1721b1122bb2315eb2cc1f62d6c9a9c54c141a4a6884351cf569ad2ee378221f

Analysis

max time kernel
152s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
03/06/2024, 01:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
Size

5.5MB
MD5

9c6d4c5af56f92f26faf18468d909525
SHA1

0b0efeba5dfacbbc74fa71fb8d0b6cba085beb17
SHA256

1721b1122bb2315eb2cc1f62d6c9a9c54c141a4a6884351cf569ad2ee378221f
SHA512

7dca0db3fef1f3c1f9070ce83f8328c4b983f94d65954139fc427171425b524f5c36a862914b783af0d9b746beccd360c1e94cdbd02d341e8c1369e6d313cb04
SSDEEP

49152:bEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfV:HAI5pAdVJn9tbnR1VgBVmL69CEN6rV

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
208	alg.exe
3904	DiagnosticsHub.StandardCollector.Service.exe
3404	fxssvc.exe
5108	elevation_service.exe
4256	elevation_service.exe
32	maintenanceservice.exe
5140	msdtc.exe
5300	OSE.EXE
5416	PerceptionSimulationService.exe
5544	perfhost.exe
5684	locator.exe
5768	SensorDataService.exe
5860	snmptrap.exe
5952	spectrum.exe
6068	ssh-agent.exe
4716	TieringEngineService.exe
5252	AgentService.exe
5460	vds.exe
5744	vssvc.exe
5816	wbengine.exe
5344	WmiApSrv.exe
5804	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a851028fb3e2edcd.bin	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c9fcf8bf53b5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000a7f8fc553b5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000479bd7bf53b5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005f42e0c053b5da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f99e5ec153b5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cee00ac453b5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b95d85c353b5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e43fc4c253b5da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
948	chrome.exe
948	chrome.exe
1824	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
1824	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
1824	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
1824	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
1824	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
1824	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
1824	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
1824	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
1824	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
1824	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
1824	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
1824	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
1824	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
1824	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
1824	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
1824	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
1824	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
1824	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
1824	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
1824	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
1824	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
1824	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
1824	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
1824	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
1824	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
1824	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
1824	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
1824	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
1824	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
1824	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
1824	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
1824	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
1824	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
1824	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
1824	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
2432	chrome.exe
2432	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3580	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
Token: SeAuditPrivilege	3404	fxssvc.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeCreatePagefilePrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeCreatePagefilePrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeCreatePagefilePrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeCreatePagefilePrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeCreatePagefilePrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeCreatePagefilePrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeCreatePagefilePrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeCreatePagefilePrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeCreatePagefilePrivilege	948	chrome.exe
Token: SeRestorePrivilege	4716	TieringEngineService.exe
Token: SeManageVolumePrivilege	4716	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5252	AgentService.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeCreatePagefilePrivilege	948	chrome.exe
Token: SeBackupPrivilege	5744	vssvc.exe
Token: SeRestorePrivilege	5744	vssvc.exe
Token: SeAuditPrivilege	5744	vssvc.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeCreatePagefilePrivilege	948	chrome.exe
Token: SeBackupPrivilege	5816	wbengine.exe
Token: SeRestorePrivilege	5816	wbengine.exe
Token: SeSecurityPrivilege	5816	wbengine.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeCreatePagefilePrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeCreatePagefilePrivilege	948	chrome.exe
Token: SeShutdownPrivilege	948	chrome.exe
Token: SeCreatePagefilePrivilege	948	chrome.exe
Token: 33	5804	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5804	SearchIndexer.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
948	chrome.exe
948	chrome.exe
948	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3580 wrote to memory of 1824	3580	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe	92
PID 3580 wrote to memory of 1824	3580	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe	92
PID 3580 wrote to memory of 948	3580	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe	93
PID 3580 wrote to memory of 948	3580	2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe	93
PID 948 wrote to memory of 4628	948	chrome.exe	94
PID 948 wrote to memory of 4628	948	chrome.exe	94
PID 948 wrote to memory of 232	948	chrome.exe	100
PID 948 wrote to memory of 232	948	chrome.exe	100
PID 948 wrote to memory of 232	948	chrome.exe	100
PID 948 wrote to memory of 232	948	chrome.exe	100
PID 948 wrote to memory of 232	948	chrome.exe	100
PID 948 wrote to memory of 232	948	chrome.exe	100
PID 948 wrote to memory of 232	948	chrome.exe	100
PID 948 wrote to memory of 232	948	chrome.exe	100
PID 948 wrote to memory of 232	948	chrome.exe	100
PID 948 wrote to memory of 232	948	chrome.exe	100
PID 948 wrote to memory of 232	948	chrome.exe	100
PID 948 wrote to memory of 232	948	chrome.exe	100
PID 948 wrote to memory of 232	948	chrome.exe	100
PID 948 wrote to memory of 232	948	chrome.exe	100
PID 948 wrote to memory of 232	948	chrome.exe	100
PID 948 wrote to memory of 232	948	chrome.exe	100
PID 948 wrote to memory of 232	948	chrome.exe	100
PID 948 wrote to memory of 232	948	chrome.exe	100
PID 948 wrote to memory of 232	948	chrome.exe	100
PID 948 wrote to memory of 232	948	chrome.exe	100
PID 948 wrote to memory of 232	948	chrome.exe	100
PID 948 wrote to memory of 232	948	chrome.exe	100
PID 948 wrote to memory of 232	948	chrome.exe	100
PID 948 wrote to memory of 232	948	chrome.exe	100
PID 948 wrote to memory of 232	948	chrome.exe	100
PID 948 wrote to memory of 232	948	chrome.exe	100
PID 948 wrote to memory of 232	948	chrome.exe	100
PID 948 wrote to memory of 232	948	chrome.exe	100
PID 948 wrote to memory of 232	948	chrome.exe	100
PID 948 wrote to memory of 232	948	chrome.exe	100
PID 948 wrote to memory of 232	948	chrome.exe	100
PID 948 wrote to memory of 232	948	chrome.exe	100
PID 948 wrote to memory of 232	948	chrome.exe	100
PID 948 wrote to memory of 232	948	chrome.exe	100
PID 948 wrote to memory of 232	948	chrome.exe	100
PID 948 wrote to memory of 232	948	chrome.exe	100
PID 948 wrote to memory of 232	948	chrome.exe	100
PID 948 wrote to memory of 232	948	chrome.exe	100
PID 948 wrote to memory of 1004	948	chrome.exe	101
PID 948 wrote to memory of 1004	948	chrome.exe	101
PID 948 wrote to memory of 3652	948	chrome.exe	103
PID 948 wrote to memory of 3652	948	chrome.exe	103
PID 948 wrote to memory of 3652	948	chrome.exe	103
PID 948 wrote to memory of 3652	948	chrome.exe	103
PID 948 wrote to memory of 3652	948	chrome.exe	103
PID 948 wrote to memory of 3652	948	chrome.exe	103
PID 948 wrote to memory of 3652	948	chrome.exe	103
PID 948 wrote to memory of 3652	948	chrome.exe	103
PID 948 wrote to memory of 3652	948	chrome.exe	103
PID 948 wrote to memory of 3652	948	chrome.exe	103
PID 948 wrote to memory of 3652	948	chrome.exe	103
PID 948 wrote to memory of 3652	948	chrome.exe	103
PID 948 wrote to memory of 3652	948	chrome.exe	103
PID 948 wrote to memory of 3652	948	chrome.exe	103
PID 948 wrote to memory of 3652	948	chrome.exe	103
PID 948 wrote to memory of 3652	948	chrome.exe	103
PID 948 wrote to memory of 3652	948	chrome.exe	103
PID 948 wrote to memory of 3652	948	chrome.exe	103

