15414a09fd3108d08298fe6bfebe6a8392b4e043813fc4fe1685dbeee5fc5774

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2024, 19:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
Size

4.6MB
MD5

038ad4f1c55e518c32d4452a15ce8810
SHA1

fdb661145eabbc7d41b0dbb0b63d2d5c29557b76
SHA256

15414a09fd3108d08298fe6bfebe6a8392b4e043813fc4fe1685dbeee5fc5774
SHA512

27f272d35b4a71c1dc818ec449b5095d1687d4ae33506b4a9157f97ced2350639c728dead80a76e49d74db7a3855f25d3f917f347df837d8a382c80867188961
SSDEEP

49152:2ndPjazwYcCOlBWD9rqGZi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAGg:s2D8siFIIm3Gob5iExJ3rL

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4800	alg.exe
5108	DiagnosticsHub.StandardCollector.Service.exe
3624	fxssvc.exe
1220	elevation_service.exe
4492	elevation_service.exe
2308	maintenanceservice.exe
4524	msdtc.exe
1972	OSE.EXE
2808	PerceptionSimulationService.exe
5240	perfhost.exe
5496	locator.exe
5548	SensorDataService.exe
5760	snmptrap.exe
5436	spectrum.exe
6076	ssh-agent.exe
5124	TieringEngineService.exe
4756	AgentService.exe
6008	vds.exe
5492	vssvc.exe
5828	wbengine.exe
5648	WmiApSrv.exe
5568	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7bed6d84b3e2edcd.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{1342F81A-D5C5-42B4-A5E8-933F7759DA30}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{1342F81A-D5C5-42B4-A5E8-933F7759DA30}\chrome_installer.exe	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c2e12b8122b5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a7a66c8a22b5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000237b1b7e22b5da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000064e7558222b5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b59d8e8422b5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005c921e8c22b5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004b35648222b5da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007288bb8322b5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a43f8c8c22b5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005e0e128a22b5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
848	chrome.exe
848	chrome.exe
3824	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
3824	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
3824	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
3824	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
3824	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
3824	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
3824	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
3824	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
3824	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
3824	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
3824	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
3824	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
3824	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
3824	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
3824	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
3824	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
3824	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
3824	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
3824	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
3824	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
3824	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
3824	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
3824	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
3824	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
3824	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
3824	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
3824	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
3824	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
3824	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
3824	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
3824	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
3824	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
3824	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
3824	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
3824	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
4576	chrome.exe
4576	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
848	chrome.exe
848	chrome.exe
848	chrome.exe
848	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1380	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeAuditPrivilege	3624	fxssvc.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeRestorePrivilege	5124	TieringEngineService.exe
Token: SeManageVolumePrivilege	5124	TieringEngineService.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeAssignPrimaryTokenPrivilege	4756	AgentService.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeBackupPrivilege	5492	vssvc.exe
Token: SeRestorePrivilege	5492	vssvc.exe
Token: SeAuditPrivilege	5492	vssvc.exe
Token: SeBackupPrivilege	5828	wbengine.exe
Token: SeRestorePrivilege	5828	wbengine.exe
Token: SeSecurityPrivilege	5828	wbengine.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: 33	5568	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5568	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5568	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5568	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5568	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5568	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5568	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5568	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5568	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5568	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5568	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5568	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5568	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5568	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5568	SearchIndexer.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
848	chrome.exe
848	chrome.exe
848	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1380 wrote to memory of 3824	1380	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe	91
PID 1380 wrote to memory of 3824	1380	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe	91
PID 1380 wrote to memory of 848	1380	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe	92
PID 1380 wrote to memory of 848	1380	2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe	92
PID 848 wrote to memory of 3860	848	chrome.exe	94
PID 848 wrote to memory of 3860	848	chrome.exe	94
PID 848 wrote to memory of 3160	848	chrome.exe	99
PID 848 wrote to memory of 3160	848	chrome.exe	99
PID 848 wrote to memory of 3160	848	chrome.exe	99
PID 848 wrote to memory of 3160	848	chrome.exe	99
PID 848 wrote to memory of 3160	848	chrome.exe	99
PID 848 wrote to memory of 3160	848	chrome.exe	99
PID 848 wrote to memory of 3160	848	chrome.exe	99
PID 848 wrote to memory of 3160	848	chrome.exe	99
PID 848 wrote to memory of 3160	848	chrome.exe	99
PID 848 wrote to memory of 3160	848	chrome.exe	99
PID 848 wrote to memory of 3160	848	chrome.exe	99
PID 848 wrote to memory of 3160	848	chrome.exe	99
PID 848 wrote to memory of 3160	848	chrome.exe	99
PID 848 wrote to memory of 3160	848	chrome.exe	99
PID 848 wrote to memory of 3160	848	chrome.exe	99
PID 848 wrote to memory of 3160	848	chrome.exe	99
PID 848 wrote to memory of 3160	848	chrome.exe	99
PID 848 wrote to memory of 3160	848	chrome.exe	99
PID 848 wrote to memory of 3160	848	chrome.exe	99
PID 848 wrote to memory of 3160	848	chrome.exe	99
PID 848 wrote to memory of 3160	848	chrome.exe	99
PID 848 wrote to memory of 3160	848	chrome.exe	99
PID 848 wrote to memory of 3160	848	chrome.exe	99
PID 848 wrote to memory of 3160	848	chrome.exe	99
PID 848 wrote to memory of 3160	848	chrome.exe	99
PID 848 wrote to memory of 3160	848	chrome.exe	99
PID 848 wrote to memory of 3160	848	chrome.exe	99
PID 848 wrote to memory of 3160	848	chrome.exe	99
PID 848 wrote to memory of 3160	848	chrome.exe	99
PID 848 wrote to memory of 3160	848	chrome.exe	99
PID 848 wrote to memory of 3160	848	chrome.exe	99
PID 848 wrote to memory of 3160	848	chrome.exe	99
PID 848 wrote to memory of 3160	848	chrome.exe	99
PID 848 wrote to memory of 3160	848	chrome.exe	99
PID 848 wrote to memory of 3160	848	chrome.exe	99
PID 848 wrote to memory of 3160	848	chrome.exe	99
PID 848 wrote to memory of 3160	848	chrome.exe	99
PID 848 wrote to memory of 3160	848	chrome.exe	99
PID 848 wrote to memory of 4456	848	chrome.exe	100
PID 848 wrote to memory of 4456	848	chrome.exe	100
PID 848 wrote to memory of 3628	848	chrome.exe	101
PID 848 wrote to memory of 3628	848	chrome.exe	101
PID 848 wrote to memory of 3628	848	chrome.exe	101
PID 848 wrote to memory of 3628	848	chrome.exe	101
PID 848 wrote to memory of 3628	848	chrome.exe	101
PID 848 wrote to memory of 3628	848	chrome.exe	101
PID 848 wrote to memory of 3628	848	chrome.exe	101
PID 848 wrote to memory of 3628	848	chrome.exe	101
PID 848 wrote to memory of 3628	848	chrome.exe	101
PID 848 wrote to memory of 3628	848	chrome.exe	101
PID 848 wrote to memory of 3628	848	chrome.exe	101
PID 848 wrote to memory of 3628	848	chrome.exe	101
PID 848 wrote to memory of 3628	848	chrome.exe	101
PID 848 wrote to memory of 3628	848	chrome.exe	101
PID 848 wrote to memory of 3628	848	chrome.exe	101
PID 848 wrote to memory of 3628	848	chrome.exe	101
PID 848 wrote to memory of 3628	848	chrome.exe	101
PID 848 wrote to memory of 3628	848	chrome.exe	101

