8def3731071c3254cab8dd56efba20fe42e7c6e8c50ba888be29a96cb78acace

Analysis

max time kernel
151s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2024, 23:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
Size

5.5MB
MD5

c81081dd4908c6154e51bd8f8986ab62
SHA1

55fa1dc592536f954773dff3dcb7da10e869adb8
SHA256

8def3731071c3254cab8dd56efba20fe42e7c6e8c50ba888be29a96cb78acace
SHA512

460fc984cd7ba411721c48e526ca43393f03a6cb2e938c70c1ee14ab7a7a66c278f4c6e3df76f5c7fa4f6916037185ff651463384d288f8d90b7cdc6c23ecb6c
SSDEEP

49152:2EFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGf0:MAI5pAdVJn9tbnR1VgBVmfTjYvH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4348	alg.exe
2140	DiagnosticsHub.StandardCollector.Service.exe
3852	fxssvc.exe
2272	elevation_service.exe
872	elevation_service.exe
864	maintenanceservice.exe
4544	msdtc.exe
3360	OSE.EXE
4364	PerceptionSimulationService.exe
4700	perfhost.exe
5248	locator.exe
5384	SensorDataService.exe
5532	snmptrap.exe
5668	spectrum.exe
5984	ssh-agent.exe
5600	TieringEngineService.exe
5492	AgentService.exe
6124	vds.exe
5844	vssvc.exe
5912	wbengine.exe
5924	WmiApSrv.exe
6056	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b22ca088b3e2edcd.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{1342F81A-D5C5-42B4-A5E8-933F7759DA30}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaws.exe	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000040d76d2144b5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009b3e9a2244b5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006b79e21744b5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000067b3631f44b5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a53f891d44b5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e631731b44b5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133618442657966496"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001ef8df1c44b5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
4688	chrome.exe
4688	chrome.exe
4024	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
4024	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
4024	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
4024	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
4024	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
4024	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
4024	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
4024	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
4024	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
4024	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
4024	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
4024	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
4024	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
4024	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
4024	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
4024	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
4024	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
4024	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
4024	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
4024	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
4024	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
4024	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
4024	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
4024	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
4024	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
4024	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
4024	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
4024	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
4024	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
4024	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
4024	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
4024	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
4024	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
4024	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
4024	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
3708	chrome.exe
3708	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4948	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
Token: SeAuditPrivilege	3852	fxssvc.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeRestorePrivilege	5600	TieringEngineService.exe
Token: SeManageVolumePrivilege	5600	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5492	AgentService.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeBackupPrivilege	5844	vssvc.exe
Token: SeRestorePrivilege	5844	vssvc.exe
Token: SeAuditPrivilege	5844	vssvc.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeBackupPrivilege	5912	wbengine.exe
Token: SeRestorePrivilege	5912	wbengine.exe
Token: SeSecurityPrivilege	5912	wbengine.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: 33	6056	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	6056	SearchIndexer.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeTakeOwnershipPrivilege	6056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6056	SearchIndexer.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 4024	4948	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe	90
PID 4948 wrote to memory of 4024	4948	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe	90
PID 4948 wrote to memory of 4688	4948	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe	91
PID 4948 wrote to memory of 4688	4948	2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe	91
PID 4688 wrote to memory of 4416	4688	chrome.exe	92
PID 4688 wrote to memory of 4416	4688	chrome.exe	92
PID 4688 wrote to memory of 3224	4688	chrome.exe	100
PID 4688 wrote to memory of 3224	4688	chrome.exe	100
PID 4688 wrote to memory of 3224	4688	chrome.exe	100
PID 4688 wrote to memory of 3224	4688	chrome.exe	100
PID 4688 wrote to memory of 3224	4688	chrome.exe	100
PID 4688 wrote to memory of 3224	4688	chrome.exe	100
PID 4688 wrote to memory of 3224	4688	chrome.exe	100
PID 4688 wrote to memory of 3224	4688	chrome.exe	100
PID 4688 wrote to memory of 3224	4688	chrome.exe	100
PID 4688 wrote to memory of 3224	4688	chrome.exe	100
PID 4688 wrote to memory of 3224	4688	chrome.exe	100
PID 4688 wrote to memory of 3224	4688	chrome.exe	100
PID 4688 wrote to memory of 3224	4688	chrome.exe	100
PID 4688 wrote to memory of 3224	4688	chrome.exe	100
PID 4688 wrote to memory of 3224	4688	chrome.exe	100
PID 4688 wrote to memory of 3224	4688	chrome.exe	100
PID 4688 wrote to memory of 3224	4688	chrome.exe	100
PID 4688 wrote to memory of 3224	4688	chrome.exe	100
PID 4688 wrote to memory of 3224	4688	chrome.exe	100
PID 4688 wrote to memory of 3224	4688	chrome.exe	100
PID 4688 wrote to memory of 3224	4688	chrome.exe	100
PID 4688 wrote to memory of 3224	4688	chrome.exe	100
PID 4688 wrote to memory of 3224	4688	chrome.exe	100
PID 4688 wrote to memory of 3224	4688	chrome.exe	100
PID 4688 wrote to memory of 3224	4688	chrome.exe	100
PID 4688 wrote to memory of 3224	4688	chrome.exe	100
PID 4688 wrote to memory of 3224	4688	chrome.exe	100
PID 4688 wrote to memory of 3224	4688	chrome.exe	100
PID 4688 wrote to memory of 3224	4688	chrome.exe	100
PID 4688 wrote to memory of 3224	4688	chrome.exe	100
PID 4688 wrote to memory of 3224	4688	chrome.exe	100
PID 4688 wrote to memory of 3224	4688	chrome.exe	100
PID 4688 wrote to memory of 3224	4688	chrome.exe	100
PID 4688 wrote to memory of 3224	4688	chrome.exe	100
PID 4688 wrote to memory of 3224	4688	chrome.exe	100
PID 4688 wrote to memory of 3224	4688	chrome.exe	100
PID 4688 wrote to memory of 3224	4688	chrome.exe	100
PID 4688 wrote to memory of 3224	4688	chrome.exe	100
PID 4688 wrote to memory of 3412	4688	chrome.exe	101
PID 4688 wrote to memory of 3412	4688	chrome.exe	101
PID 4688 wrote to memory of 4004	4688	chrome.exe	102
PID 4688 wrote to memory of 4004	4688	chrome.exe	102
PID 4688 wrote to memory of 4004	4688	chrome.exe	102
PID 4688 wrote to memory of 4004	4688	chrome.exe	102
PID 4688 wrote to memory of 4004	4688	chrome.exe	102
PID 4688 wrote to memory of 4004	4688	chrome.exe	102
PID 4688 wrote to memory of 4004	4688	chrome.exe	102
PID 4688 wrote to memory of 4004	4688	chrome.exe	102
PID 4688 wrote to memory of 4004	4688	chrome.exe	102
PID 4688 wrote to memory of 4004	4688	chrome.exe	102
PID 4688 wrote to memory of 4004	4688	chrome.exe	102
PID 4688 wrote to memory of 4004	4688	chrome.exe	102
PID 4688 wrote to memory of 4004	4688	chrome.exe	102
PID 4688 wrote to memory of 4004	4688	chrome.exe	102
PID 4688 wrote to memory of 4004	4688	chrome.exe	102
PID 4688 wrote to memory of 4004	4688	chrome.exe	102
PID 4688 wrote to memory of 4004	4688	chrome.exe	102
PID 4688 wrote to memory of 4004	4688	chrome.exe	102

