exe
Token: SeShutdownPrivilege	676	chrome.exe
Token: SeCreatePagefilePrivilege	676	chrome.exe
Token: SeShutdownPrivilege	676	chrome.exe
Token: SeCreatePagefilePrivilege	676	chrome.exe
Token: SeShutdownPrivilege	676	chrome.exe
Token: SeCreatePagefilePrivilege	676	chrome.exe
Token: SeShutdownPrivilege	676	chrome.exe
Token: SeCreatePagefilePrivilege	676	chrome.exe
Token: SeShutdownPrivilege	676	chrome.exe
Token: SeCreatePagefilePrivilege	676	chrome.exe
Token: 33	5484	SearchIndexer.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

chrome.exe

pid process

676 chrome.exe
676 chrome.exe
676 chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exechrome.exe

description	pid	process	target process
PID 5092 wrote to memory of 4744	5092	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
PID 5092 wrote to memory of 4744	5092	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
PID 5092 wrote to memory of 676	5092	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe	chrome.exe
PID 5092 wrote to memory of 676	5092	2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe	chrome.exe
PID 676 wrote to memory of 4584	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4584	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4456	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4456	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4456	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4456	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4456	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4456	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4456	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4456	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4456	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4456	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4456	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4456	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4456	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4456	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4456	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4456	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4456	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4456	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4456	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4456	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4456	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4456	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4456	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4456	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4456	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4456	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4456	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4456	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4456	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4456	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4456	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4456	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4456	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4456	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4456	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4456	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4456	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4456	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4024	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4024	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4276	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4276	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4276	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4276	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4276	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4276	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4276	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4276	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4276	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4276	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4276	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4276	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4276	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4276	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4276	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4276	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4276	676	chrome.exe	chrome.exe
PID 676 wrote to memory of 4276	676	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5092

C:\Users\Admin\AppData\Local\Temp\2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_63a71a22bb4218ca537ff53ce19979f3_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2dc,0x2e0,0x2ec,0x2e8,0x2f0,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaee4a9758,0x7ffaee4a9768,0x7ffaee4a9778
3⤵
PID:4584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1776 --field-trial-handle=1900,i,5515723385495361845,3685692687670005246,131072 /prefetch:2
3⤵
PID:4456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 --field-trial-handle=1900,i,5515723385495361845,3685692687670005246,131072 /prefetch:8
3⤵
PID:4024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2088 --field-trial-handle=1900,i,5515723385495361845,3685692687670005246,131072 /prefetch:8
3⤵
PID:4276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3092 --field-trial-handle=1900,i,5515723385495361845,3685692687670005246,131072 /prefetch:1
3⤵
PID:2696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3116 --field-trial-handle=1900,i,5515723385495361845,3685692687670005246,131072 /prefetch:1
3⤵
PID:2560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4432 --field-trial-handle=1900,i,5515723385495361845,3685692687670005246,131072 /prefetch:8
3⤵
PID:2512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4676 --field-trial-handle=1900,i,5515723385495361845,3685692687670005246,131072 /prefetch:1
3⤵
PID:2908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4568 --field-trial-handle=1900,i,5515723385495361845,3685692687670005246,131072 /prefetch:8
3⤵
PID:4404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4876 --field-trial-handle=1900,i,5515723385495361845,3685692687670005246,131072 /prefetch:8
3⤵
PID:3648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4956 --field-trial-handle=1900,i,5515723385495361845,3685692687670005246,131072 /prefetch:8
3⤵
PID:5184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5236 --field-trial-handle=1900,i,5515723385495361845,3685692687670005246,131072 /prefetch:8
3⤵
PID:5336

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
PID:5752

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff75b8a7688,0x7ff75b8a7698,0x7ff75b8a76a8
4⤵
PID:5836

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
PID:5880

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff75b8a7688,0x7ff75b8a7698,0x7ff75b8a76a8
5⤵
PID:5912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 --field-trial-handle=1900,i,5515723385495361845,3685692687670005246,131072 /prefetch:8
3⤵
PID:5896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5588 --field-trial-handle=1900,i,5515723385495361845,3685692687670005246,131072 /prefetch:8
3⤵
PID:6052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5608 --field-trial-handle=1900,i,5515723385495361845,3685692687670005246,131072 /prefetch:8
3⤵
PID:6140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5740 --field-trial-handle=1900,i,5515723385495361845,3685692687670005246,131072 /prefetch:8
3⤵
PID:6072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=2696 --field-trial-handle=1900,i,5515723385495361845,3685692687670005246,131072 /prefetch:1
3⤵
PID:3332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2856 --field-trial-handle=1900,i,5515723385495361845,3685692687670005246,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:6492

