156829f040d23d4758475887344168577a5aafb638c0ff57ccb23c760c847097

Analysis

max time kernel
152s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-05-2024 00:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
Size

5.5MB
MD5

2112c6d58b2859991f8eb498f1dea1ce
SHA1

bcecf781eec650cd7cdf195e8470ffef337d6b47
SHA256

156829f040d23d4758475887344168577a5aafb638c0ff57ccb23c760c847097
SHA512

520d816706046fb1d2ae9e9aa710df09b0aa0ef83f1298fe2da536ad97af8d6d1675e8fe6ad326cee24eef4b25af50090d9b92254672eda22095be1cfb37329f
SSDEEP

98304:yAI5pAdVen9tbnR1VgBVmRGEI1DVWh7Px:yAsCc7XYlB6

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4196	alg.exe
4272	DiagnosticsHub.StandardCollector.Service.exe
3176	fxssvc.exe
4976	elevation_service.exe
400	elevation_service.exe
3012	maintenanceservice.exe
1432	msdtc.exe
908	OSE.EXE
1860	PerceptionSimulationService.exe
3572	perfhost.exe
5140	locator.exe
2952	SensorDataService.exe
5348	snmptrap.exe
5520	spectrum.exe
5728	ssh-agent.exe
5824	TieringEngineService.exe
5996	AgentService.exe
6040	vds.exe
6108	vssvc.exe
5124	wbengine.exe
1528	WmiApSrv.exe
5932	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\38e7a7b2b3e2edcd.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000049bab22399b0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004486682699b0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000097a5292799b0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133613310170706533"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b322d12999b0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003da01b2499b0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007c73282699b0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000774bf42799b0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000efb2d42599b0da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
5116	chrome.exe
5116	chrome.exe
1724	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
1724	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
1724	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
1724	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
1724	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
1724	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
1724	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
1724	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
1724	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
1724	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
1724	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
1724	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
1724	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
1724	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
1724	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
1724	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
1724	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
1724	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
1724	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
1724	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
1724	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
1724	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
1724	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
1724	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
1724	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
1724	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
1724	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
1724	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
1724	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
1724	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
1724	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
1724	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
1724	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
1724	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
1724	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
6780	chrome.exe
6780	chrome.exe
4272	DiagnosticsHub.StandardCollector.Service.exe
4272	DiagnosticsHub.StandardCollector.Service.exe
4272	DiagnosticsHub.StandardCollector.Service.exe
4272	DiagnosticsHub.StandardCollector.Service.exe
4272	DiagnosticsHub.StandardCollector.Service.exe
4272	DiagnosticsHub.StandardCollector.Service.exe
4272	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
676	Process not Found
676	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2548	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
Token: SeAuditPrivilege	3176	fxssvc.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeRestorePrivilege	5824	TieringEngineService.exe
Token: SeManageVolumePrivilege	5824	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5996	AgentService.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeBackupPrivilege	6108	vssvc.exe
Token: SeRestorePrivilege	6108	vssvc.exe
Token: SeAuditPrivilege	6108	vssvc.exe
Token: SeBackupPrivilege	5124	wbengine.exe
Token: SeRestorePrivilege	5124	wbengine.exe
Token: SeSecurityPrivilege	5124	wbengine.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: 33	5932	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5932	SearchIndexer.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 1724	2548	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe	90
PID 2548 wrote to memory of 1724	2548	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe	90
PID 2548 wrote to memory of 5116	2548	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe	91
PID 2548 wrote to memory of 5116	2548	2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe	91
PID 5116 wrote to memory of 4868	5116	chrome.exe	92
PID 5116 wrote to memory of 4868	5116	chrome.exe	92
PID 5116 wrote to memory of 2172	5116	chrome.exe	100
PID 5116 wrote to memory of 2172	5116	chrome.exe	100
PID 5116 wrote to memory of 2172	5116	chrome.exe	100
PID 5116 wrote to memory of 2172	5116	chrome.exe	100
PID 5116 wrote to memory of 2172	5116	chrome.exe	100
PID 5116 wrote to memory of 2172	5116	chrome.exe	100
PID 5116 wrote to memory of 2172	5116	chrome.exe	100
PID 5116 wrote to memory of 2172	5116	chrome.exe	100
PID 5116 wrote to memory of 2172	5116	chrome.exe	100
PID 5116 wrote to memory of 2172	5116	chrome.exe	100
PID 5116 wrote to memory of 2172	5116	chrome.exe	100
PID 5116 wrote to memory of 2172	5116	chrome.exe	100
PID 5116 wrote to memory of 2172	5116	chrome.exe	100
PID 5116 wrote to memory of 2172	5116	chrome.exe	100
PID 5116 wrote to memory of 2172	5116	chrome.exe	100
PID 5116 wrote to memory of 2172	5116	chrome.exe	100
PID 5116 wrote to memory of 2172	5116	chrome.exe	100
PID 5116 wrote to memory of 2172	5116	chrome.exe	100
PID 5116 wrote to memory of 2172	5116	chrome.exe	100
PID 5116 wrote to memory of 2172	5116	chrome.exe	100
PID 5116 wrote to memory of 2172	5116	chrome.exe	100
PID 5116 wrote to memory of 2172	5116	chrome.exe	100
PID 5116 wrote to memory of 2172	5116	chrome.exe	100
PID 5116 wrote to memory of 2172	5116	chrome.exe	100
PID 5116 wrote to memory of 2172	5116	chrome.exe	100
PID 5116 wrote to memory of 2172	5116	chrome.exe	100
PID 5116 wrote to memory of 2172	5116	chrome.exe	100
PID 5116 wrote to memory of 2172	5116	chrome.exe	100
PID 5116 wrote to memory of 2172	5116	chrome.exe	100
PID 5116 wrote to memory of 2172	5116	chrome.exe	100
PID 5116 wrote to memory of 2172	5116	chrome.exe	100
PID 5116 wrote to memory of 2172	5116	chrome.exe	100
PID 5116 wrote to memory of 2172	5116	chrome.exe	100
PID 5116 wrote to memory of 2172	5116	chrome.exe	100
PID 5116 wrote to memory of 2172	5116	chrome.exe	100
PID 5116 wrote to memory of 2172	5116	chrome.exe	100
PID 5116 wrote to memory of 2172	5116	chrome.exe	100
PID 5116 wrote to memory of 2172	5116	chrome.exe	100
PID 5116 wrote to memory of 4080	5116	chrome.exe	101
PID 5116 wrote to memory of 4080	5116	chrome.exe	101
PID 5116 wrote to memory of 1104	5116	chrome.exe	103
PID 5116 wrote to memory of 1104	5116	chrome.exe	103
PID 5116 wrote to memory of 1104	5116	chrome.exe	103
PID 5116 wrote to memory of 1104	5116	chrome.exe	103
PID 5116 wrote to memory of 1104	5116	chrome.exe	103
PID 5116 wrote to memory of 1104	5116	chrome.exe	103
PID 5116 wrote to memory of 1104	5116	chrome.exe	103
PID 5116 wrote to memory of 1104	5116	chrome.exe	103
PID 5116 wrote to memory of 1104	5116	chrome.exe	103
PID 5116 wrote to memory of 1104	5116	chrome.exe	103
PID 5116 wrote to memory of 1104	5116	chrome.exe	103
PID 5116 wrote to memory of 1104	5116	chrome.exe	103
PID 5116 wrote to memory of 1104	5116	chrome.exe	103
PID 5116 wrote to memory of 1104	5116	chrome.exe	103
PID 5116 wrote to memory of 1104	5116	chrome.exe	103
PID 5116 wrote to memory of 1104	5116	chrome.exe	103
PID 5116 wrote to memory of 1104	5116	chrome.exe	103
PID 5116 wrote to memory of 1104	5116	chrome.exe	103