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3580
- C:\Users\Admin\AppData\Local\Temp\2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-03_9c6d4c5af56f92f26faf18468d909525_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d8,0x2dc,0x2e8,0x2e4,0x2ec,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff984f09758,0x7ff984f09768,0x7ff984f09778
    3⤵
    PID:4628
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1756 --field-trial-handle=1720,i,623511262890187828,250019869822591583,131072 /prefetch:2
    3⤵
    PID:232
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1720,i,623511262890187828,250019869822591583,131072 /prefetch:8
    3⤵
    PID:1004
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2200 --field-trial-handle=1720,i,623511262890187828,250019869822591583,131072 /prefetch:8
    3⤵
    PID:3652
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3108 --field-trial-handle=1720,i,623511262890187828,250019869822591583,131072 /prefetch:1
    3⤵
    PID:4804
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3128 --field-trial-handle=1720,i,623511262890187828,250019869822591583,131072 /prefetch:1
    3⤵
    PID:3340
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4576 --field-trial-handle=1720,i,623511262890187828,250019869822591583,131072 /prefetch:8
    3⤵
    PID:4792
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2988 --field-trial-handle=1720,i,623511262890187828,250019869822591583,131072 /prefetch:1
    3⤵
    PID:4700
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3732 --field-trial-handle=1720,i,623511262890187828,250019869822591583,131072 /prefetch:8
    3⤵
    PID:2452
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5008 --field-trial-handle=1720,i,623511262890187828,250019869822591583,131072 /prefetch:8
    3⤵
    PID:628
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 --field-trial-handle=1720,i,623511262890187828,250019869822591583,131072 /prefetch:8
    3⤵
    PID:5472
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5548 --field-trial-handle=1720,i,623511262890187828,250019869822591583,131072 /prefetch:8
    3⤵
    PID:5824
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:5368
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff7f8057688,0x7ff7f8057698,0x7ff7f80576a8
      4⤵
      PID:5296
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      PID:3572
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff7f8057688,0x7ff7f8057698,0x7ff7f80576a8
        5⤵
        