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Users\Admin\AppData\Local\Temp\2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-02_c81081dd4908c6154e51bd8f8986ab62_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d8,0x2dc,0x2e8,0x2e4,0x2ec,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4688
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9eb3b9758,0x7ff9eb3b9768,0x7ff9eb3b9778
    3⤵
    PID:4416
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1780 --field-trial-handle=1920,i,15063918620421025327,12134933549517039108,131072 /prefetch:2
    3⤵
    PID:3224
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1920,i,15063918620421025327,12134933549517039108,131072 /prefetch:8
    3⤵
    PID:3412
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2164 --field-trial-handle=1920,i,15063918620421025327,12134933549517039108,131072 /prefetch:8
    3⤵
    PID:4004
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3016 --field-trial-handle=1920,i,15063918620421025327,12134933549517039108,131072 /prefetch:1
    3⤵
    PID:4676
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3040 --field-trial-handle=1920,i,15063918620421025327,12134933549517039108,131072 /prefetch:1
    3⤵
    PID:2620
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4664 --field-trial-handle=1920,i,15063918620421025327,12134933549517039108,131072 /prefetch:8
    3⤵
    PID:4128
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4656 --field-trial-handle=1920,i,15063918620421025327,12134933549517039108,131072 /prefetch:1
    3⤵
    PID:4184
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4684 --field-trial-handle=1920,i,15063918620421025327,12134933549517039108,131072 /prefetch:8
    3⤵
    PID:3916
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5036 --field-trial-handle=1920,i,15063918620421025327,12134933549517039108,131072 /prefetch:8
    3⤵
    PID:4508
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5392 --field-trial-handle=1920,i,15063918620421025327,12134933549517039108,131072 /prefetch:8
    3⤵
    PID:4692
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5476 --field-trial-handle=1920,i,15063918620421025327,12134933549517039108,131072 /prefetch:8
    3⤵
    PID:5132
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:5216
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x1e4,0x244,0x7ff7759d7688,0x7ff7759d7698,0x7ff7759d76a8
      4⤵
      PID:5324
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      PID:5376
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff7759d7688,0x7ff7759d7698,0x7ff7759d76a8
        5⤵
        