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Local\Temp\2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-05-28_2112c6d58b2859991f8eb498f1dea1ce_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2e0,0x2e4,0x2f0,0x2ec,0x2f4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:5116
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffd77c9758,0x7fffd77c9768,0x7fffd77c9778
    3⤵
    PID:4868
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1752 --field-trial-handle=1892,i,9836175981125422177,9217899326364066728,131072 /prefetch:2
    3⤵
    PID:2172
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1892,i,9836175981125422177,9217899326364066728,131072 /prefetch:8
    3⤵
    PID:4080
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2240 --field-trial-handle=1892,i,9836175981125422177,9217899326364066728,131072 /prefetch:8
    3⤵
    PID:1104
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3196 --field-trial-handle=1892,i,9836175981125422177,9217899326364066728,131072 /prefetch:1
    3⤵
    PID:3968
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3228 --field-trial-handle=1892,i,9836175981125422177,9217899326364066728,131072 /prefetch:1
    3⤵
    PID:4208
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4476 --field-trial-handle=1892,i,9836175981125422177,9217899326364066728,131072 /prefetch:8
    3⤵
    PID:2608
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4716 --field-trial-handle=1892,i,9836175981125422177,9217899326364066728,131072 /prefetch:1
    3⤵
    PID:2108
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4884 --field-trial-handle=1892,i,9836175981125422177,9217899326364066728,131072 /prefetch:8
    3⤵
    PID:3124
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5020 --field-trial-handle=1892,i,9836175981125422177,9217899326364066728,131072 /prefetch:8
    3⤵
    PID:1176
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5156 --field-trial-handle=1892,i,9836175981125422177,9217899326364066728,131072 /prefetch:8
    3⤵
    PID:2924
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5308 --field-trial-handle=1892,i,9836175981125422177,9217899326364066728,131072 /prefetch:8
    3⤵
    PID:4972
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 --field-trial-handle=1892,i,9836175981125422177,9217899326364066728,131072 /prefetch:8
    3⤵
    PID:5424
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5312 --field-trial-handle=1892,i,9836175981125422177,9217899326364066728,131072 /prefetch:8
    3⤵
    PID:5524
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:5584
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x90,0x244,0x7ff694467688,0x7ff694467698,0x7ff6944676a8
      4⤵
      PID:5620
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      PID:5664
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff694467688,0x7ff694467698,0x7ff6944676a8
        5⤵
        