        PID:228
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5040 --field-trial-handle=1720,i,623511262890187828,250019869822591583,131072 /prefetch:8
    3⤵
    PID:6084
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 --field-trial-handle=1720,i,623511262890187828,250019869822591583,131072 /prefetch:8
    3⤵
    PID:2432
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5368 --field-trial-handle=1720,i,623511262890187828,250019869822591583,131072 /prefetch:8
    3⤵
    PID:5808
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4992 --field-trial-handle=1720,i,623511262890187828,250019869822591583,131072 /prefetch:8
    3⤵
    PID:6312
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=4868 --field-trial-handle=1720,i,623511262890187828,250019869822591583,131072 /prefetch:1
    3⤵
    PID:6596
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3632 --field-trial-handle=1720,i,623511262890187828,250019869822591583,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2432

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:208

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3904

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:756

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3404

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5108

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4256

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:32

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5140

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5300

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5416

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5544

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5684

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5768

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5860

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5952

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:6068

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5148

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5252

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5460

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5744

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5816

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5344

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5804
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:6824
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:6872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1348 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
1⤵
PID:7064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
b492ad8b7606b93011518a33272c3cc1

SHA1
3f57033cca1d72ff701670398357482d5b738a4b

SHA256
87311893862cc9c1edf56e76347847d66398d74ac2526933e4f6b3a8c33cf1f3

SHA512
cb49328bed34f8921aff221e1f27fe4ce10df9012470a6bc92de6185cce22b501f9e6f4ea3ab1c268acbeb2662cc2e092467b33629c17986403da562c5fd65f2

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
91b94805cf963ce5203ea6529443e66c

SHA1
bfe88c19a5161ff7091220994b939803d36e277f

SHA256
7f3974d2c346acd1aa0e3e260893304dce46baf03387915591121eb21ecaabb5

SHA512
2db969b730b8c39ba8b2822d828678cd856fb7ed4139075fb2c938a863e8f115e4f87509f13e2a30b5a44621b4bc1434f945964dda3a737bc99e3aa8946c1ff1

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
f1020de7d3f35ac9957e2b767a835372

SHA1
6193e325f52dfa10a8a4fc5f316889611b5b5108

SHA256
3407e996450adcea322ff90e6564cc04bd2a1ecf5fb702584e58c2bf90d4449a

SHA512
a7358845e1e5351c4c261125ab65099f54bf25029c45474c399bd75cfa26ba0ce9137c27b07a77b44eacb398f246d6bfbf9eab705b8716edf43382d5fb51b8a7

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
e0643101d79e32169f96f03515dc2c5d

SHA1
91c3413c176c2c9aca8d0e7ee1c0491b92784d17

SHA256
ad1721ed3e051af442846d6c1f3cbb8fb1b182f36f33cf9fa530168a991759bf

SHA512
0320ea2729313a32874fb05d0f3cddacf03d6765ac2e5268abbd79277e973fc0b113e300b14991f858a1d82a135c1b119deb331c28f12fedad17c26ff1831fad

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
3e9d2f1a186f95831d911f63d4c024a7

SHA1
c3f8274949b58d6c92e54dc139c41700a4442e70

SHA256
e54a3e9e912e395b3e790a7e85bf813d9ba7e044f3e2bcdc5692aad38249c7a7

SHA512
b65bc7ea9de5e2a32278822570ed387131d45895efd4e67a1b7cb427f1d964fb22cf2124cffef8e33f5cf9426efbfc0a6f9e141169b500f4ece32865f0bd2b76

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
8e65da6dbf230a11ac54c5396cdb38e6

SHA1
eb2d298881e8f7f5ebb43483be4569702ec2b04c

SHA256
61f953873ea585e79e96c7a19a1a8874f6fbfa8d6e4c4865d3fa5de1a4b4b9f9

SHA512
cb5f5a0b0d2f7106d24518b884fae6c49c7dab4afb37b3f5fb5023e5961946a53f3744cf632329c394ba04012f5aee52ccb1b43548b23d4fa59c8b44aa09a276

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
b92659517fb2058304ed29d5a3fd3a8e

SHA1
c9929cc388fc824e3bb0bd22b43efc7488391b35

SHA256
51468398b292cc3e164e0ce7cf3102f0a64f12be8e9e62bbcbc9400e401bce54

SHA512
7811dd7da0299a950e27b3e1b77d635ed6d352178a154db4975ae6bdcd8fcf320600b568f69c8f7ece31c718f85d3fd2c0f718ee99db1c90951a1b3e85c789a7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
35b87b2654e98c86dfa9750e74d0792b

SHA1
be644c3aff2e9193a0a10fd9c712d4a788451ae8

SHA256
73c85043a904ad545b29c00defcf21d573312903d4a1b8d8a3052a2dbb96e91c

SHA512
1317e71cb3e2c7480c3daa1073e4d356dd824b15f099b25ae8574afa35e648e6ee31e9c0f0ff1c3c588ef0c09b20000190ccad41fa023746c2dae9c2c1b7dfe9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
db77fb4cad916771b1aa98fbd850710b