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Users\Admin\AppData\Local\Temp\2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-02_038ad4f1c55e518c32d4452a15ce8810_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2d8,0x2dc,0x2e8,0x2e4,0x2ec,0x1403796b8,0x1403796c4,0x1403796d0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff98c009758,0x7ff98c009768,0x7ff98c009778
    3⤵
    PID:3860
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1752 --field-trial-handle=1908,i,8841623271957410310,5929837497196801938,131072 /prefetch:2
    3⤵
    PID:3160
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2004 --field-trial-handle=1908,i,8841623271957410310,5929837497196801938,131072 /prefetch:8
    3⤵
    PID:4456
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2164 --field-trial-handle=1908,i,8841623271957410310,5929837497196801938,131072 /prefetch:8
    3⤵
    PID:3628
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3204 --field-trial-handle=1908,i,8841623271957410310,5929837497196801938,131072 /prefetch:1
    3⤵
    PID:3888
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3212 --field-trial-handle=1908,i,8841623271957410310,5929837497196801938,131072 /prefetch:1
    3⤵
    PID:4872
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4552 --field-trial-handle=1908,i,8841623271957410310,5929837497196801938,131072 /prefetch:8
    3⤵
    PID:4908
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4056 --field-trial-handle=1908,i,8841623271957410310,5929837497196801938,131072 /prefetch:1
    3⤵
    PID:1516
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4932 --field-trial-handle=1908,i,8841623271957410310,5929837497196801938,131072 /prefetch:8
    3⤵
    PID:3816
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4024 --field-trial-handle=1908,i,8841623271957410310,5929837497196801938,131072 /prefetch:8
    3⤵
    PID:4320
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4632 --field-trial-handle=1908,i,8841623271957410310,5929837497196801938,131072 /prefetch:8
    3⤵
    PID:5364
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5152 --field-trial-handle=1908,i,8841623271957410310,5929837497196801938,131072 /prefetch:8
    3⤵
    PID:5500
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:5688
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff6d2527688,0x7ff6d2527698,0x7ff6d25276a8
      4⤵
      PID:5716
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      PID:5756
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff6d2527688,0x7ff6d2527698,0x7ff6d25276a8
        5⤵
        