        PID:5684
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5344 --field-trial-handle=1892,i,9836175981125422177,9217899326364066728,131072 /prefetch:8
    3⤵
    PID:5804
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5224 --field-trial-handle=1892,i,9836175981125422177,9217899326364066728,131072 /prefetch:8
    3⤵
    PID:5812
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5156 --field-trial-handle=1892,i,9836175981125422177,9217899326364066728,131072 /prefetch:8
    3⤵
    PID:5904
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5376 --field-trial-handle=1892,i,9836175981125422177,9217899326364066728,131072 /prefetch:8
    3⤵
    PID:5156
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5604 --field-trial-handle=1892,i,9836175981125422177,9217899326364066728,131072 /prefetch:1
    3⤵
    PID:4464
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2964 --field-trial-handle=1892,i,9836175981125422177,9217899326364066728,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6780

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4196

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4272

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2940

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3176

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4976

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:400

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3012

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1432

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:908

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1860

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3572

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5140

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2952

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5348

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5520

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5728

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5436

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5996

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:6040

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6108

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5124

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1528

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5932
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:7008
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:7032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:3124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4120 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
1⤵
PID:6844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
97f4b0bb8bb7cf18269611c59aac6dcc

SHA1
4b9c407ddce7948bde7ba09f08b113ae311320fa

SHA256
b94b8e2ab42c758c6bc6eb1320158c08b82e488bf018f4486cca3ad013813970

SHA512
4dde75f446c00bf821313fb53eb3fcad846cac6bb525abab3db3a51fc7e30f9fd74bce8735737d5128db80b911d8e67e9bd0093bae1243b9772951e9008e9c0a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
f7765b3be6151c7e62ebe51b5d20c98f

SHA1
7c56f7b9027a6740eab358369e87a967ba4e57fd

SHA256
330d9179ca12fef722a37825b926a8a85fced76d6bbd7dd155e4d638c31a9924

SHA512
88429f9456ef2d7042795e946e023438b95c5fdaa0fc795dc54b6c60b75472e78e302e9f137e9670682db0822023951771e67e2fce43adc23e69733b518b2c83

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
406c36c225dbb8809bdc9e2ba998d360

SHA1
572051185af1339b201e266c71b51b4e8c9c6183

SHA256
909a9ad564fd50f86abdd83a173d2f0db527cc4b65b6c3f3a3af08c1c7cefecf

SHA512
42ddc340a97b19cb55a7c457f4106c8fdb4d422b3ca3a4bd686e97b32684c6d610c5561fdef548be09a638ace29920d9b4dc255f05a37c249e674bd8e097ef05

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
5a54c18a886bb984bac461f13efae48d

SHA1
9f948be0f893b1aaf119f1bc3ff63a359b060587

SHA256
a0b65f014c7034458aa2c7557f7aa923196eae8202295071714ee3e3090252d7

SHA512
b16f9aebb7463d24dde7ef10ca4d6ea503cede1bd24b54def0b4f57ac71c1b0ffd069522eed0d5b742dc42fd25d8e72339bac380d4d36660da7df4844f213ba6

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
8b918b2ca4ef7f552ac8eba5a10c1d36