SHA1
3c3d45c8f376f060359243ad3d547b17ab3c66f7

SHA256
1085df7fef0a96674af3fd4658423f0fac4cd26dadab29b654cd909ff5487600

SHA512
a3dcd726d895d6cc5e60193907ae413971f370b061e5eb279f5c79fa7520ba31919c02606cefdb25e0d8e04f74a578ecb3bd69ce77b205922e124488fe69d34d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
3d0f7677a1869bde0d7fd57f3bab459a

SHA1
622c1a5e4562133515ac4a4e9e63fb4f4f76c6aa

SHA256
17f68f9e88ee0e4c0591176871d9edfcc87bb1f08686aeb7e7767b8547a065e3

SHA512
96724f25e29a3718d6a7dae6ddc78f23e25ef1308ba9d4dbadbe3f64142068e61d148a1721ffc9e0898e3d0357ac44c75826694fc8453ec78d735c213eb2c7da

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
4b9cc742d2b3308d4b713664e12512f4

SHA1
be7bbf8e2876d228333ad585a5c74eeb0b424d2e

SHA256
f95caba3a0982c4da5e604fc0521bcf4c7a014187b9b6a9ef9dcc21c3b8ee0f2

SHA512
4bd0994d48240e06d02b780d33713d248079d37bc821b31cb5400e47992d883e8351d0e10654b3d44801b400979d1fb4da8825d9c7d318249c58d9f48df308cf

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
06594c47aca1994a8090b3eb959633be

SHA1
3b995005d8b1f7a815f8be97bf744d45763e1214

SHA256
18559b2064ab976790e46481a7a6cab27cb28390b5511f11d3e73e4445341a75

SHA512
4b805774976e80840e4a7630729e7d57224071523a31c1447d9d39bc2d32893c25e787d8a3e05b9865e0c04232fa4d1feb2c5507cb85b922ffcd1f922212d841

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
8ede9be6b2dc2faa0b8e7992ed1c8f03

SHA1
0f2c26080a2cd185a4d75dd8ebf675455ea9d044

SHA256
2c6806c066b35920ccac9e4b155da8c313dba175b785f661af4ddf1f793b3d39

SHA512
8c7a8338eec4331d0a7d069d7a970f6d2b9face3c46352d960d97ab57faa4de8751b5d2a0dd0546afddbfd397ddb5cc14dc3a7c7bd153d4dfd5cb6c3a59ba59f

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\81613e40-06be-4fe6-93d2-604993447467.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
9b07a4ca0bdeb41a51e6288561aec5e1

SHA1
43957a835acaa0ada1344801a13ba398a7e3d707

SHA256
f85c78089696bc960d0558ec9adafc6235aaaee8c6b61c255209a098ac111571

SHA512
bfde8e7d9679fc0100a8a5b020742e7275e9a6c6016c62f1c04c178b6a566e9c31e34ceccb39c7328d5cc319e8d5d1c8f865058a468b09c6ee6257e39ffeca23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
85cfc13b6779a099d53221876df3b9e0

SHA1
08becf601c986c2e9f979f9143bbbcb7b48540ed

SHA256
bd34434d117b9572216229cb2ab703b5e98d588f5f6dfe072188bd3d6b3022f3

SHA512
b248162930702450893a112987e96ea70569ac35e14ef5eb6973238e426428272d1c930ce30552f19dd2d8d7754dc1f7f667ecd18f2c857b165b7873f4c03a48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
1fb2a197af8bc8c9a4a71f06c401f4cc

SHA1
2a29f91afa9369bf4100c48669dcbe76f1630e4d

SHA256
c7952463b323050058347016e0640526706e7cb6b6e5f883ef79b98720c43bb7

SHA512
37a03a547c6915bfdf4cafc7ccef9c518b1b089ead523170532a096d99c99780d04c2d839b9cadabc54fe3bb481309039fa24fab2a74b768c48d13fe0ff0ae1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
8915418cd889b94ff9d83429c5eb0758

SHA1
a7dae2d2157ae9ca7c531e34e1ef919c147b1dfe

SHA256
5a955d28d5024b82b7f69e82ab157333e3a9fcd9731bcafaa84e6aacdf85d216

SHA512
526c17cdffd194fb1bab46c9d191c916f25e8ef4cc04dc88e468c95fea37618b9f7c4ec589edf53e60f0e1418fa984237d96e35ced0809d5e110e81cecf966fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
cc0246de7770f6b9a3f2c7b0f99a9a79