        PID:5780
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4692 --field-trial-handle=1908,i,8841623271957410310,5929837497196801938,131072 /prefetch:8
    3⤵
    PID:5860
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 --field-trial-handle=1908,i,8841623271957410310,5929837497196801938,131072 /prefetch:8
    3⤵
    PID:5868
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4568 --field-trial-handle=1908,i,8841623271957410310,5929837497196801938,131072 /prefetch:8
    3⤵
    PID:5976
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4004 --field-trial-handle=1908,i,8841623271957410310,5929837497196801938,131072 /prefetch:8
    3⤵
    PID:5128
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5328 --field-trial-handle=1908,i,8841623271957410310,5929837497196801938,131072 /prefetch:1
    3⤵
    PID:7056
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2268 --field-trial-handle=1908,i,8841623271957410310,5929837497196801938,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4576

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4800

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:5108

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2184

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3624

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1220

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4492

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2308

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4524

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1972

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2808

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5240

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5496

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5548

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5760

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5436

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:6076

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5280

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4756

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:6008

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5492

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5828

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5648

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5568
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:6000
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:6120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5960 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
1⤵
PID:6664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
33f55754f23e81f76a908974ab178c6d

SHA1
5df52f6e403dfa89db489921aed03a2f355e6154

SHA256
43bcef93361fca0d172e917aece0d81d9e4c130379faa232c225e416591e01b4

SHA512
4c65dc86761b645e01d0d7df29ad7525e6bca9b0dafb71fd5f1cb64965fec08ac2062d74b79818147fd505302f5f54af1dd5b8d3a4e3cbf3063f3eb4387c1393

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
2834673fa5284b1b1d55b2e13ad2788a

SHA1
70b099565d9d6507e6ce6951e6b26c2a9316b5f6

SHA256
91070f8cf3b709a4c5b72074ba9ecae0061b01c152d1a41f87de663161160590

SHA512
ad6d7bb7a6c9222254b5b8ee5588c1c3904a44f685c4e4cdeea3e1200440375e6a64688b54c5e6d323bcf6fe0f20325e3429c77a98a249d07e1e76a8c58a2765

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
190d79f01dc3a6cd7aaa9dc3d14c6555

SHA1
d419b190cda5fefc3b66b22a7c2ffcbe13e57f3c

SHA256
908e06a3702f6457f494d6adee5ce277f094f34ae3137e421a769ce6b89ebc8a

SHA512
508500fd50e1ab0c7c0e9aea01c3e592473b4405776ab09e2869b15213b4a33494a63e48fd915285c93449013abd6269d1b1549cbc536c3e45e12a1c19e3cb0e

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
cd59a44c02014a3af4330198d134c268

SHA1
86cd6153fde6a912f983ba8e9321320e8821ed3b

SHA256
bc61b936339db92c4b3931e4da88b74eaaedfbe11de42d97f85107930101f13f

SHA512
5eebeacdd2aefbe420d4a325314805936f2bd82739ff23f3dd2d74c5ae3156d67f75db62d3829891a5a95bc24576acbb942809c92ecde815cddcfa6fd052d42b

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
5c65d4e44d1634845a44f4f2a6028bd4

SHA1
50b1f686f018dc7c010342302d05f09a49bdeea0

SHA256
f14b2a34683689716154ad52a6ca09536f695fe0e77cd7d8404e9b1c9b45fdac

SHA512
554a54ecca037fdbe0a8e246f81e729f184e282865e0f2ae91401441649b8dfddd2c0baa53a9bb2fb685b193e20846f5a373a77ddb17d6a78f08f8aa89ea4ed1

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
a5a2c8d8408eab7c768debf7e76670e4

SHA1
a49bf0614737d6813e6cd1efe801a0b5c16ca128

SHA256
531d2e1924a8028e5b5166b4736d7d9a69e32874e0d49a7b524de9e9456f714d

SHA512
73f06c21fe2d98dfcf735e5f590e64554b62275172475a9dcea37e3c6caef69f07427f8106c33aec811e7d6bbe259b6fab659909c459879a59a59bb36fa3283a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
d1f932a39d722ff5f7fa37aceec7f78b