SHA1
92426b0755a2b0a12336b0df370b2bc27f8084a2

SHA256
0f4effddd4db5877432c90c34fa0126293cbd48da8b6861107275758843fe245

SHA512
4ffa79b11605ee5fc4f5abfcc190696465503ec74100fe42971ee1b8bb644bff2d5dcbc337639d4318a30caf35d657bbad8f0a037fc5e2edefcf2dca8d0fb35c

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
fb0b9283b3dabf42f4f872dca3df562c

SHA1
1054f23887b49bf9150a0f7206d1ba475d826ee8

SHA256
a24f1fb136dca871e7f17d944a48d139c59b896d2ca6967caede57a4c367a453

SHA512
8739066a472e33bc9aea797b4b89b6fcb057e08034420a463e0cb101c07d93952de7a44c6ea099f2ac8e53302a358819d8c1205a015a8e8823fa06e0bfb400a5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
859568941eac6c38aece218090826b97

SHA1
369887f1e092d7d682c5a60a6479cfd74baed935

SHA256
1c1a74777fc8e36d6a68e7a9483a603edbde9f7f8c0f4a72e6cae3897c98b9b4

SHA512
1e75bdf75904039eccaa9e76f5f25f1d025f59f89ddc04875601563862b73d5a0951c5ced7d1fd0f582916cf002d318b9f2590b8c3f21accc68a6ff93689e029

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
b260691d86108cb53535f6a07adc14ab

SHA1
04669d9abd57ee853481e112c8ef177a262997ac

SHA256
5cb4f7a32ebcc1a9dcd5e620ec3f1579eeb0298b41bd77486f4777b6fa97c668

SHA512
11ffd8d0cff66275772fe531ed258e115f28464a15d7013d556147f8cab9a5f274c623278956881ee5e5350c7d4a27cd1ad7cf6546221e296d11b9db65d84ecb

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
7c97a471b99be7996e643d7b646cf51e

SHA1
b9baae2e8b08adf6bae4c904d7862c6dac3266ea

SHA256
d574f1898dbe04951a85fdf899590b4b74d963b7e03ab583f0ac11024d9a697c

SHA512
1a9019e705a428f799c5759e6f55a416fcc0a97e47199739510c02751d8b2693a0b897a13b4797961813d9ed53ce1fa9e782bcf22b3b1d0b6363c70a47803b21

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
cea3d260239959f5292e3a95613e3a7c

SHA1
46203664a659dcd177f0f36ecb400010c2bfb403

SHA256
c85b9c2b2f5c684a036eae5784e34a16f78823b4658c80134d4733ef50f513e2

SHA512
da49f3adf921fc7b9416329d3a7257a7cef5a0e44a0ede24db0470191c07b7672ce44e528720638eee5f5fdab66d4479a9c030ca143364c26329f35b585dd08d

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\209c1e93-f4a1-46bd-9092-bc763f21c485.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
b1fbfdac42694aa3e94934ec8aabe864

SHA1
d4c591b38cbd89db0f08740b0080fe3b30ff3ffd

SHA256
26ee0fdc10d4a8935551371c9f56c9720a784f4b2a5a60af958b206bb1ca3fe2

SHA512
e48249dc4bb9c6e7d55e9f891faad9169720dd513f1793097a7c44dea298c89f7050842c16a1594b323a9c8c69f21df630f84604ef776051609b8b7c25dd109d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
85cfc13b6779a099d53221876df3b9e0

SHA1
08becf601c986c2e9f979f9143bbbcb7b48540ed

SHA256
bd34434d117b9572216229cb2ab703b5e98d588f5f6dfe072188bd3d6b3022f3

SHA512
b248162930702450893a112987e96ea70569ac35e14ef5eb6973238e426428272d1c930ce30552f19dd2d8d7754dc1f7f667ecd18f2c857b165b7873f4c03a48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
c9fd9e4a595bddc3b9b3c045bda32abb

SHA1
a30861ac96bbff7e77742e25ee4fc4ea03664f4c

SHA256
19194ebe5645b55fc5ea29bb9b7a514ec59a302d3e9565c04293614fb67b882a

SHA512
37daa5507899d37d33ce0700199880916a25a9e710cb95f8acb28b6fa7a05c9c65aa53fdf959bf64c44d3af05220ae53763059d46443546d13620c5d385a1567

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
367B

MD5
e6ae84d618229ec9124fd49410a016d4

SHA1
8b01cf59682864446993110ddba7c553fcabe0b1

SHA256
6a0f37f062b69e0f7d40a54272fbca535203f42d3345de6afbb725b03c9fc384

SHA512
a94b0bb796610134e5c0ad587459f045d4b73fc5bb50c63d52892dbaeb9d55baddb1cad9f4b461e0dc5c5f7563cba736cd7593e209eb27803348bdfe6240e515