        PID:5400
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5600 --field-trial-handle=1920,i,15063918620421025327,12134933549517039108,131072 /prefetch:8
    3⤵
    PID:5764
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5592 --field-trial-handle=1920,i,15063918620421025327,12134933549517039108,131072 /prefetch:8
    3⤵
    PID:5772
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5560 --field-trial-handle=1920,i,15063918620421025327,12134933549517039108,131072 /prefetch:8
    3⤵
    PID:5868
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3968 --field-trial-handle=1920,i,15063918620421025327,12134933549517039108,131072 /prefetch:8
    3⤵
    PID:5440
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=1900 --field-trial-handle=1920,i,15063918620421025327,12134933549517039108,131072 /prefetch:1
    3⤵
    PID:6588
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1760 --field-trial-handle=1920,i,15063918620421025327,12134933549517039108,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3708

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4348

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2140

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2168

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3852

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2272

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:872

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:864

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4544

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3360

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4364

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4700

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5248

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5384

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5532

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5668

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5640

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5600

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5492

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:6124

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5844

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5912

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5924

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6056
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5256
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:6316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
93acc3651afb5c60e9f4e8dbb2690c6b

SHA1
e9fc31a904b7750826422ac3f1edacdf2d81ea9c

SHA256
68b87561e5c959a49665484d2673bf88e8d8b71b1a078078024bbe46a700e4fe

SHA512
095e2f815f8c1a6a7a034ce819bc695d98d25db7ef307440e48eec76341d440ef7ba252c9d07c67c5cf4322d1c03f2b88cb378d3f09edafc45f52bd322e29716

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
458d478cc5de1b44d4e77298fdf5fdf1

SHA1
59949c1fbc2a18c6889748cf7449e5154f7081ae

SHA256
bea3501a2d52cb38e90154e4fbd06fa03343ccc63a4de1072fc7631e4d809865

SHA512
2fedd39355be08d5bfad1f61566980ccd0601ea03f195b5d23046b42075fa81fd842482c27f3dcf6e1614d2444222279e36487f196c7f5409e99338f58462d3d

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
0b5794da6fe02c1b4bf747bf82d1cdb1

SHA1
bd3a115e229112cd8e25b1d6d3bc03ae76a86844

SHA256
be083f82305aae8a4fd1b054be2768e7b48de5768f1b30dd51391d850bb689ef

SHA512
2fef82dfd8e2f1a6621a259beaab554dfe206ad27931b409d9b8b64481f8ebb81d3bb0582293e65095ffce0bf92cd8c3677b0f1e746bbd2935555d2df2054ca0

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
57a99eecac14bf9dc4f9e6589c69da2e

SHA1
849e19f849084bc0662b8defe9ffb4833e25af32

SHA256
94f6a2aae4695f4dd23566f2c5e999b62d227adfd2437412cd87a73006dba555

SHA512
1716d75ba1425f91439227d3507d1efe83c825456477663c53beb0bf3f68575747c77a30124d0b3c9eca5a70bcf9a91d0ca162fc79ef6ba51fa307ae5afc8d51

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
c5bb156a54dfd740400129e864b667ba

SHA1
d1b696468a9b8b772c8a48f96dfb29b76e4b9ef9

SHA256
13b24fd766746140906e69305c18581ecb52b5d9e6a657cf17e4087c06d19527

SHA512
b8a7ca9de782d409b34e345f224bef2aa46fa2ed5ce6bba88ea8a5cfbc67c80aefdf459993666e88c4625065e8db36874c752224d4f05191dcad9e6ef259aade

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
64ee32eb01f826f4f8516aca5aeee091

SHA1
1e3741cc9490bb04a9b3f37c9e7b860e0aedfd27

SHA256
31856cba70037ccb4a154507347d707a93c3db46925c838c5ef13e96550f1f99

SHA512
f6fd1335bfe06f2359e5351415ac943133863c14db9a382e9bd82ed5ad0587572131abee04896ff923063f32232fbc7c709cabc8c64138cdbcf0f4b0fce6b50a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
8e6e7d10a8f8cb372c5846c6a042f33b