SHA1
4bf75374080544e05780b83eecad8570b47e2c87

SHA256
096f470f30e41835878daa7bf75da379841323c451e38e6ba5391ee12a0477e0

SHA512
4cc467b3aa72f4d81723b39a3aca64c8da0c24f2ad9967890adadfa8fa1e687b2da63f8355ee8a230313d57c087bf9ba1a608c8f58dbc8233741229d01d910bb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
441c2459d7e48d305790245884a576f6

SHA1
f3f160bcd51c563868e79c3f957723c256547fe5

SHA256
db54c7de5de6aeadf73f205afdae392f3501b7a48153a79fa7c430b83a947ed0

SHA512
3bee5b4fdf573511403bd91aa07d7338ebfc96ff2a4d6f149d3ef682117e30e5f16c9a8a139eafd6fb9854ecd5e45a3b51c1d577c242dcb80f942a3a02c2e8fa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
103bc8fe245aac5d45a00ae50227dc8e

SHA1
8527a6fba1729ce9ccf4ffaff149e8ac88c597b3

SHA256
c09498214ee5664e3b70b2079faa7361f863301c2d715ed950ef45a1f421b476

SHA512
d6f7fb374a310a3e99c14c83281ee02849e3dc9b2baebdd392250809aef8896ba59434ffa481ea749592c96f3bc9c716860548751c6ca2c3647cce93bda8f16f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
b52c5f339ae0368a43b4dc4e21147791

SHA1
843b156833002c482026fbb6ac2d3aa7c0da9ecb

SHA256
45502175006dd3765e1b0df2cacfa7619e36c0928b570992b0d493bd041b168b

SHA512
d0db3d4c03d2e0421a4ddab52eda74de8d654e5af9797bc6e9caa34882cbdc89401abfe57ec418820bfd9e1418c5575dec9b217bb97e0729aa7822e647090f7d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
eb174012492127c243ebf10fbbe7d9ad

SHA1
cd972d96cd81e9552ca0c072168da3a4917ddac2

SHA256
3a41efe0b5ff8a5bab1feeb3caabe932e30910e44beb16761c9a8009baefa038

SHA512
01dd211a2a413a3493f5765850088fc6d6289652bb86298f6850d0829571ac427440949344c7b0563bdfa5dd401ea69a876d6c8d0ff0dea3c84445ad18e302ea

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
5dfe37b8d1ede590ad682a710707eaf3

SHA1
5de4640eb84e1c2d4cca615713475290c1466f59

SHA256
aacced55cd66da3d515753846c1bd2fbbac4167e8dadf6ccd075ed62703806a2

SHA512
5a58a3c555f23e9a8eb5b80127c7d9764b1de17c46991a052d3e646f3c0f5f9f1fbd9fd8731f08c435c7d12e311ad73d7ff8e802117045f5b475230c5795af4c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
78e33d155b04e168ed6aaa1aa7b2aae2

SHA1
386bda024762b6d467bd13e7df40d4ee4adcddcc

SHA256
e4b0a68e52a94929134a424c1a9136c6db569cb0b3e24c560dad8066b490f7b8

SHA512
e20e5e33fa6d8b393ffd00f073b8c8b7f911ea12dc686932bf33acc585594949b2e4e41c8cb2b8016dce2852056f2e91bd397fd4027b4b3908234286f1274bd8

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\783518e7-4ba0-4892-be45-9cf08c10cd80.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
1d7292dc2764dc80060bb27e34d90d19

SHA1
4f54b9692e0293b5751223b6d98474d1f5868d6f

SHA256
ed673f19fabda7b3c3372904a056e7ff15f5f5fa47893572600bb811499bbd5a

SHA512
f9cf325916ae28a4d421b3cb2f15cc4915e522ec7e5a7e5319daf0a1d49dac96f769dec8cbc7590f896b8cca1f30b71fdc30e3f861ea2e69c4cbebc3b342d295

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
85cfc13b6779a099d53221876df3b9e0

SHA1
08becf601c986c2e9f979f9143bbbcb7b48540ed

SHA256
bd34434d117b9572216229cb2ab703b5e98d588f5f6dfe072188bd3d6b3022f3

SHA512
b248162930702450893a112987e96ea70569ac35e14ef5eb6973238e426428272d1c930ce30552f19dd2d8d7754dc1f7f667ecd18f2c857b165b7873f4c03a48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
f18c40b76742dd208dca9153a74d50f3

SHA1
d4922319cfc633b538e08aa8ea7c949ebdf445f9

SHA256
c432fbb70d9137a071e199311389852a05bd66a439a30e6a06f2eb51e84627da

SHA512
015584b7218613872d89c5c4e4d8f54203fb3a3a1e650d94f6887f6ccced774b3ee571b5ab8f31c28077af78123bc4853c1b62d5acf7cd56ce5c5c304f83191b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
8a1b43f27b1b2a7f693d048f7319425c