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
f5c0ebf009bbb599c04a76e1fb9d4358

SHA1
30c30d3205a3bd2732622201eac7e698ab1cb954

SHA256
db113d2a13c07c6cd616db2046d049d279e8fc45786772665a6e921cbdf1b0c1

SHA512
70cb78273a5445b1fd67435b07e0a2835fbc2763742ab4639d4fee1a65f110135b8923305cc517f9c62cb1d6d3fe47c1c369f862ecdc7c56575290cfda171584

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
b981ba8132ee2d9f394fd1e2cec46a91

SHA1
7f4d9bfc5c165083a077b9b8ded6313439e1212b

SHA256
3023cea316293e994b8a0764971dd00c87d140f8398f2bb56980bb6e4f0c3907

SHA512
4aff252caa64c270a16afa6ee35aefb0a93cf140766fab5029bb12b5c3e58efa206f0d9c8027e70fba9ce431abe2bcd6062e6ec1f30dfb78c085646b674a22fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
a236e004aeecbad033d189aa4d7788a0

SHA1
1ca50a487b105b6360bc70abe465d88996384fbb

SHA256
64604ba0965a879a0d5463cdd01d40f73f8ae686f1aa8390e93c1b1048578159

SHA512
3f03f150d1a9b4b5a09c7f2e9919757c38bee4ee384e598a9c7dd49ea1cd8eef0d4b16da066f0f44c69081abbcf5dcd03819c0800eb55b66678dc3ab93e3e729

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe584282.TMP

Filesize
2KB

MD5
04695aadffdaf28b5be826d27d48721a

SHA1
ce79df7c80926a86b0e1a922a05bcab16c7620c4

SHA256
0bc76b0a74faa8d4d25cfa28127c42750e86004af7a10d590e07a33a89726b51

SHA512
aa3438c4a09ea9c0c52dccb6cba636ac99c11b47a5b78317869823d6c39bfdfa304f40e67867b8ca9c4269efaba12431ae59a1d54c671f38acb9e4fe3d23da54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
10KB

MD5
6218edfa275155340355ce666a776aa5

SHA1
e9eddf80cdbd510872ef7b34c8709d6804078559

SHA256
e957969e55fea8e4714701c4d378bd95ba25ac463f92049fbf81a2e024265c23

SHA512
8457956cacaab0b88e4906df05c2457210493b4bf2ca96bec607ed770826394ae38b33b1e21cf56bb197fdafde5a12b1df16e9496be7ca8affd7c408d90d6090

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
13KB

MD5
df0e27979f7fcd3a83c5809d551e7a5f

SHA1
412e99708ba17b6e02b1e785aa49d048a8a322e4

SHA256
faff0066325ee8cb4a7a40a8881980918588cfcac11e4d64dd034a71850e3c02

SHA512
c7c45cde9099e731327c8be48f6ca92a165611f02ce1b1824ae21fc7b36caf22ff0d5a54b0ac3330c2c564c9c500dfb49a8c5d3f051d4ee947caa3325f6a9b62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
269KB

MD5
4570b488e1bdff1ef7e52a78074217f3

SHA1
451348c1c8422e882b40a3bb48f98905dcd3dfb9

SHA256
fb5ae10c40760cb5c811d8049e3f76473c98085803d0360134f98bb27f6428c1

SHA512
d9444e7b2d7465ee201c1efd0b5400f694dccdf236e23011379b653e402f08fbf60823083fcd192df19375272d8b5c437a2843d55f0527d619fbc071ef1e68f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
4KB

MD5
18aa62d77d2e048c38d469c1e7e70d5a

SHA1
07ea2f456c92170ed38f1476bc796e212a4b4842

SHA256
cdb83a1d2f21bb9c90a493ed92909fa530cc6d570c663d876ed052f2164b3611

SHA512
c8d4e8090174a576da3730ee321f55a3153d96a136b5cd717bc68f6103b71fecff6002b507b0179aba1a69fb1b75b1769809fce5673f8472a589c0465d4c9c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
6KB

MD5
38d3f03135ddcba163e8f92a5677f3f4

SHA1
2e0f9757e06274b40ec8aaf8cef57c01b726e7ad

SHA256
13ef78e05fe0bceb65169ed1ecf0d5bc4abf9b67388903d99a9077b28f201b95

SHA512
04c5dd9f78a29254a978254403723c7bc322dc1796cce9e6fa339b09fda181af5460194cd77c751d80cbcdea34bab21353e2041d14bb2288c7cf7cac86b0d897