SHA1
66958019bffa9ea5dd5ae017ab2e1d74d1f70f48

SHA256
ded644ba19375e39e00c968ebb60225f53962f3c64d628c317c0afbfa9533d67

SHA512
bf74b5c1acb6372b6ec2ca2a4fbf505c85b1649329d6a2fbbdc729d6cf88f6db5352d244145c8917473582ae79c26a016e2ebf576bd98fd61b80b607c5167111

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
8a6f3c2ef0e0c2970a7026dbe96c741c

SHA1
bb3d53fd9a5007590c1f8e1c4ccb213a9f38f42f

SHA256
b33f957e07d0c2a7a8aa65415c0b09bbc4f0d6f69c891e2f235e3286a2a7545b

SHA512
571ac28a22aeeb19187cb3929635660848a772770b58e1e39300733aba67000d6d5f8483aac376c73127626a247a205ea22e5b658637376509e29fdfd34064a6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
0a5515f48f67e171cd8f7f8262ef55ac

SHA1
5b9a4ab490f366eb2cdc6c91ecad09034d7cfa75

SHA256
eadd5cabac023e18f959998d82c8e89771a2909a108b371a0449644a59f96625

SHA512
75f70f3800be24b1a3fe3641de1e7c0fefc5553da7ab129fbc5be99662fb4a5c3a981a7ecfa2379af1b860ca447c063cb0de15ad60fd1f10290f9b406731c00d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
c898b2c85cd98bff83f2378f5bf152f3

SHA1
9657dae2d484813d034d2ab8cc3f906a09f8b211

SHA256
d0b4da94b85adcde17f46d93f80f3df665ad7bf2c3a5dbfad9d6faa5e247106f

SHA512
d901c36bc2e45f8d927cce7ded9344f65d2f65482bec26c645c8cd365522272f472bf0be0525a53cf7023a7a437cee148920502bda0ed54fa4c930fe86dadf66

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
f155d773e68fe932d4133df975fc0cee

SHA1
a75902c3bab43635ddfc34a0d416995c43ed859e

SHA256
6b54111941f753a275946d676541187d969ea183c0e519db6e260650158194b0

SHA512
1062ac26159256b28efd6ed24020f9231de8aefabdbfaa28d280b8bbf6d777ecac87b672c9b830372734de98b1084328379976c83b8a45f16017236f659b183a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
c439587e206fd429a252999f5b48325f

SHA1
e8712058fd547165b5058d548f78547223a1de3d

SHA256
1c3054cbcfe26e127a8066831a221045e54dc7fc9ec3c73e18b52575b342102f

SHA512
3eb4edcf6a79e70edabbe201e5da21c2080d7a5e3a0878dac9499ffea2aa42e3163998ac32356294ae405fc2c8af2aef776597f0421667f57f46d54800d010c9

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
bf95c5e74f4108b9102390930f63bf2f

SHA1
77f310035b6e75fd8b9369a37a9c55c1fb9ccf64

SHA256
c80b0541fc8ad7fd65b4e3ccfb946547663980791e3e6b130abc6a891d57c994

SHA512
2254f6124e5af6273409e8c9bd559522b9ceae13a67d9d46d3e1dd2b946311df981ffffc214b22d55337d6c8588277217b6353a2fead5997fb7d3f98a95ab832

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
4483852305ea04ca0ffdd16326850394

SHA1
245ced5e5e193a30c7e6fcc5553c5e5cbc754323

SHA256
c145dedb809cd282cf3fe19f707c011eaba63da59babd93b93fbdb760f2d9ab8

SHA512
80fa0f584b06ac5651ac021a682b711f3ba439ffee1589ff6d1a202c34544c1116bc2fb3692a58d163bc5e50f7a0b4e28da56e9a35d4ea5e5dffc43eb07c3905

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
85cfc13b6779a099d53221876df3b9e0

SHA1
08becf601c986c2e9f979f9143bbbcb7b48540ed

SHA256
bd34434d117b9572216229cb2ab703b5e98d588f5f6dfe072188bd3d6b3022f3

SHA512
b248162930702450893a112987e96ea70569ac35e14ef5eb6973238e426428272d1c930ce30552f19dd2d8d7754dc1f7f667ecd18f2c857b165b7873f4c03a48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
ec7827d6c1200cd64ab47bf7954945e4

SHA1
a2a68c4c15853a8bda105ad5f313b70404fd730a

SHA256
73f3224733b1dc854a5872511065ed24955bc482d74dfc18f6ca2ec64b4a156c

SHA512
477f83f166028f6d8722e93731d033b4d5f026db2f45ca5cf068c45b90ce1cabe3877691199d35536336e75f850c261e9b85dce6617e7b1bd1eb9cb184711ab2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
a9a08acdbc43b0b75b2922636674c65b