SHA1
1f6ee41051be916052f2cc02acc6a3096c3e2970

SHA256
e6a584ea38c59537a8d6351334b14309dc347519ce04fb0dfd529c509908b2ae

SHA512
e2d7b3b2486a4bfa43f7e73967d180381aa784a8b3552556da30313aadcd8860f88109b7d341343d111f40ceb8cc11ce2d0edfbb1f3689a62fba454a939fd943

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
775810136802c0ad191ab58d35e15ef8

SHA1
6087d2c57f449545b0b75b426c5b08e883b42f18

SHA256
01bb9460c9057aa63a850f233b1c6f4c83340d2917875bb86b02fdae38450850

SHA512
a53e0e0afb2c863b447744229b20884c34ccae7538123168842178f55edecb0c1900314e6cc4844a41806488e18346faf9ba434816e97362d06cd6b09b04efe7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
1f8f6e874a83e295c14d0ade933f464d

SHA1
70e5d0ea46a996828e772c6e5e656a00f3fa69fd

SHA256
92b9b9b793f752426b1db3903e38029bad7805d8dc668e2fad233ba7eeb1969c

SHA512
2cdbac771b144f44cb3b2877103e8ce34be9d140fd64ad47daa984c99017b8ea95abccc5e87ed566923c78a74f1a158cc975c5d0184d7007c4f610757e413651

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
d9ef53ce716d84105477e340fdb63465

SHA1
95a6999b138df47d649104c55d395c6565e42863

SHA256
297e9dd7e440c3610170364e79a145ccc587762c245bc984075540a860750976

SHA512
bef1b9917b1082ad140cb7ba00e47e79e06ba38823640a200f5aadf6618ed1afc3c87bdf1d2cff6672726f3d96169441e102e4c9f88cb690b175051123a265f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
f1d0cc6172f134bf0e5c0bff06f4d6a1

SHA1
1ac22dcdb4c038d47be14ced250d189cddd5182a

SHA256
4fe84391f4e6d3852f260cdda462810bcc63ee83ecf4c664c7ccb22185776bfa

SHA512
fd8317984ccd2a914d68c37d26806dfa76a2aa94c502a0e634f2ed63638a9a662481958af47cf3f78352bffac4b03c1f433e81cba342758c7118d9f8cc00e116

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57dd7f.TMP

Filesize
2KB

MD5
04695aadffdaf28b5be826d27d48721a

SHA1
ce79df7c80926a86b0e1a922a05bcab16c7620c4

SHA256
0bc76b0a74faa8d4d25cfa28127c42750e86004af7a10d590e07a33a89726b51

SHA512
aa3438c4a09ea9c0c52dccb6cba636ac99c11b47a5b78317869823d6c39bfdfa304f40e67867b8ca9c4269efaba12431ae59a1d54c671f38acb9e4fe3d23da54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
10KB

MD5
3e30571898d35e2bd1bf01a0ba256081

SHA1
c31d0c66a203dbb889aeaf3aaf97f34483ebab38

SHA256
8b70ec3a637b5ac64f1484dc2610595c3f50b0ededebcbe636fe7bebcb3f9064

SHA512
3f69f3f7b9ff88e86bccb4169d05a68a179ecaae44fff40841c7074642b418558a7e35a3f65773d51d63280998221acc39692c39a92a3b746011538c8ff57965

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
13KB

MD5
c0571c02c011de604aeeccdb50a675a8

SHA1
adb9893d6490a8b1811de85ffc66e082f6ec3b75

SHA256
cc5579a846fa93632b9d7d3168441066d6cca7a3adb53681dff94f793e0fa407

SHA512
b3ce44816d69d95b63d8b138142a84f147cbda8e420041b442a2b0e4c513f449dfdea6cf278792a932dc3670c637f53a07f9ccba18f0f17d7c65edd946fbbb36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
270KB

MD5
6191aae8e5022ee2294f1312f948f53a

SHA1
902802c4f5cb310a5087428656d8743e20a4ea82

SHA256
0507ea21803f375cbea0a6c65f2b61b7fb793919ad67bddd4c5999bf48f09955

SHA512
ed95a89972f5114236d289b2b02c1aed3dadf97eb7b0460004796fd0702409c1a2ae047985ca468acb99f8a7c175eacdb844e9920d9393c43b656ec0dba4177e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
4KB