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5116_512938545\2405d948-b4ec-4060-9701-c1ec17fcc704.tmp

Filesize
88KB

MD5
2cc86b681f2cd1d9f095584fd3153a61

SHA1
2a0ac7262fb88908a453bc125c5c3fc72b8d490e

SHA256
d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c

SHA512
14ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5116_512938545\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Roaming\38e7a7b2b3e2edcd.bin

Filesize
12KB

MD5
cb2832b7a2b826b07806c7fa92ef3934

SHA1
73e1a91dc00b234bad451a1d2eac8f4d66dea8c5

SHA256
633d20f1f7579f926ad05483debd5ce9a385aa29323abe141b17f57807c7f9a4

SHA512
911f838926ca642d9efe54871e2336a383341f55dffe494ed0c11ba99d3b2f10be7627edfd680afe10d40ef19fd3950a959e65002b3b5edf7a3cdd21f47f0692

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
57a41ebf5fae4f418eca9081bb5fbc94

SHA1
013221d91b89f42e9df788da093d4213fe64641f

SHA256
62b1b82e405eb3ca9b110cbd86c3316c3d2ad5c2f0d7d202b2b00fe51cad27e3

SHA512
ec742338a6e1e8d0d1d0289e4dfa13763ab5883a45977c8906358f9a649f8c8551badbffce0a872173c47e47997951297b25d91baccd64e024fa9812ded11427

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
77b97af64f5fc2d0e9f71b97e86d35f8

SHA1
0f85212a723ba7b5305059012ecd27538fecab77

SHA256
ba86c95c80e28779bff3179b65cd7b8fd8619d3ad2f2f74066b67cec11fa4ba4

SHA512
3402562666cc912a3dd2c0f6bb99559146ce6724bac61385d676bcc7643a0a1fbb8bb64f2f75270111fd3215b3b5bd4ad49cbc3688096eed1caac5a5862702d2

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
757f1cee0fd1c4e5f5631b143a2c6b76

SHA1
4c6cbe264500bd0a1f9aa6c51c9bff122e566c1d

SHA256
e43e8c304daa0dc67fc3da4c80a13ee74d22f3555040e7bf955044666328762b

SHA512
27ab487d0eb1fc9b64832de4226ebb7b9c05f2ba6de76df3a6d3d33176dab655e61a1ac08dfe10e4a6d829c4bcfe29e82e274e3086d9252e955ac48b272683e4

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b85d6411c81ca0a2a82282524a3857f7

SHA1
3a0e2dda2d2f9e6954c05ab98c379d114279b3e2

SHA256
b1f1ceb4ce2a5ba4d378f75509d2fd99d19dbc1e93a8a5c898850de0a5df1202

SHA512
3bf3f58c606b1cdc70971b15909f97dd4804bf5de1b7c228284151de93ff1a8e52dba28aafd81ca8a12bbcc1d2fd8e6c53864ad97f8bee3bac76a5a6c80d0723

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
2a2db453c965e99f50713d704248d25a

SHA1
19733aefece3f38c3940d0a5843700623dc311ae

SHA256
95d1d4f3c1cbc9077f2abae2588d8b8aef4e09f3415c2c04059de5b615126a8e

SHA512
6348baea98daf11d10cd97f68bf1314ec3b6cfd7cafbc8ce1c1b7f400e8949b7d24c5a43edc1a3878976096b28b741c2dc8939a689e1f2652efc85d1de9e5652

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
92a5757fdd4b0ae09cc832411074d632

SHA1
d88ffa705f8e396558ffb7a0df40f414223e14b8

SHA256
4c09ef9ea2eec308633b03f1db399987fc1ad393b2c57885339e54ddd2b396ab

SHA512
765318bd28d84f4067290d137c81e96a0bf91cbcc6c1d94b94f89ccec088feb2b123e0feb5cb636c3e6216ee8056e8bbfa0d63bdab17959f01cd83269c01d3b1

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
cea1fd1c296211a7e9e3cc1e60638e3d

SHA1
2edc47b500f280f7dbc394547fd675d783177f4c

SHA256
aaa8152a05152ae9c1c5353d72af2026be04083b8045a0ffda16af07c7b96612

SHA512
3d8fc3a7800eab6b462e314a6a1f2b539752f2323910481cfbecff0176c2193c43c039ba97571c32fbaa0ad1757b3d9a460e65c121feff0c7f7be5fedf9bcb13