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1076

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:5056

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4856

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5040

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4296

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2080

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3552

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:512

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3972

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4948

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5152

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5416

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5508

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5664

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5760

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5164

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5788

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:6008

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5368

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5448

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5596

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5200

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5228

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5484

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5508

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
2⤵
- Modifies data under HKEY_USERS
PID:808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1428 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
1⤵
PID:4828

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
Filesize
2.2MB

MD5
b20ba55afb8c9488016dfe3d7a19b4d3

SHA1
2938ca806998555658fc9cb395015867bff0de02

SHA256
01cb4deea199acb7582b5037dc54e132d461cb329a35e7bc5bad509a96638ecc

SHA512
396c25d358d515ea03d85426b4d1f75042eb289e6ce92360d7dec4e6f61d52f8e08e9ea9823643f6a4920f8120000dd6e6c97fca2e9a65f569520c7c3ae554bb

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
781KB

MD5
4d91af24f1ca6c3235b43a73d274ac40

SHA1
09b0e26fe3c10ecbd3356d2649c9affa7622234b

SHA256
a2cd784345acaedfce838aec5df740af8103817090050f2bc080264575aae84d

SHA512
2b9cbdc7bfd3e78026b6eb3725fdddea06bdc920bdcf34a61ad3c2fdf9d084a0936986d04c672fe8a4f0d474d7c93e13567940f804c3e52991a4e13476ffe823

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
d3b2c9113161f91369a0dda2950eae54

SHA1
bb7f3ff3e79cc8a699bc20d930f440edb4f0d1bf

SHA256
15270e4f21ffb817d4720a883b233eb0464941da0c50f31ce01d0fba1f410b36

SHA512
d530cb347ccc756ce6ce33b5a053baec0955f7950c93d20df13da594946ab9382ddbfc80c0ef1e6406cd8bb9f457d4f5ffc8aebd694427c9b5e27750e31f89b9

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
2.1MB

MD5
0338a526dc925c122ee7232d6a82a75a

SHA1
d97bc6d683e32443eeb9ff752e9f15b8a5d86060

SHA256
95af9b590505538da1bce14ff05a5f2b7f5c45e342f0413d5d9cf48e329a8875

SHA512
158623e26a2f85cb744646db6ff333d40aa4075dff76f3894c63d5d5e8a9235b340c2611ea265faa5ce0ac209c31339df68b8fefa724c5bae411de2f30c20fe2

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\c4ff0907-b780-4784-bfb0-9189533f02a3.tmp
Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
85cfc13b6779a099d53221876df3b9e0

SHA1
08becf601c986c2e9f979f9143bbbcb7b48540ed

SHA256
bd34434d117b9572216229cb2ab703b5e98d588f5f6dfe072188bd3d6b3022f3

SHA512
b248162930702450893a112987e96ea70569ac35e14ef5eb6973238e426428272d1c930ce30552f19dd2d8d7754dc1f7f667ecd18f2c857b165b7873f4c03a48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\5266ffab-f16e-446b-b47f-64e8cb1bd131.tmp
Filesize
5KB

MD5
bc99e704c263c83a01551f7a953b4bf1

SHA1
d49fc622d233b39af13fe399deef783ec35525dc

SHA256
0285ca1c6ac82be4a072f6ea96204d25905642980fa8f98ccafb2323f44d3a33

SHA512
5e6e173c9893489d7285c0aec259782bb104d412bd77476ecb08e7a081dab545275064fbad28a5c5357bd4f9a44d6b4f45893befbf84f5813f5b33400af66c2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\en_CA\messages.json
Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\dasherSettingSchema.json
Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
05efed7e3375e885e03fb076293aab31

SHA1
726ef6aca69cf6b9592788296bb4cc0a3404899f

SHA256
d149c9f324e141dd54626f61a58136aa53a8e8abc559ba93da0331134df10afb

SHA512
23ead0edc49981bbbfa9857ebf77c3e873ea1eb7287232bedea991b9607069e81620e61bc8e26484c7166d93b317ec2acfa232fefd37e316506fd48760c1edf0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
afc773c04bb4b5af748d5bd730ff10f9