SHA1
d63abc1d26110e335f954acb91a957e047dc48dd

SHA256
db0c33d281e3e4b7ec6a2f5dd49b67e2d3fd0eafcff8d76de20c995128789a28

SHA512
ad10b27ae688b862607775eefaf6f030c903c83081428290e6cea50e8a757633cb1666c614891d23e9517870373d6cd97fc2c82b9e551cbc8e4e63840f56377a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
bc4f981386fc5610ce9bc8beae0b4999

SHA1
60d4fee29858a57c9bdd1b045056a615e02c43a6

SHA256
dcfeb153a750e2de4a3301901db5c9ff542e183146de71952c58b5593ff67415

SHA512
58952bad0b8bca39aa6f386de470c74641f89723987564e808e6c44d937aae0899ba57bcdf4f79daac5abd700bcedcaa38e33d41d97128dec99c22ac63d14404

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
440db37fade542b81d08e76de403ba1a

SHA1
60966b4e41e5105c2a5d1804f9f5de021db3ef81

SHA256
26bc620484796b9fa798e5fb0ade4aedb4cb46ba76484ba4d86976fed03b720b

SHA512
a1dd50fda68dcc4c334738c0730154ee28ed973216687a61cd1c7f6d4d9c16bcc699d0c4f8c96dad7755f860083acdace7a625a616c8499d0134740277494a78

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
f63519cf6c0c6a5d6c4894793f3d365c

SHA1
f7df39dafc2b4cd32ce40d65d267d3706de32e67

SHA256
fd2e74536f62bee06c19e413687fb67019601849f1901a1c8a5b5c402d9ea1a6

SHA512
54c1dcf0d51836b01e8c0d49b8d12873a91d9db6b4d3982e1db08ae574cf5ec3053eaaf905d880278e46f53157a49814b7002ddacd749ae99f39b3d06f41b2bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
3KB

MD5
343851f55f6e6a3d230bd8f1b9468018

SHA1
263347536fab2912e2a944078b9466a615ea7a42

SHA256
b1ce0d3518bd06f5fafd43d8b5d751041054e80228bcc7925cbf1c3c028b19e4

SHA512
e9f5d6f09270794ea80f7b450bdf96fec9af04f1345134504664179c4a89ed714be7083357ede07c658795e96354d0eea7b766f3f1c9e7f23b70a0aed045399f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57fdf7.TMP

Filesize
2KB

MD5
04695aadffdaf28b5be826d27d48721a

SHA1
ce79df7c80926a86b0e1a922a05bcab16c7620c4

SHA256
0bc76b0a74faa8d4d25cfa28127c42750e86004af7a10d590e07a33a89726b51

SHA512
aa3438c4a09ea9c0c52dccb6cba636ac99c11b47a5b78317869823d6c39bfdfa304f40e67867b8ca9c4269efaba12431ae59a1d54c671f38acb9e4fe3d23da54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
10KB

MD5
26ab4e7a3d92a00732b302572dc77aed

SHA1
080d38f2770ac34a1bac2f57b7770c5757421aef

SHA256
9899143c52ce4c669fd7eecc934e9ad4f1535eedf770ba12e7dda79899bdd519

SHA512
219368c22a8e89fcba858803aacbbabe3b36a1359c70389aef436fca463ab4e3a7a41fb64305bf94f0f7f64ee6a2ae9bbb55d9bca0f616282f5cdaa5872fc6f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
13KB

MD5
ca289e7f35e6e0ae059ed2ce1e16831e

SHA1
70585971210138c29b498c1cdccbdd4af1ab083b

SHA256
bec88330d8798846ff39a102a36a16b131c273c5049125215fdc792adf91065a

SHA512
3dba2a510275564b912d96b108fb972e4c8a320183d4654ac86af4946f1d79c01af952f70d0961e7854c150aa1dc33c4e18aa56c462e60bee56f034278c749a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
270KB

MD5
3dd1de6b7b5140643f21b13975ba0a8a

SHA1
1803fff705d0ee24a8a1d21b3458d24ecc075d50

SHA256
4c54187f4fd05d14c7af620db2a6e79562c24869bb392c64ae2299cca1355a13

SHA512
4a5a0dfe7ba198b099fef491e8aa79b0e03d72497c4f35c8657741fc300044a13b0b57225ed52deaefef251cf58aa4adb77f80869ddd61beb4a6ff12ed24be41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
4KB

MD5
a1348e4396532f114eec2de228401690

SHA1
75c71812620e0aaea994b44ed60e894056791bef

SHA256
01dfc6d754dda30caaf2b29c7469ac66e556929eab65e0ec0d7f6aeb30d48a2e

SHA512
54964cb95e440310dfc8c8f8deb3d69ee77879f27eeaab047decf4631bf13b4d86428f4043c24fc7f88c6404e3cdab72f988df173388ca65f5d961f73ae0b151