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
e89b57db2f4dcda9812905d92959ff02

SHA1
7b693130ad69b9f9c62f3107aaf3798f5c150bdd

SHA256
9a8ad83e0a72cd2fb8dcc2c59d1d3e852a5cc35dc7cd624b5a3c7d7d8ed37b52

SHA512
5412179eab193d01fe9059339766106a1459a528107b0f2c45e7533fce35c37c4afc55cc9e47cbd7236d68c392eb897cfe66714a21e1127dff085832addbbd3a

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
b2f0c2c51a4adece2a7e95e21d39fcd3

SHA1
2b6f3f51c8940288ce10582b50d626626252c7d1

SHA256
63f7613117c898b326a5fa9ce66d7025dee892849ce2ebbb71bef8b776054565

SHA512
8c0209127c44c5c1b749119fc5f210cbdb0ad26efbda886406f99c3f42db276a8da1d4e9ad504b243d77d647fa48d03cb87f6e7157585bae11b3f952e07c6541

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
4f8c7050c639999bb1918e7f3419d301

SHA1
7dcad5e8900fe21b0be580730fc1979e05faab16

SHA256
a326d9cf648b688e43aeb5b6348a3022eb52647c032f343e4574be94cb5ff76d

SHA512
eaabf95c0d953aef0f5a5bcbfcbc302cfa26638968bcec0195f67934a2e953b561c0f94969c2e6a8b0e6ebeb7332fe18decd52fb8c13f3868f2edc9911d65aca

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
a6aff0faea08f1fab44c95cdd8911dd1

SHA1
715585bf5b94c285c4726fbf0fedf7213f4c9bad

SHA256
970ae658797807c724b79c5c3a56095813db6c3c4bc82e5288d41016447de312

SHA512
c78d113c198903009aa5165d4c6f691092296de0df031a46e5bb04664ce0f4f57415bc0d65b09e779af4426c6a22c6673941647b9181ee6760a1e5a109d68a3d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
84d60d32777d14b80a8c1fe01289e015

SHA1
df1f1f24f77a75f3a5d82f7f66d7d96bbb11342e

SHA256
e5b89523a52600c34e6f3c55c79d8539aeb15619c12b8b6bc5cf2e205246c44e

SHA512
123c42d9a428d742041e4d5acc9d6c20628eb72496beb6a29ecdc6221630b4f5bb014f01b00ffe87399c4aa59d32d2bb6e630b22d3ee06fd019ee905c0f281ec

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
e91cd33a62bcbb010f2c3373426230cc

SHA1
f1fdd864315c36d95c3cbf7edcbd41bec59aa441

SHA256
51b357db1c5c86ad2c388c28949b7a8c565fedcc809a80de00309473e0f6b69e

SHA512
51634b9e1532c6aea0c731d6c182836a950febae7d42019bafdbc5b74355091b8499d71a6f068d50ee41a2ea1b4363203799a2dde3568735237e9d6a0ad09ec3

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
d2a99cb3cd7b30ac7b65bd44eac34b4a

SHA1
1f33643dcf32e52e894a2770984b75c20f0c443a

SHA256
2d776be69afca3d695c85b3e40e2e81ff2a6dd084fd7829893ce3f9d1429afb9

SHA512
2d33032028fc42f4a762c97d6d2e6d6dcb6d8e2992991ac3a5b186204f94d47ee603d07c8b62020760845ee18e26b2d5b5e7b75501aad19db2b88182b093deb4

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
d9cf107ba214e50d0ae57df8437addda

SHA1
cd1518a406485c91d3567ca9c65c82d0cc87b1cd

SHA256
f3ed624890e750cc82568cf2c6e3488fddc0b90e43e1b801f08125d87d4cba69

SHA512
45f5d3dd336e2784e2a43dc5363f97d03b85c73911a4aa1737b2163c8e96bcd583e46388cc5c334037f8def9c715d62ed55b304f580c53350a6b425eb519e068

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
99c63345631019aee72985e03dc67490

SHA1
68c8020507a017058930342f8b86f1f53acbf1a7

SHA256
efeb43c00c5cc401fbc0b33edaab39ddd9399a1d2ec23e686f63ff82d734df76

SHA512
d1d31e2f52a7e7b53e29ad9712c9013a8dae1b800148a341041920e943898d62605f3bd3d125bcd153e5ff810d97e74b74e414ec4e70e08ea839aa3d7b9ff96a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
cdaf9ff7643ca678dff64365242b0328