MD5
ee7ec34c7584e306b2a29da88cafeb19

SHA1
47ba4ebf7caef196cbf736260e7bcc5f58c4506c

SHA256
99729f822b65e8c981bc59756d511472f39d3e496f2be8988f2b3c2c81b642bf

SHA512
1a0f68aadd4610cbb55cc3866531a1407fcd72ee85f31406569556347852c11426ca1d877a5fd71bd0c65f97658a4f6064dca4dce37a52a81ddb16aea9bfba8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
6KB

MD5
cf086bc3cea1afaea9d6aafa4187fd1a

SHA1
907aa2d7d41e6c9066a7ba8901d73a40b3a0fbab

SHA256
8b0ba6c2459539656e1007f63909bec633cdd2778bbe4cb49e98ad918e43250b

SHA512
e63df1c63677b143f11d51e823297adeb4328bdbd34de34099a0743b385476b22f1877f3ea42205c92498ddf00906c6e4edbaa9618f6bf7ba2afba246dd97a78

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir848_384703575\3167628c-00b4-402b-b785-8945be5ed277.tmp

Filesize
88KB

MD5
2cc86b681f2cd1d9f095584fd3153a61

SHA1
2a0ac7262fb88908a453bc125c5c3fc72b8d490e

SHA256
d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c

SHA512
14ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir848_384703575\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Roaming\7bed6d84b3e2edcd.bin

Filesize
12KB

MD5
2eef52f59024a705cfef6005605a1dbc

SHA1
8045182ecf2fa59b8cc39c8a279cd3e323d9dedf

SHA256
3d68476e2567af07484a2703f7889c689d1fc197d4769076ed6ec653b757336b

SHA512
d4dec4567abf174f5d1cc102b56c1912818041a634c7b331030103827c6a1240fa2848aa5c33bbabb9eb943e71c3aaac33edc931d5df37a7f93617d7c5866de5

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
53b9eb9fda5fc2dca4faae66ec4b4d93

SHA1
fc8e66c95a1b8d2603053d6945a4c116322ede2d

SHA256
b40f94410bf33b91775b72387b23d85546fc57a010a6b71cf32413a2d7cda514

SHA512
5caa0c3f7841b969a65197fed8a2f9e81e23f1a1236908c8b91ba12a344057b2c965ff8fb5163b775a2f6836edb3412aae21729334a35ceceee062a8fd613fce

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
cd5444437190842f8daa28c4e70ff05f

SHA1
4b089311d2af427565f934b019aa60c4fb70e64d

SHA256
5765b85caaef95d009f3dbb2ad1cac3833823a82f32ff4e9fa26e25a98c153c6

SHA512
c783884576adc7f87ed232b64f2f61df8ae36f16b3bef254f79e41422359529dcf204feec77ee9f2bc47af8582073215d5cc434a2064c6717377705010b0ef6a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
84d23e0bb19d1a54706d7f955a663396

SHA1
fd94fbc09c2ab79f20065e0a34dbe634fa9ce63c

SHA256
56cc75dd80b8275169fe5269fbbc36c1f228861d875cb14a9779248459000de0

SHA512
d30231004dcaa4c72a017eaf44b1b8d5311f060d060f9e7457c274590cf6672a1d999363b99d520516b6deaa833dcd87e5ef1a696314201c6c0432397e73d7df

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
d893ac0d920fa1b3fcebdb04d905c2fa

SHA1
86bef1a7fab472c58466e6eccb5a79862379e73d

SHA256
0980298190d22a92e4f9afd6b71cc19ffda203dc2fd3a8997c94c2bce3ba1442

SHA512
a7283f1759f912b53a84d735b6cc76375ff4b893a158d28fdb482f85cf839946878641f3d1c6ae09a019f97d613f82b5b39c901e4235a2b412917b5decd66587

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
7023c433036b1aa089eed47f86ba4001

SHA1
011233044e05398cbd6200fb3842c2215e1b74eb

SHA256
bd9a7d0741584bad02a8b101c96855338045cf44d29355ef2247e07d2545f60a

SHA512
9a3b09ef2eb2682fd5ce07cb2343acf482c69c81f01aee11956721fd121137fc0eaf0d9eced02e657c240a2d1f6c7e2313ca978876c96792dd59cb8b5a8fba97

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
59dfefca8e90ca3e5adb3ad5c148cc01

SHA1
f8a8b0a811295a64821b558c03ccd4d6957d65d9

SHA256
294ac2a50aed6aa3e94516e46c9d4ce9757a05d1830118d01494dbb6afaa769a

SHA512
d4f8a4fb76610bad127708c1d4fd8b1a9b76534ef44396bea447368a05056c099b0bfb5962e989d12ff8a5a8b0fca04a59e959e823db9a79fd7ee1f45ad29d73

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
a15b6ccfb884cca4694c427d3cde855c