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
6KB

MD5
af40646795df9d1d5a76a51d6ab92638

SHA1
ac9c66636ae5194f5da4ff2f0957505f7ee2a4d3

SHA256
24b3794c23592ff1371fb6fab02b93351ff0ace37c617260d9cd92492d45c358

SHA512
f3edc9649f1f74e9661ace14233f0c775cc798fd8b3ac697fb8e8dd9e43e93c8d679af990fd9e0d609279e6ae9501928dce8c34d0f588cc19c8a42d3222fef23

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir948_600693224\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir948_600693224\f1f1084e-8a60-4728-a559-fac73f9e65bd.tmp

Filesize
88KB

MD5
2cc86b681f2cd1d9f095584fd3153a61

SHA1
2a0ac7262fb88908a453bc125c5c3fc72b8d490e

SHA256
d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c

SHA512
14ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986

Download Submit
C:\Users\Admin\AppData\Roaming\a851028fb3e2edcd.bin

Filesize
12KB

MD5
16ac12b23eea327b108dfb191b9601bc

SHA1
927502994bab1e33b46da5015806457f96b7a7c3

SHA256
f39f432c1504fff70a052bb910f97f73cfc35d078fb4efe77e04823fa9cc3757

SHA512
41662b9f70cb655f89f5c25ed88c99605848f4d7b47072886f1da054c2c39873c8ba98bd6f3eecad5bbae4b98edbb5d32ff300fc1f7aee3f0633396aee36ea4a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
61879507210b261ad5e08bbde3254050

SHA1
4e021a3d3eb191216cff67e67a8370d8321ed756

SHA256
520228c23fd533a391b3428640be5745d849fc636de5bc3191f79e67e4796ad3

SHA512
46290b1759d23b8d6faa9c5b3bcf453ba1309ce7419e3d9914bcb30d3913e3bdd58483f92a6fcadbc7950f12b334d59e5bea7a6f353a372151032b18d5d1db6d

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
8b46d5f323e580b2fbcefd783f9ee98f

SHA1
6083edd90a00ddc2c4a19b2728bc4dbca9976b2f

SHA256
1323f16030807cb05a4c2baaa6028c33a064461968357b904083dc0b64594edd

SHA512
9cc68c67d4df13187a80752b55bcbd0ba46ceb7058eec387107ed7b95131ae04f8b93fe91bf98659a7ffad97ce23909b6316d7e849ce3f7de1efeb837b3b5dd1

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
c3fa0e5f26f92be9c132fdca2a1759ba

SHA1
87f208d4921f1cc47e943ca7ab8930e04d8e70e4

SHA256
e9dfdd602bf248014c507bdf883348ed4c0a9899d5c84409ed63ba2e4281c119

SHA512
313523044b386703a53b10df8c5b9911ac39d148b2604cbff1257599377f1b28af9fd1c7a33b0708acb7d984a38ece5ce160f3434e37526b88ded4ccbbffb427

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
c7d2e41e7d57fbd08eb44213475dfba4

SHA1
9c68a262274cd78b75477470d3f9d5a16e30029c

SHA256
de75b123ea84f09ea58948578ac2cbb6b79407a284360ca1b5f37944eec31281

SHA512
eb31eeb5adc95ffd70e6bdd53e63a050a590197244c9858a87ed9cca3c60a6294a282d98bfddf0f21d3613f2984ef0f5ad21736420530382526e234983e71efa

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
a5648bcba6f2b0cb257c6574b918ba59

SHA1
0a9ac8d39054eccb3669d6f1dfd5b9739b2d5edf

SHA256
25c80e85a5151f99348b5c260a456ae6602d73e913f78a3150311c084b456ec5

SHA512
638bf28a55bb2b3a8af3c25825433c3925b1bc3b9cb9515c5ce3d09498847805edb3e2ea3d5e1fd4dc71dbd497b83c55bee3b512fee15fe383f90f1da6d7ce73

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
af792a720ddc6cab8e9d38b40abb7720

SHA1
a199d3b54d54cfd210df9759f65f4b13b64c9544

SHA256
a59df74c027456401363dc01c0c0fc40a25ab6fde6f9fc37658167cb73896a0d

SHA512
67e5ec41232507a4fa3882908cf7d0a0837dabc67ab8365c9be33b950f38bdc21e763ce43cecc413604fe11eca91639e6e0396d2fcc50520cc00b805977871f4

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
de71a4a8516fa7b5e55ead8c7e9a6df0

SHA1
51849d3ae9bb38aeb9d322295fb670fa830a3922

SHA256
ac4e0f000db7d360017f10cf92aa2d8823328787fc134a3a706872ed49695c0a

SHA512
739954c0411f0a8694d9dccce3c3adb214206b922342b402a34cbb860b24f50970dac61d54dc0af4d287cf7dcd856f20ef2f801db7d9731a69eecfda410e8c68

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
27e0b5252c759547c9d7136d7f97e9e2