SHA1
a03765c52a17a9d45bfc85859b1b339b493a3791

SHA256
d1b4189315043aa1fb7ef0626db943cf0b5bc18648c84561d0be56dee70c4d97

SHA512
a60adf5665d2b0b0eafdd52dc1049fbf25cd7c310f02fa5ed03124b78ff994175729ee1d89decbad598af39aecd06c52534c421cfc22f8b6cc479481968f0897

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
75c65a207402470cac320eef0c4b85b8

SHA1
fb3838bddd0c3993735e44f35702ec3df554092c

SHA256
035939e2e206a88232567abacf61e348b0d5408325951a476a8f7fe44b955689

SHA512
ba4a158fd5f1a25b1f5a5d3b1acbb214eae9a95669c61ae1e273b9a12a180da3e26e9247172f0e7aaa31d3384d7e345536df0c5850b22899cc4edc6829b5ac58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
74c15d94d5c6df0c9a76d04de948208f

SHA1
1741161520fdcb33d7b8709984a417001ac6b5c4

SHA256
b611231ab150104393560807679a13351c322b2fc009336fbf72dabb8bab73c1

SHA512
29f66d50803185b00a80a9044d17b481c45d4f7555768bddd083b0df1d7f5cc73d57a7842d4f3b429903031be38d01feffcddbdc3922690d656ae0359e5f96d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
900b58655cc8ebb2f53b4f053ad109d1

SHA1
3ff98cd3ba736a2988be14d5124efef671e139d2

SHA256
55b0a9b9625d82afe9e9e1a03a540ddb1120dfc65dce6461f4b56f8a7ef7815a

SHA512
49eff5ba8ea21870e88d4a1ac8919d3167ff4a77b320d68e90209fead6e6e09b110ff3067e5d858ea9599cd3a6a2203e0a44706d14abfea2101af3c8f4e25689

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
e1db7af3225aa29cab4333e7d7cc0823

SHA1
35f1361b019dbb62fad6d15aa9137e953664997e

SHA256
20b634d30a63b8c257a1525801dd49771fe5506c9c8227960c457ff68d4d3a95

SHA512
450ac710f0f8f1abba410f49feb6f2d38e9383eb32f982cdc1bb8eab6c74ac5f8264c4c129f742f55ff9293a8f589e32ef16775a45cad187125d0f255c674e02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5810c4.TMP

Filesize
2KB

MD5
04695aadffdaf28b5be826d27d48721a

SHA1
ce79df7c80926a86b0e1a922a05bcab16c7620c4

SHA256
0bc76b0a74faa8d4d25cfa28127c42750e86004af7a10d590e07a33a89726b51

SHA512
aa3438c4a09ea9c0c52dccb6cba636ac99c11b47a5b78317869823d6c39bfdfa304f40e67867b8ca9c4269efaba12431ae59a1d54c671f38acb9e4fe3d23da54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
10KB

MD5
eed5e4d3eb0ef75c96467a145ac21150

SHA1
83410f94b0601cb00257870989dce73c865b6564

SHA256
6fef49fb880dcc94691e7474a0dbe3448146255a46f9fa6b781f2bb92978f9c5

SHA512
efd2404664b1106f3f813b6933ad5afaa98bcc621f37242c9b6317f267fd4eec71f698a4a217f688aa884c19d89b7632f6595886328ac08701297c9f1a44f976

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
13KB

MD5
e465b102a7857e3794075c5798863005

SHA1
b8d141569e5a4dd7f1091f1ea2bf1fca85f82d34

SHA256
83b11e66e7ee616b2179f3a6f5470e65b248dc227db813710d67ce64c8adffa3

SHA512
95ee6eefb53ac4b229360ca61f10a246946acb5ae932eb257359d1c2ed6fe7c73b5ad44a60c5c036d9498105299ef86d9744767ddfd7f7cc6c5d311a37df930e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
270KB

MD5
cb2bf7a7cfca899b52489c8c033e9ac6

SHA1
bdd386ff514ca5964e4a0bbf28a3b25ee29aad37

SHA256
50c5f3e325f7bc6efce502a46b0d312394f31717677b5d3e843efadf462ff0a4

SHA512
c40bdc4183a37f22458022bcb758fc0d1d3368af876c5209854e953815c2f76832ed1a819032d9e23fa86a6cde766535d523c063ee350932bf0b95c3f8e70685