SHA1
4d2476b0817557577a0927398cc0c37c5d39abfa

SHA256
3c150b19596211fb1e90b971da2a4e7facc92cf6140d56dfb27be0abd2dded5b

SHA512
aa7f275dcecbcdbadf11350dd808259624a63084954c7e8a001fb083a909d50f70d10565b75c96ef09fc1b17cbb680df49dd2a6417547a3fb4e435236da1af8a

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
965b0107c5ff9034abb74b93bf8f97bf

SHA1
d68cc27b333ae746ec0447146175af9caba31662

SHA256
9658c68891427b31d8721bb9ac203b3399db8628c793c24e4d9404a556ddae01

SHA512
3564ebc9d6ce7d5443bd70c5af20755fe4789acb5b5f640ec12767841a7c10e51742e73121618280e80b399fcbfdc7de74fe3d4aa2a0a25ccd98024f908d68cc

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
fe6fceaf2d6ecb41fa91667d740d0d39

SHA1
f4916c40067b1debf94856d5abbbe98a47776094

SHA256
4343527c54d437ccb45b563b4e4a610a0716cb160a87ecbdd46095fe7b752e9b

SHA512
1527dab5b2d7991ab9c0e2dfe7a1f11c7400fd62b277f207b10f54d7e2e7176af0b3656011430d21504bbf577c56811032528318463e199724895c772f3d4069

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
fd18513625defd32e7a28c6f390e179a

SHA1
d6d549b764cd4d8595dd4c43b871ea1160b5a8e6

SHA256
2bdb33838a0eb01b1abd80afe90d53569ca2f784504b4ea936c95a1a3e8791f6

SHA512
0ab8f792a1e7f88eec885d7b5102fca810974687c08a3867b52d073e17d30849f6fa806bbb657d88bc6a34df20c55177ae41175f5de6cb943757a02e13c11c1f

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
21e05ee6c5f7edaaa7f386d2831bba4d

SHA1
c5b87b702c65dc2f2360ae138798ba98ddb3b418

SHA256
37ef05b1ea150762d17aa08fd1bdbd4413c97d34c9e9a783de2fdef3e2101a6b

SHA512
333b2123c142b5e9e28a31246430fcb909e3ebcd5d2a542e0a064289d9012552526d72a5eac0487e563ef968516759023691232e9c4f2772247c102d25738a32

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
c5371f9eaadc7ab386e091f88748bade

SHA1
8914a834d411fe82dfc24fd84e505484fdc4022e

SHA256
a0f5e73fc392e5ee652a997d874d1d173c1ff63d59422120373587b964797fce

SHA512
3f4b7d72fa119763e20ed00c2081f8b950a5f26b84dba969c31226ba1638adeccc7954aeedea598dd85854a471d9a3a1f8b339d9c8447aba26baf480e1b1965d

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
4a597c7de15f1e774d3c520dca704260

SHA1
2662182ca3bad1e4ca5e75bd97500589753a0653

SHA256
68791a1ec0671502b39b83699a355153153527bed0cea89c346c6688a3e4410a

SHA512
e2c86601fd3b6da56f322f724262e01492cf4038efa049b08087db17ef1c039d152a7f8f55525786329e8936a87af4bed4e97639f48aa45a675fdd5c5ad6fea5

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
e24eebd6544cca06357c7c47137eda32

SHA1
12cfc8660a20f6ba2e5d67656c08691498019752

SHA256
77a89bb449e70cf3e871ffa24006d4b6f15d99158f0363f6ebd3846c5332c74f

SHA512
4dc41e65491b8ba42c13cbe14107330ad5480cb09c1bb22fe1716b33d4a16084374ce21027689b61aec189c4e81464e6dd70fcb0558260678ecd8fd4e7cfbb7d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
752d0755f344391cc8446fa0a7e3d6d3

SHA1
9cbebaa83d0903129ef79ed76fb2840d5e93d0c5

SHA256
afc45e0dc386bd54e28ced3250256a77aa50966d44a1806f7f7b24ae5a579cb8

SHA512
25bdd05b044495af5453cd90f14f7d03a5fcecf1c6e132cf44810a071b3cc30fa44773e3b7ce6265dd63d6915da01c7b52d857ea00357e55abf46cc8404ac3db

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
fee44d6d6aad6ae63b0520bac3335828

SHA1
dc36314bdba3bdd4abc3613e4675d8b94a621b2f

SHA256
29ca499c0291a63da5fc26c8eabd80afe898fe260e13135cd9febfcdb0526ab3

SHA512
e492659a12e6f50bb55b8f6d023620f648adb68d84a3f063ab470a807392c9b1362f009f219a1809f2086935e5357604997c0bac649ea0b658698d631cd8b1c2

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
ce07f37a72cbbee7df3b945daea72836