SHA1
dc3b5a98b02fa7f36d3ad138691204d516845fa3

SHA256
23aa074406535e76a54e523522f4b0b9d819d88d4061878e0351a3200c7c3a5e

SHA512
3e19b6f0305804650722cb9db384256e5297ef4b6cb3f073fc4d2da0c8639f7225f47a05215d437370ac23e7c20ed6e4cbf982daf473e4c0df276c37799022b1

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
139d60ae48ca3d50bf6c1d1a97795913

SHA1
757a0e0d7d484548031609d516c45ff9c4207338

SHA256
065a9693dc0728ab47089ff78e519672277a4a5ce1db4f065a17d31092209d81

SHA512
6c09710dd350aa1431672dc2c2250bb694fb988561df6220124f1a9e8e159435ac246f29d5b3ca20fe8e7feea8b8f863b9ace3a84aac87547c4264f73270d4aa

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
0e1a0df5323f02fa141b11070035f203

SHA1
4662c48107aebe02429f78dc0ab4328f88ea9e8f

SHA256
169bdddd028372b9c8dc1bbc8bc1a48dce9089467cf7c3b5967ebc20713b1bb7

SHA512
5ef418e1f48b459f21f15f8462fceebbe5da2e16ff4cd02a614a6a508c1a9e28527c0d0778840600c85ba60d412de91e754b3aa0173ac4db70460367a2abc6e5

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
cf23b5abb39ea98c1e40cb751d6ac6b7

SHA1
1f41175fdc9380c9514423228bb6816c154285dc

SHA256
1e4c143adcf9c86733970be6d0694cf310c29c1b21fcf48eb0095cae9df25dbf

SHA512
6c2f8837caabd673f0ba909e397cf37bf5032af03f84a30783b1addbfe01f7640f77c7463890f5fe4095c5cab0e8a44ef72f49891e9e602f5eada5f199eabb79

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
17b1ce8122680486cdd34ea835aaaf01

SHA1
e767bf63f9b16d9a8243b069a826ffa9106e99e5

SHA256
2e8b192b873dde9d5d17ca47dfb5de25dfad7852e4dab16805086eaad87baea2

SHA512
3138c41e91fe6f3cd3163091e105795be6605ff89f3bd31595475a9fa304728296deddce5e683c013d76c0808bb2b712592ce94ad497baa10454c3bdca3441db

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
e325a0a8ce67cb8ec36896bf222a2aaa

SHA1
f54921103955dc751fdaf8f2b7ca7baea90497ba

SHA256
67d04d35728c86bf17aa47061d2c8e86095d2daebc2a128ac3ade9f8e2abab55

SHA512
4020db8be7e5928658d60a55e9afdd54df28d9a0285919dbb069b1b426c8178b17d74dd66541ab1122df2c346f570052e956bea68dcc63c2b86010dc499d8d68

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
dd8d95ab64d7545722f1b99e90abdf95

SHA1
f178433034f479f3ba012462b4ba54c20ffffb64

SHA256
7526213c73da031ac5a0128d6b3ee3b2e1d9fb37cbf984f2c546acacbd6d787d

SHA512
dc3097a83f635299b63350b3204e83817a3ef9af0090c47cdb6a02617af24cf09a1cb6f8080f81d08450095e669dca35eefd091c7186018963229b70b7882979

Download Submit
memory/400-318-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/400-70-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/400-72-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/400-64-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/908-349-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/908-112-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/908-118-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/908-121-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1432-104-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1432-345-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1528-370-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1528-867-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1724-120-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1724-17-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/1724-19-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1724-11-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/1860-126-0x0000000000C20000-0x0000000000C80000-memory.dmp

Filesize
384KB

Download
memory/1860-125-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1860-353-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2548-21-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2548-0-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2548-9-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2548-30-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2548-6-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2952-374-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2952-300-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2952-467-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3012-78-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3012-84-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3012-99-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3012-102-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3012-96-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3176-52-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3176-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3572-363-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3572-139-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4196-184-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4196-26-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4272-42-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4272-43-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4272-34-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4976-53-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4976-61-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4976-59-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4976-109-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4976-107-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/5124-367-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5124-866-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5140-297-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5348-315-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5348-427-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5520-319-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5520-469-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5728-334-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5728-630-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5824-346-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5824-668-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5932-375-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5932-879-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5996-350-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5996-360-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/6040-359-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/6040-843-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/6108-865-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/6108-364-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download