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
4KB

MD5
33137fdccae221967ae33eb33b0c0aa2

SHA1
e5e268e33c6aa679832f2f927123f32bd1be2db1

SHA256
572cdcefcbff6178ef2c9fad9d8a183496ce9e962d0bcb31a663274f6a649ceb

SHA512
2b7e1d588de55ba0a69e09cf45fe9a2dcd96edb191c8a5c7d2962bfd587bdc3d9bc98d226b30390795087a162c00daf130def52a8780ce0e6323af49fc426223

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
6KB

MD5
c84f69dbec0b9102c2ad9f3e91888437

SHA1
cd157ddf8a502d26e3c50f4f2934b2bce936b6b1

SHA256
9d81f51529e3db63c0d6acf64445a66f0980434e9e5ed9172adc2cc96f77cf3f

SHA512
321b8f38e8898ccac32c0971e839ffc920b425a9b87b7ab83ea155302cbfac43196249a48a1916dd7bd9f56d77fbbd30690bba5cf244972ddc5058544abfb406

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4688_451246352\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4688_451246352\c12ed53a-70ef-4cf6-961c-60dc02e8272c.tmp

Filesize
88KB

MD5
2cc86b681f2cd1d9f095584fd3153a61

SHA1
2a0ac7262fb88908a453bc125c5c3fc72b8d490e

SHA256
d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c

SHA512
14ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986

Download Submit
C:\Users\Admin\AppData\Roaming\b22ca088b3e2edcd.bin

Filesize
12KB

MD5
79b907d356b27da4932086681be7d890

SHA1
5654c6632d43c9f2cd3d264d6a372a52dac1eb9c

SHA256
4b8dc5620c2265e66d5da19dcbc15667711c38e7cc92a30feb1317e941c55a4a

SHA512
724723da97d940d627dd0df9adf7b13c98c7ba1a6202383cfe6b359a7438774bece7743664efad0fbff6451b2df94fe3d06278f427ea61e68dfbb11bf45d7f96

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
2d83c63e0e3cc035c2fb6f734f570210

SHA1
ce8263a3d892e4efcdbf66ed94f3ab579dc374ad

SHA256
9d66964b71c7112f18ed10bd9d8bfb6e1197b57eb0808b140dbe95e70f8942f1

SHA512
a8ce2cfc5f9c02847823fc640bb71e21c24e13132de734e0c51ea362e819132fb045b421e2e603c86c577f0347fc2cb5053b7db25ad270dbc835c08a38992a3d

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
1ee757926da2283fab4f8b8cd876da68

SHA1
244c595504af628cc246ca0db8afd743c372757b

SHA256
07e56a1687ce332bce1664371826be6d5912898b16eb9e3df3fe28e172af935d

SHA512
444591cc806f05190a0e0c4f277c02f50db0d5014d5219fc6ba466d9c040bef86900b26db9d0d3449cdff9b08a7fb4b7e0fd107a9ca3c62d8c467633303b04f6

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
2dd081669c38c1f783afbac854d538d6

SHA1
5202f1d4e977b3eaa4c97a7dd754858cdcf60d31

SHA256
87f96edee69121f19f63ac461c59fc54970f7445b0f808db1267cdf7653cee6f

SHA512
4cd8db6b67994ba46e4a0ad7c149956276cd9a13d87c281103f241652af185ff1bf6137dc4c2c69f8654fa507a957cc2e3dfcb14f060790594df99c6f046ef38

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
3a86d9f0de57cf696530fef118b7c6b1

SHA1
db60938abd3a8abb89006b941db6ed40e1da7092

SHA256
11fd647c9525288e2497c0d4d582d0725917e3e33494881a7f3f43f3af65f874

SHA512
d87c1669bad10f255d47acb34c98224f3c1983acababd7c55b294cd7bf6d5b68e2f3c1903f35bb2fa9c102de86c29877f11bcdd439ca29fb17f05df61a3f8af2

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
6adf7cc715374817ddd646867877b0bd

SHA1
2a06d2b9a74c90a94cbdded968adefd71f424ff2

SHA256
f09caf2222593651a1c0b39b8be03806ac7697509865c71648526e6a2c8c84fe

SHA512
8dace83643cf852141489267206100ee3b5d6e2073d085886006169164a3c953419f0e6014a7fca347d60d73760093e33122f5ce86e6c90283f7eaf2e9784da5

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
aa24b27808d31b2c715b2640328b9554

SHA1
0ac3b6d75688faaea07587396ee8b9783d83529d

SHA256
e67d7256f5997685d8adc5a117d6bdd83c860b40fc31b92138359f3229dc5c5f

SHA512
916caf0dd95e3de8a45d4518eb53f26419b77854efa905094012b0f0b8237783f38b03632f418c40e308932864cee2a2a7b30c6739b8426dc82f83ee921e6a76