SHA1
9ecf4a7f8aa6ac92f311d0ca0929bfc15556b5d5

SHA256
e828f2e6bb71c68ffdc29515b37277d711d5d95ed392de8678570650473d854c

SHA512
20082930a03c0b979040b98bf6a42c622f77b6b4186336c1c84077f7fd144087e847a200d4d166b792ce5962f0c7c3e80f13b62dafe39f09070d8f76fb11d30f

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
c3322c8b1fdd9fef5e60fe170c4687ec

SHA1
cd08b2e20e029955cd10aba47126e196651cf8ea

SHA256
db7089dc23568cc567ce7616266cf2adc7914a52cf8a7437718e9328cc67297f

SHA512
21d05deaa9d39499f94a05970eb3501d6d90d92a0f4f38a0de395781cd94004c100c167ac9cd1b270f47e1b73d86bdd817d1e77574ac8d9954f30dcca1be6bd9

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
0e1a0df5323f02fa141b11070035f203

SHA1
4662c48107aebe02429f78dc0ab4328f88ea9e8f

SHA256
169bdddd028372b9c8dc1bbc8bc1a48dce9089467cf7c3b5967ebc20713b1bb7

SHA512
5ef418e1f48b459f21f15f8462fceebbe5da2e16ff4cd02a614a6a508c1a9e28527c0d0778840600c85ba60d412de91e754b3aa0173ac4db70460367a2abc6e5

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
78cef498799f4308727db26c34c61fbf

SHA1
7a4fdc3f116e0855fb7c6626bd1c95f1745d6016

SHA256
61b93fb120d9242586a162cb0300398fae812cae44a0edb784ef1b8aba3347d3

SHA512
7697cfa5bf2604a78a373554c1999f176ab90202775f3c62ba98c874a8b9ff935f8eacbfecdbfba97f6e0f0f3b03991666302e554193e4c34cda6a8288a3f5ff

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
9e685fef8f0d0a1d609cee7f679d8ff5

SHA1
bac3562fb5a5995737978c9e08d71fa0752e0559

SHA256
f7cbb5a664c9fc80d461d4a1a04331798aac8d43cf73ebadac05dd9cfd5a29dc

SHA512
0a1e83b7c865ae4f19777c4ce2fb13e35fd70d5e65a407f3c290c5512834e763a955ac435c950abcc93615b17565998a3248d55ff8207c239b11133bf1552d1d

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
fca4a4480efdfe9a017f694b88cd5205

SHA1
024a9f24441c71cbb01bd1604f64af8ee9cdb3d5

SHA256
b8379fcc13d4d0a472c937250ad7883e9cae9e59811da9a7a370c608fc22e377

SHA512
d440f8d62a225272122741bea189e30da29e5d1c341d83f5ea3c4da3c6af5d41c320b0336399a533de5bc3c166d05315de97bba4fbcdb5e4d23aa3ac1ecc4571

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
11a0a85f7db25595ebb0f674885d4882

SHA1
3c2ce7a0d4b4e49e96ffaeab8d54fc63159946b2

SHA256
53be199a69ef450841b6dbd4d6def9f2fddefe3925d06240ad8002f8ee5df152

SHA512
64222948daf453ef92324a150eb74878f815e220fe5863837219a915cb28fe79cf5fb6e1fbbfa7923909eb1a9bf577a6684062cb7afa3041892c34948701b90f

Download Submit
memory/1220-88-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1220-90-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1220-350-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1380-9-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/1380-0-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/1380-38-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/1380-6-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/1972-403-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1972-149-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2308-108-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2308-123-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2308-116-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2808-154-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2808-418-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3624-55-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3624-95-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3624-93-0x0000000000EE0000-0x0000000000F40000-memory.dmp

Filesize
384KB

Download
memory/3624-72-0x0000000000EE0000-0x0000000000F40000-memory.dmp

Filesize
384KB

Download
memory/3624-78-0x0000000000EE0000-0x0000000000F40000-memory.dmp

Filesize
384KB

Download
memory/3824-17-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3824-125-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/3824-19-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/3824-11-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4492-97-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/4492-104-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4492-370-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/4492-98-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4524-386-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4524-126-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4756-404-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4756-417-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4800-25-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4800-140-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4800-26-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4800-34-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/5108-173-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/5108-51-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/5108-44-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/5108-45-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/5124-639-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5124-387-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5240-430-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5240-174-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5436-371-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5436-575-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5492-431-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5492-774-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5496-315-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5496-453-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5548-574-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5548-326-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5548-466-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5568-820-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5568-475-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5648-462-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5648-803-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5760-536-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5760-351-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5828-450-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5828-787-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/6008-419-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/6008-767-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/6076-609-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/6076-374-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download