SHA1
2685ddf3c8ddadeddd81834efda2c70bb239a19f

SHA256
d6950e4d7c56163567216ea77eef1daf0a41e5e07bac809dab050d49b06c065a

SHA512
e82d2458e511ec6b66698e61d64a82a2ffced1eb9e57a6bb7a28c737a062ce891c917c75730aa5d3ac449b3beaa860bbad457a7dc2ba8ac650e391209f595277

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
369B

MD5
8a18e5449ab04175e53d7e6e1128ed2f

SHA1
d8a073629e602acf06835b67f00c1f2330934a6a

SHA256
37758eb74b512717e388d30c5ad2c06f62f899c002692e0a6647e49151702fac

SHA512
120825f37731f8d4bb32a67f45157c7b188ab0f4757d0a95fc54cdd65c2a3f15c98b2b67adaaf983ecca19f876a49fd0a1014021953045229f953236aa3d4749

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
dccfbba534cbf6192ae2052fa27160c3

SHA1
58fd28edd57a411264fda6ac38c4d540d68d1e7a

SHA256
889a36ff99d19f8b9ce453e75597ad71098354334a3d6ce29bc3e7d0414445a5

SHA512
b3151c9c30fdd2fba713c4181cd23f968e9a283631e31c16f88bda47aed4e33736623c6929ba7edadeb39fb5bc55526fc8bba10aca38566b559b1acb398cd214

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
86be9565c640a9c2e809ecdc5d8eae9a

SHA1
489d58226bc91c44ba509d7ed24860475978d3fb

SHA256
7820e5615291c298b99933e9ab200f46e97711361a9d043f5fcf5517ae08ef8b

SHA512
e7a74a124e6a64e7bf159c5c1f7a19c5de627118d34939442a4b6eecf07d6c8e628a4c2b88eeaf6c9e7284758e2d1afe88ba08891b9f028434763df6dd99ce97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
fd9de2af11993da759fa850a9274513b

SHA1
72bf7b5324251c02ac733a08bbea95b73d2c1c97

SHA256
2135a3b9172ce454a7391097d2a2d98137f6e9b2989e7054adc8a0b37453aa5f

SHA512
f0a1d184d6051b6491575bc6d0d20dab46bb60d8125a4be28ca78314d3af942ad9d064c0fbe2ce2a27661041c8a8d52fa44c5d76d3a9d3af9a6a718b4546f28e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
f0c5531787d77195d92c49136f2aa1be

SHA1
4ddc19f65f2bcc3b973582e60fbba0d1a01dc50a

SHA256
2eeb6076675fd9cf6ad6c6d9c32c9970861fa71fa250971309ee591328d66506

SHA512
5898dd4c45199aea43504380a66723978b80f2cbc5d443adfbdcd1e6bed040bb516d46cb9439be032ca302aa21200ac9d290e6cf26ea2366a81898b1643a02de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5844a5.TMP
Filesize
2KB

MD5
04695aadffdaf28b5be826d27d48721a

SHA1
ce79df7c80926a86b0e1a922a05bcab16c7620c4

SHA256
0bc76b0a74faa8d4d25cfa28127c42750e86004af7a10d590e07a33a89726b51

SHA512
aa3438c4a09ea9c0c52dccb6cba636ac99c11b47a5b78317869823d6c39bfdfa304f40e67867b8ca9c4269efaba12431ae59a1d54c671f38acb9e4fe3d23da54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
10KB

MD5
3fd97b3a0367c679ed08aa64b1ff4596

SHA1
d337a8f2ae34b80f5d21c741382cb3a681495436

SHA256
ae89b48bcaab6b3a03b2086e953f8702a04290e8273fd1d463dfc8425991dcaa

SHA512
157ef9ea762e9748517e6d64d4502316d98c26668bc3619e436ec55110c23fb51556dea5d17e4febe9a26c97da192c1fe32469051182a49c70e494b334a0b37a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
13KB

MD5
0ea340f305f6ebca8ecba18e1f229fbf

SHA1
0f29ca2b24d73787ef80be4bd2e129ff2141e0eb

SHA256
6fb1ed02d057c195badff45c45d17399f2d2f62c4222fa2a1a388a61f023cb01

SHA512
1da60e8a4ced8ab33f8d66ee878bc523f55690508e2443beb51c49cd1c284a80ee855de35b265bf902287e924f2a6880651eb95d14a55353872874de44523ac8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
269KB