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
a0d5335f06f57ef56ff6c1c987377d3c

SHA1
7f0a036015ee05e31c4fa2e8857af705f49a6b13

SHA256
dca971b0082f34c4f4975487ac3273095095909751a587e8004d526e1fe9ac02

SHA512
4f875f8dfbc0fdb3d50d2058c480e57ca44957aa66c314ed6e5c7aa8becdc3dc06c381f5d0430dc134d76c86ffcdd6716abec13c7a21716f49fa1ab94a22c60f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
b498da9e25e10e76b5818220d1b24203

SHA1
db1fee1a508574fd757eec18882b40abd2091c40

SHA256
cc0e17e85f6a10de1180f8fd2923488f1d975e1d32d58db9bf4b7185478926d5

SHA512
635f6473d7802e0d0b0c0e8c62b45c771de2c41746c0430b53a7101189ae7c3a24f08129d51eb0645c4264c9744016eba39e6585ac32e1a85746a9674d18bf9b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
77ab86471085cc66e1fc7a67cb3418d6

SHA1
3dae994ba37899d133188799c381ed8ab3efecd7

SHA256
da31676257cb1c02b666001da697d0991e5a3cb2ca2c8b07ef77004bbe688130

SHA512
64016d2972d561ad029162f03d22e182aca9f8bb6ee5999882854e909f5c44fc7b993e2923f13ef46cb293559a34662e09fc02d301ebf76de7c938359b07296f

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a65606d5f9d83d106ab9948b50568b35

SHA1
74ed90a6e3f1f3217cf9481bbf4527dc01e1af93

SHA256
b6d9429fa402d1fc61cfad184667715019beb2490ae257640976838e9159e016

SHA512
813e0ce192c4a60c4110cab7d62a7182fcbc348509658059cf95d815a4f6faa5495b5638ecd2730e7a30cd7f3138b1c851ea4f0632f26d39c3c5847546c5470f

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
35ed7179f88a55e2f153df6389f1a086

SHA1
f191dcf7a671c471c7d288ed4601678d6e9ad03b

SHA256
7f9cd88c3642920806e0300291d25f4340231a9228fea014fb53fe6bebee5e36

SHA512
9b85b6b32a4e73d0aaadd220bf1082ccbb9783fd36ae9c9f41b0868bfc148f0a45b83dd68305f2bcf64e5666868d9895b0e9f602b89437074009100057f2fa74

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
02b9c63bb3c6c3f0c9f5095f296445f5

SHA1
4c5d2ee12dc90abfe9147dbaacce04cd70618fc1

SHA256
2e028dfaf8beba56d6026f4071660f2702ad3cfa5808faad3056f8f2b0221398

SHA512
e7f17c84e4a96901f1b30d1522decbfd19b6e84c5d5c61825cc68047aef95da96e2696bba26b90f5f29ef5fdcaabdc8ccb2069680582521f5fe2a3031358397f

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
c9cef92a92548ad68ba2afff84d6d090

SHA1
8da5266dab68a28885a4f35e0ebed96a9a159935

SHA256
c965321a599ac8efb6c28a16881c4e732cbe7f2801f02939a2664d764b720c6a

SHA512
e8639a1a25606337bdfb86e1a38fd8b82edc27a678c95b3ee929d0894304fa29145bf22f6a21fb940b31661ec85e27ae2cdb2a92ff0db85b0fe88bd358da0590

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
163a4b51784a57a1eb8e9e26a49b49b3

SHA1
7125156ee52d3fd8321377862b1207352005896b

SHA256
460104f7bd4dd97f30ba73c14d30b2a8535a707047f978d8ce5ef1db064840a7

SHA512
ed706d0efd2105822192e3c2e1a1e12b9749d16b1457015710a7f5d080fd47eaaf49615556ca9292ceec61fda24012e4965ca63859833dd9ebc840c82c669b97

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
b9eadd12fdb4f27b80eafca38506015f

SHA1
5ad98f03bc2db9bef4b7880dc25640eb975e2518

SHA256
3493295e7aa98fb76a432b8255fac46a5992fdf8fc740a113e839cfa779b4ebc

SHA512
50fbb3bbf4434b05e319ef99d927d902689833f630f9d46b232432aaf642dd813d8e416b5725a0f6e5843dae4e46e3d4577880fbc8d7b618b12cdf407fab7dd7

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
0dfeb10c875ed08c7df6df240b65b9b4

SHA1
3ddef733be65d571435f905921115d95e0007610

SHA256
580a2e877fa34dc43968f9ec8ee844c8d973835d8cf58dff08c30269f16826f9

SHA512
99d7181beb3614126de6b5bf6292741d55a88d5a8573c50e08ac80405871bcdf6cfaaa15b8372ed88edccbfaaf66121aa7be9b0ea47e53dc7c4e70c886faf30a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
d24050588a1df26d94adfaa0e3a279cb