SHA1
b968869b12dc73af604d08edac94f9105b833498

SHA256
869458ce98a19e058fe2f26117c230fd9fc83f7a1be254b1fdcfffa33a921e74

SHA512
3b5e94f546a5fe19bf10f8ebecd4182e95f0f1d997d7ae240a0e38f2bb7a485074a7d687b1c39a54b99983b5a3e63111886dc07619e4786185debe85944f9421

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
8e45209c92e47d03a7e6e3d9001068b0

SHA1
874e222028761748ad6270be2096da6dbdd9b03f

SHA256
c2aaf833a531dbbdd6c0e6ecb5934fd854d934c9db7d32c770c0d8d2745db338

SHA512
99bd27e96b9680df1abf7039c34fcf94dc4653b6b0f23181ee61336d85bee613f8075a02bbbcf0c1b844599d0701ab2761d55a5bcca7fc76bc01f2e807e98c5d

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
53c05554d6baf340b6e770fe474cfe71

SHA1
f93975d0d8543ec8b0ef1227c678e8ddf49421f7

SHA256
3bd3cd1a00cb931697f0c77a3b15e9fdfb9315817ad3ab233058c24b81b2fd88

SHA512
211189de1a4941027573a8d24fe54ca0bbec2ef830d864bb7df1512bab90ab0ade281939a74688909df0f01fe97d9bdf16f5288bb81c5cfb681489c3390d26de

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
a0f1670b3161c88784506b40cdba3b6c

SHA1
88129a1511288036d0d31f40f470093f1832ef78

SHA256
1b0b807fbbc6a33ee1db640cd0af03427e2c889850e7a54944b5874a340f3c71

SHA512
577e3a3ac883cd92a213520964ac01532243be233933dcb0a2a76810e52344644296a1d5a94d34cb4558a1ccc76d322d6c8ed8b62421a1d9d0b1be5bdfd07297

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
7b13069834134892687c47b285c37fda

SHA1
274212d9c41776cd872fe37cc8b578c744755f84

SHA256
edaeb7761fafe915f8b9aa3e4bd022503d3f7b638655d81e5b118a1d78c2a788

SHA512
6ae11a2a9d8ae0b3b0476006bebbf47b6f5666ce4c48ed06b80ed49fd962ba823ca941eefec61b6d024d928237a8690ad55a834db04ed6f21fe5d0ac79e3b91f

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
b8f33cb84962bd4a22d43187eabb14c9

SHA1
94b6f25cd481fa3bd396fb2b17c4fb2df6d76298

SHA256
48b450be2b0063e9e17d1c591738b3620ef1741a86b57f539b9fc8067f76fd1b

SHA512
81a2a22bfb691aa61d79ea7b61f12c32bca30ee479c18ebe4b515831c772bf75437b082ba83d824afd7a6cc2a144cb0c58a7d09ea4b5ecf39ac94308ae6dd0f2

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
86e4497de639038c0e8332689392cb98

SHA1
7343e7b2b6bdfbed725bfb8fe66c2804c34bc454

SHA256
ca4ed259e5e01b322b4ffe91ab3efa776799f524286ca088b2b452742fa4e011

SHA512
f921ef0a2dbdb4297361c5ed5d32e7ae6a22d1b4f73380f0c9803d05ab92ae92cf31fb20342a0f918a8172662044817b788144219015605d7bc672aa71d58423

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
03b26f500ac515505c56857efb2d8e72

SHA1
4aa6e942efa5c82ac097decd3698bed0e67d7f24

SHA256
0350af964da90a8ec7f4a74b3d61da227995f4ecda528e9436444b854bf8c65d

SHA512
33c30c4b04efe57527bb4e76f8efd4a3adf987d7d993d52e05eedeb9112709ea7a06a42e8d87f9cb2a9750ec170797d1cf8d03f3a5b460952b266151b62b1e6e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ada7bd527a53a65148f1435df2c88dbd

SHA1
5d6271d120dd7f3a24a2142c6083fec4488b0364

SHA256
da0f10a9dbc87690c4ca398f317e830586fed3e489c6043f6fedab4a2e6e4f5f

SHA512
4daaf3468cbdafc270778623dbbe0cf8ab9cb6b967e012a04720d5e6d09dc23dc379409c47c08b8322d6082964e7a7c1f92996e33bb2d6b6fa94fd37247e0569

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
e606a1c4d6e657aaba23a907a2032fd8

SHA1
7a3801877ed03411ff6ae70cfd33f00fb5fd9567

SHA256
59ff176085dd946804c610ec3e715b1130a07c6b82456ffdde222487def306b7

SHA512
60e8a41dff98e19d913308bebc2f5b1c4cf9a8b8cf19d66b6346d35e68b6b18e1c8a3e4f3f55529bdd51507e5c9967fec653d6df9cccbef0943a7412204b0098

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
085e22a3878b8fe940ebd4a100e18103