MD5
6922f7d718082d3913508f95923d316d

SHA1
2fb3480ce3af5467f7e0d810088e57edb610f839

SHA256
2609a817770364a6e005d80399e857778a9acec07144bd464a07a4be51f63b3d

SHA512
3c65584d657ecc9db64bfcddfdaeb4c4d874233e73b730cedc5292c8d5248166fcc4af9f609d769d63aef80e591f6619402d161a4a6e3e2bd5ce7ffcf5c1c676

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
4KB

MD5
1f7d4d0b8b6d04f86ba42c4afc1a8f68

SHA1
45c582b62dcacf86b3e1da632d755c3ea03f21ed

SHA256
c4b82007a275e723d70320aec04548333312868754fda7fab539c11dc0070c35

SHA512
86ed8b7c23449672de9081b00c521ed9295b00e610da92636349c1f45622b8043a08a80b9ed237f80981c3ee1086098394e7c564a371cec748739d1b28f97adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
6KB

MD5
624e9a957df809e081283300f42cd2ba

SHA1
f4be33ed6042dfb66ea84f15765cc5d4d2002f01

SHA256
de675c8ac90df786f73379ed14d40c91adf7260197e7b261ed85c5a0726e1dff

SHA512
d1eddc34348a0dd26575251257c5c58008e7160362073dabac05006303645e84c92dcf3cd6ee9eccf4a189672eee4ea93e2f74e1c3176615f765d09b056ae456

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir676_441038763\662eeb00-c68b-4b83-9ec8-b959271fa66a.tmp
Filesize
88KB

MD5
2cc86b681f2cd1d9f095584fd3153a61

SHA1
2a0ac7262fb88908a453bc125c5c3fc72b8d490e

SHA256
d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c

SHA512
14ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir676_441038763\CRX_INSTALL\_locales\en_CA\messages.json
Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Roaming\df24b967b3e2edcd.bin
Filesize
12KB

MD5
18e58aae2bb16ec76a062745fffa760f

SHA1
8df7ff5d1f0e22aa800b94ba12398ee5e41d630f

SHA256
a2d2ec0942c70520f2888affba9c249a7a5af7074bea93ad15245e8c7422e4e3

SHA512
44e92aac9edcc4539f222159567c710f0e64135a1cfaaa76207775a6d85d52f1077caf9e55724c6183e5ab2042f3137efb97a9577b30e7c8f88c99f0a847a55e

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
58ef76e5e4e650fe1a595d726b9e1fca

SHA1
3375a126683d035ecc580ca01e03c86091b6bba9

SHA256
bb6a7614f8b0f6f85f9d1c3b3e0831d85f642f7d46ecd3f0d0757169dc2b9e99

SHA512
49bbfe591380c7452219323ebffbb24adf8c36f646cda7bcfc20e0e0066509e61baeb0726a9b226cbc355392b68b1941eea6dae72a5ecb2f3bc744ebdf79c291

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
656f5e5aedd4455330f700455092cdf1

SHA1
90daaf1326105e9bdc55f0f38af9a00d2da8c91e

SHA256
4682c1cfd75f86e087a6bf86f42a415e9a64bd191fad3e4fffcfeacc546c329d

SHA512
7b845a5b7c6c51cff8dfee5274833f5de42d5fe4bea7ec772441b899b4fdb1686820fb346e9ead794f51bf4aabb32840b8ab7e1bc8b9d04fdb28dfdba9e9be76

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
37222b03ec550be7fabab194386e7a76

SHA1
8f23d5fcc61adc5cfbcea198d808080180693448

SHA256
7b13e2a4d99e8948f88fa9b363a1e44bd0ea84c7a287a499879bb26987b46273

SHA512
ffd54a4fc780567d42f8285cf56f24d2f65350f1411801c72b48fec1d626874991d49b05baaec5ef66eec9bcb228659342be084e44dbe1321794900ffebca372

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
e7b24501ad6cbfd914ae3acdd0dc4ccf

SHA1
cb9883e85c45dc62263e0e75e9a4636d6c7ea33c

SHA256
5e1b911441617cdb6d532d133ce158094aa5024af25fb593fcaba9a6c3815758

SHA512
d433defa2684c600dbadfa5d7edb06db12578f4617bc26075b06779d0fc376901a56f8bffe4bd453b4a004b2c2f663b9c0fe43622a6ac4d19c66f41b478fc1f6