SHA1
9fe4774abb04360c53eedd1d983574810435545e

SHA256
fe711fad3b03de966338dc3fba8e549e3ae49bf36193a1e0f1ac72381f4b7e6c

SHA512
5d79e4b0c3d1ed636740b42f2c5aca82068f3024ea5a0ade7a1cb29776e8b206e3da2aa204e1892e9c2ea8f66934352d4e2b7a8fd82fe4f7be1cbfed95f6f362

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
2437cdbb874ced1b32343501afc511e1

SHA1
e4324bc3d4561dcdaf609aeae1d31f1dc100f8d1

SHA256
7c8a9e9f4de1dabb70dd2862ac9a80691f0018455f2a269b4c5fd3fae64b4da6

SHA512
5a9391e250f531b641b821084f73009b54e6ff89500551a2c5e02381d0b9be34569e5435574008d7bd48720422b0860bc2c247a15d51dfd970e0cddd752ba372

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
0e1a0df5323f02fa141b11070035f203

SHA1
4662c48107aebe02429f78dc0ab4328f88ea9e8f

SHA256
169bdddd028372b9c8dc1bbc8bc1a48dce9089467cf7c3b5967ebc20713b1bb7

SHA512
5ef418e1f48b459f21f15f8462fceebbe5da2e16ff4cd02a614a6a508c1a9e28527c0d0778840600c85ba60d412de91e754b3aa0173ac4db70460367a2abc6e5

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
f7c4f0c6fee0660fb385ffeadbfe8b8e

SHA1
e26dd1425369516fdc67deda1a7762b76effe971

SHA256
d45aca8ba927dc006dd8e7ae23e3131c9b05745d6f14be594abf3732fd52081b

SHA512
a1ffc1424e3642d9cd7638c92130b952a2112d99ce8ed8d8365da40941a9bfded7276f6e43c33ce1bdf1aca94f07de71414f745056904284877aae13a7219fa8

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
9734aa668c9d65ce5d0c165105671001

SHA1
c251a846399060f873d46a087cc9a1a8678006a7

SHA256
2004c484e0a93d34349a9d79be7a84382d64861465105d84b98133128edf56e8

SHA512
3dcf5ebaeb0f92a67cac7ab528a890334c39d7579f6b8952565edb731cf7503943199698ee85fb15cca6c2035f95680f24f144bb74a2da661aae9168fba1a472

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
2d148d4be5f2fab29b94043ec5e81adb

SHA1
ae92298172fe71a219d3102ec6697a4118124bd6

SHA256
3745329df4455a963cf6c66698598acd086fb50ac9ecb59ef83b3e98505dd7a3

SHA512
94796927bff9e68f29b65a0d01ff26b225e2e0735e46c0e9a01e11fc91a0d9764319d79109bec5cf0cd4f0d68c461e9ef385e9c976669e70e14495bec6b2ef48

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
d57476f543a0b3bb4d5540821281d52b

SHA1
2c09d95733962845cacf47e02f37fc2ede2c0d21

SHA256
b1e6f121e79b7f76dbfb6af943811325c006821952c744fd1ed459596f05ea72

SHA512
3804579aed0bf3d265cfa24fe3ed1a88908e16bec6fe9519340c76954669b42b74d0518f228ff8953d923e30e4371b7ccd49a760b57344df75814b7fe9e8c3c4

Download Submit
memory/864-126-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/864-121-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/864-112-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/872-100-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/872-104-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/872-307-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/872-97-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/2140-210-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2140-45-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2140-52-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2140-46-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2272-76-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/2272-110-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2272-69-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/2272-108-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/2272-72-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3360-159-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3360-396-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3852-79-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/3852-81-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3852-57-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3852-64-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/3852-58-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/4024-120-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4024-11-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/4024-17-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/4024-19-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4348-31-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4348-34-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4348-165-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4348-40-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4348-41-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4364-417-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4364-166-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4544-129-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4544-378-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4700-194-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4700-429-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4948-9-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4948-6-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/4948-0-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/4948-24-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/4948-27-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/5248-441-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5248-211-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5384-687-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5384-224-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5384-462-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5492-384-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5492-394-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5532-241-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5532-651-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5600-362-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5600-804-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5668-740-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5668-256-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5844-418-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5844-820-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5912-855-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5912-436-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5924-442-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5924-965-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5984-310-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5984-781-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/6056-463-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/6056-967-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/6124-397-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/6124-817-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download