SHA1
8f8ec91cef12fafc6bab028ae61cc6f1bc25da4c

SHA256
9ee11d5eea707bfe419ea2418b63adb554dbab9c6bca4775deedff3da96cbf56

SHA512
0f4d78adecf4a4448ec0b4f1c3fa65b65493df3f534d7e114cc3ba02b1dd4b212bb4a4c2cc7a4b7902315bc07a5573f9b137c413691943deb4ecd4048e728661

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
0e1a0df5323f02fa141b11070035f203

SHA1
4662c48107aebe02429f78dc0ab4328f88ea9e8f

SHA256
169bdddd028372b9c8dc1bbc8bc1a48dce9089467cf7c3b5967ebc20713b1bb7

SHA512
5ef418e1f48b459f21f15f8462fceebbe5da2e16ff4cd02a614a6a508c1a9e28527c0d0778840600c85ba60d412de91e754b3aa0173ac4db70460367a2abc6e5

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
6c8e6950403e93ee8c06b4f7fc50f550

SHA1
dd55acfbde82367f94b26344f59d7440f6df9dee

SHA256
230c3e86682b79173f1727531e692e02712adf2a405ec966a63612e8b3e9fbfb

SHA512
8adfc50917a381a41a764a73ca4a014eb0035eeaed389893019c64761e4eba271f978b04db0447683828608d91b820cd8873abf61aefb50c3763911019900577

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
b93d4be5e37948e5eed6cdc2cc341e42

SHA1
4d1baaed4d07132d7545100d45503c419dba4375

SHA256
0aaefdfbbb22fa93dcdbb950cdd468a82d4a332f2711938b76b11175dffadfa6

SHA512
0d903db479acd716f8c8e363a9f54ba5307ba85504e60cc090e3da126eec0bc0e970195cfea27bfde577ab2c0914a09273aa46cdd816ed620017c57eed1cfba2

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
fe511de46d0cd346ff04f60d2470397e

SHA1
81ea61c09d8e514593f88f964f496482c8d924c9

SHA256
80e6c83c1597267d3876b51fe9ddf2130cdc4713ec571e4d61a7c614f7c32e89

SHA512
53df85cff6bdc72f3618a6e2d3bd271835c3fe11995b68bd8442158e22dbe630a7b2e3e1adad5b46abe5714ec9c69f187a3738d2b2e362d16b05b240886bd7c8

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
4f7796abcd5016be8d6b3b340ff95de0

SHA1
f4251a454101f73b8306e394fe747975b0f32d7b

SHA256
b24ffd151b7fe1529a9a8fe572326e85c779b8a623ab00d146d9075f6bf4877d

SHA512
634a9aec609997aac2172b0bcd1e547712fa7ecd9a5179d040693459f1bdeb50f0ef8d7acbc52e9541dadfac01688b796e942dbe891b819a99ef8a663bd72f16

Download Submit
memory/32-112-0x0000000140000000-0x00000001401A9000-memory.dmp

Filesize
1.7MB

Download
memory/32-126-0x0000000140000000-0x00000001401A9000-memory.dmp

Filesize
1.7MB

Download
memory/32-113-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/208-34-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/208-33-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/208-177-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/208-40-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1824-18-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1824-20-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/1824-129-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1824-10-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/3404-95-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3404-64-0x0000000000AF0000-0x0000000000B50000-memory.dmp

Filesize
384KB

Download
memory/3404-58-0x0000000000AF0000-0x0000000000B50000-memory.dmp

Filesize
384KB

Download
memory/3404-92-0x0000000000AF0000-0x0000000000B50000-memory.dmp

Filesize
384KB

Download
memory/3404-56-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3580-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3580-0-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3580-26-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3580-6-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3580-22-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3904-51-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3904-53-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/3904-45-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3904-192-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/4256-97-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4256-103-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4256-105-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/4256-236-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/4716-240-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/4716-636-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/5108-90-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/5108-82-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/5108-76-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/5108-107-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/5108-109-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/5140-251-0x0000000140000000-0x0000000140198000-memory.dmp

Filesize
1.6MB

Download
memory/5140-130-0x0000000140000000-0x0000000140198000-memory.dmp

Filesize
1.6MB

Download
memory/5252-264-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5252-260-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5300-157-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/5300-281-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/5344-337-0x0000000140000000-0x00000001401A5000-memory.dmp

Filesize
1.6MB

Download
memory/5344-805-0x0000000140000000-0x00000001401A5000-memory.dmp

Filesize
1.6MB

Download
memory/5416-306-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/5416-163-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/5460-282-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5460-650-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5544-178-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/5544-321-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/5684-336-0x0000000140000000-0x0000000140174000-memory.dmp

Filesize
1.5MB

Download
memory/5684-189-0x0000000140000000-0x0000000140174000-memory.dmp

Filesize
1.5MB

Download
memory/5744-308-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5744-787-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5768-349-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5768-570-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5768-199-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5804-850-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5804-350-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5816-796-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5816-325-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5860-205-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/5860-540-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/5952-600-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5952-216-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/6068-614-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/6068-237-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download