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
77275a10276e2ad09750c606c68e93f4

SHA1
936b22b40871ef834178c8b065a8d1a732ae2b5a

SHA256
80b8fa44674478ee86c7582876c69f37698adad5d08fc69a120a49da261f63b9

SHA512
003c8fb0b4d2bdf44c1bbbcaa6927c2f20ea9bbdf4d82ba6bc7aa96b2c3485336598485116e74afd4e061b10f8df232492da3f43dc1f964c71e85134604d94b3

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
4a5e9b3a354ec9f0046cb0f801bf518f

SHA1
e6d4f9e93f779c034c0362527260ee34adace63c

SHA256
034883edc80def6d1a457e93c112339c2177889f5322fb9a139c385e67787491

SHA512
5ba77199a0184e5c2b52c879a73f9974ec8705fd8d191cb2372acd567ec3a2ba15b108481f067643f81614f1c636ee78983f735d1b0f1472e309c0543ca65dbd

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
4674acd369d61100947dbc4890c1764b

SHA1
827e26e0a884cfe2039aea97da0a6a082f08a30c

SHA256
292e532d40bc4be913ec1c8ab0d9df3deab03a225fdbea788dde5decf95949a5

SHA512
d760895fa89d0d65c6a7f4a8dc16ea600d0b8dd59aa017e6c91b5a721c1d41dfdbf4cfad88653ef83b70f7a5682687fcd03d11dd7933c8254a5bbd70d134ed55

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
42192e93dd843178887f221981e4d719

SHA1
4441343bd58e4b374f9a5c6475c5b2222a1e8948

SHA256
2e73fb62b813af59542eb799eee1b0d356b98624269aac9d5f307cbb2fa9dfec

SHA512
2504e8155f46dca5ff0111eca83f917d84cd9ec67bee3a4292acf86143aaed82079fa77beb288a36f6d1089a042d86115a76f1c81b0788ccc10ef914754c4294

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
3156447ebc97305774e35b8375184124

SHA1
bb9c4c2a06f83ed8dc1bfca6e974c04cd39db001

SHA256
f3e068f25c3b0dac7523cd17be37f1c9219215d8af35f51058c235f9749d3239

SHA512
9a7033eda07cdb4d9577470602db88f8761e9fa4fcb4e328ed747cb475974626f43379d036bf18971b01f1f562dd31499d25621cc08f27cc0bbfe1f23062b709

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
f0cb8dd2535270099c684b5980b7677f

SHA1
28c587d88ee60a38015d4937e4a874e9157dea3c

SHA256
e0629b85738002fd637b9ac7f27d669065f26f8035810ca4467a7ef15c1e91ee

SHA512
9164a91710cf070699c270d67adc379518a5d8972e6c8691845b67b2007264076598bd8a3c1221bd540a626e1d66def8d4c83c283b365557f8b7b2a34aa28c7c

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
031d911f69a5eee9f114f0a00947970c

SHA1
0f7a3cdfa2b6855e66361e2176769300c9fe40b3

SHA256
8921c71514a3f4058c583865bcf5ebb0895cb61b64c5b1aae21bc1938d0613b3

SHA512
f6c33ff7a8f2c629de3a81a76e0ed2dfb8e4d6358bab9a4a0a6fca3358bb3431a280da15bef321240612381c70938363aa6f597681919e04d9285674099ae578

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
65ec64da547bbec7ee14d88270e34fcd

SHA1
6f1065646e36b1e7452eadcc42304bf0e1cfa634

SHA256
1183b63116a13bcbdd65a505138f869514b9a1b3dab0383a5ad5bd4064fe6e16

SHA512
298b21f746d0508c88890ac434bc4491f7fb4a30830dfd064d0841c6ffda9b194eb3600f2ed76178dc1b02164069f5cfbd3b094f97a419dde9a272d8a245b757

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
a9a2cd63e673f0fa37ac3b5ae9468976

SHA1
ae7b5919a3eb6bd8e0c8486690da8969348b9ebf

SHA256
eb99b65e7c1796dc0c450ee40b2058cb8db905ad3e62148055f290a90959c7a2

SHA512
1e5fb96b8cc170b7cf3f323dd6367bf1098ccc5f67890abb8a9a65eadac4814f90f2cc6223fd0161a2d160d13694473bf8cbb1f962a9100ca64160fda5f33795

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
3622843723b02e8f4e7f45b2193b937c

SHA1
93db507f26602ec5b654c2d1806b4160ce85f336

SHA256
0f0938562778708c5927047d1ff7899906277936d8ea0c667a55635818e3c73b

SHA512
0ed75a551feef334c92c82b33cc4ee373833bca35bf9f5a40877f143f2f91c4c4ceae7d50ce9c6e1cf22d962be4e23bdaf28c05357588c5a384dec4bb5365e3c

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
424b72c550c8ecf00eca82684fa0b388

SHA1
bd3dcbb9c5b4d83f2aab3836e49eb7312aa977c7

SHA256
071ee20f83c19a41455c7675761e0034ebd09e64eba680f9bd39e470a7111600

SHA512
ebeed1d347c4a912d655ccaafc7c8ec8360ea7fddb40a97f94396dd205da208a08c9e77e0b39c98fa416f713800152c8361fff4b837ffab7fa4588bc9fd74ffe

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
df24cdeb96d1c43c14062a4b801ec9d1

SHA1
0233c55400f3e425e7c662345f3257212c1b544a

SHA256
5526db1f938f76bdff12ecf6cd9b375e0d66c801221cc0933b9bc97879323ceb

SHA512
cba7efc2adff6273e69f147d8738af492862dcbc2cd4b8dcc30a57b5e85b3a90610e17ae3230ce5e8de45ab50e070081df0f64304f7467eab9e0f43eeaaa5d45

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
3710152340bb243cdc2df4b13023b647

SHA1
6c7d6f255fb2982e1c0abd6820a71ef43d1ed941

SHA256
31e424ffb0aa123c0c84a9df0f4e45b03cc539f9abde21efbcfd33f2828facdd

SHA512
c41634f2c0fd51049178bb22712cb5dfafab865684e8cedc91d237e00d17dd2f03125300a6284617e9fd60d22aa48c3f2327570ebb64af0d3e1721a8175bc956

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
6fc018cad2246057837232ddfafad8d4

SHA1
8ca1b47912f377ff8104f34defff9a116c4c26f4

SHA256
ff4e50fb07241986b44c16ac2a481b9f953afd31cd807010d272d536282c65f1

SHA512
4bb460cd6da4bf837319641d3969c5b0fc7bca156653900ff0bc867fdba5a127ecd084381e59698f097b36105a4ae997241836e75a3de9485ca2be365e7a4fa8

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
0e1a0df5323f02fa141b11070035f203

SHA1
4662c48107aebe02429f78dc0ab4328f88ea9e8f

SHA256
169bdddd028372b9c8dc1bbc8bc1a48dce9089467cf7c3b5967ebc20713b1bb7

SHA512
5ef418e1f48b459f21f15f8462fceebbe5da2e16ff4cd02a614a6a508c1a9e28527c0d0778840600c85ba60d412de91e754b3aa0173ac4db70460367a2abc6e5

Download Submit
\??\pipe\crashpad_676_POXNPQHSLWTFKKZJ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/512-129-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/512-396-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1076-175-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1076-33-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1076-41-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1076-32-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2080-86-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/2080-93-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2080-87-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2080-281-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/3552-125-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3552-121-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3552-113-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3972-150-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3972-414-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4296-78-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/4296-110-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4296-103-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/4296-72-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/4296-80-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4744-128-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4744-20-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4744-10-0x0000000001FB0000-0x0000000002010000-memory.dmp

Filesize
384KB

Download
memory/4744-16-0x0000000001FB0000-0x0000000002010000-memory.dmp

Filesize
384KB

Download
memory/4948-431-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4948-163-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/5040-70-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5040-57-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5040-59-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/5040-65-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/5040-67-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/5056-44-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/5056-52-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/5056-53-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/5092-25-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/5092-21-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/5092-9-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/5092-6-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/5092-0-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/5152-443-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5152-176-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5164-282-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5164-556-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5200-452-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5200-634-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5228-659-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5228-456-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5368-412-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5368-399-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5416-455-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5416-202-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5448-593-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5448-415-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5484-668-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5484-471-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5508-468-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5508-218-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5596-432-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5596-616-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5664-533-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5664-239-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5760-250-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5760-541-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/6008-576-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/6008-378-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download