bb9d908703d08abbb218fdb140c3c5b6ba339a8e52ab542d937bef5351f94541

Analysis

max time kernel
119s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/06/2024, 08:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
Size

4.6MB
MD5

a0b4cac8bbbada6e0fa40afcaa085402
SHA1

ff76c24becff568fa3bb2cfe7547765b316be3e1
SHA256

bb9d908703d08abbb218fdb140c3c5b6ba339a8e52ab542d937bef5351f94541
SHA512

8d9452727a87d46aa80627cf140a4b97cd25536f67b531e3cf37249d826fc11f9fa018b4d297618cc8c40f050d89663ebf7c46d4ff542a76e2fc10f5cd4dc87a
SSDEEP

49152:4ndPjazwYcCOlBWD9rqGZi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAGN:y2D8siFIIm3Gob5iEB+pFtFR

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4580	alg.exe
456	DiagnosticsHub.StandardCollector.Service.exe
1008	fxssvc.exe
3064	elevation_service.exe
688	elevation_service.exe
2284	maintenanceservice.exe
3148	msdtc.exe
4688	OSE.EXE
1616	PerceptionSimulationService.exe
1216	perfhost.exe
5288	locator.exe
5444	SensorDataService.exe
5528	snmptrap.exe
5636	spectrum.exe
5844	ssh-agent.exe
6056	TieringEngineService.exe
5188	AgentService.exe
1568	vds.exe
5568	vssvc.exe
5180	wbengine.exe
5268	WmiApSrv.exe
5712	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a4e016fb3e2edcd.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaws.exe	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\java.exe	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007f0389e9eab7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000624cf4e9eab7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a67d6eeceab7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000028232beaeab7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000637039eaeab7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133621358207297482"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006c9262eceab7da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001bf383eceab7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
556	chrome.exe
556	chrome.exe
4828	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
4828	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
4828	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
4828	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
4828	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
4828	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
4828	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
4828	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
4828	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
4828	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
4828	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
4828	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
4828	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
4828	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
4828	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
4828	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
4828	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
4828	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
4828	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
4828	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
4828	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
4828	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
4828	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
4828	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
4828	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
4828	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
4828	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
4828	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
4828	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
4828	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
4828	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
4828	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
4828	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
4828	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
4828	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
672	Process not Found
672	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3164	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
Token: SeTakeOwnershipPrivilege	4828	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
Token: SeAuditPrivilege	1008	fxssvc.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeRestorePrivilege	6056	TieringEngineService.exe
Token: SeManageVolumePrivilege	6056	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5188	AgentService.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeBackupPrivilege	5568	vssvc.exe
Token: SeRestorePrivilege	5568	vssvc.exe
Token: SeAuditPrivilege	5568	vssvc.exe
Token: SeBackupPrivilege	5180	wbengine.exe
Token: SeRestorePrivilege	5180	wbengine.exe
Token: SeSecurityPrivilege	5180	wbengine.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: 33	5712	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5712	SearchIndexer.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
556	chrome.exe
556	chrome.exe
556	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3164 wrote to memory of 4828	3164	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe	90
PID 3164 wrote to memory of 4828	3164	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe	90
PID 3164 wrote to memory of 556	3164	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe	92
PID 3164 wrote to memory of 556	3164	2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe	92
PID 556 wrote to memory of 940	556	chrome.exe	93
PID 556 wrote to memory of 940	556	chrome.exe	93
PID 556 wrote to memory of 3824	556	chrome.exe	102
PID 556 wrote to memory of 3824	556	chrome.exe	102
PID 556 wrote to memory of 3824	556	chrome.exe	102
PID 556 wrote to memory of 3824	556	chrome.exe	102
PID 556 wrote to memory of 3824	556	chrome.exe	102
PID 556 wrote to memory of 3824	556	chrome.exe	102
PID 556 wrote to memory of 3824	556	chrome.exe	102
PID 556 wrote to memory of 3824	556	chrome.exe	102
PID 556 wrote to memory of 3824	556	chrome.exe	102
PID 556 wrote to memory of 3824	556	chrome.exe	102
PID 556 wrote to memory of 3824	556	chrome.exe	102
PID 556 wrote to memory of 3824	556	chrome.exe	102
PID 556 wrote to memory of 3824	556	chrome.exe	102
PID 556 wrote to memory of 3824	556	chrome.exe	102
PID 556 wrote to memory of 3824	556	chrome.exe	102
PID 556 wrote to memory of 3824	556	chrome.exe	102
PID 556 wrote to memory of 3824	556	chrome.exe	102
PID 556 wrote to memory of 3824	556	chrome.exe	102
PID 556 wrote to memory of 3824	556	chrome.exe	102
PID 556 wrote to memory of 3824	556	chrome.exe	102
PID 556 wrote to memory of 3824	556	chrome.exe	102
PID 556 wrote to memory of 3824	556	chrome.exe	102
PID 556 wrote to memory of 3824	556	chrome.exe	102
PID 556 wrote to memory of 3824	556	chrome.exe	102
PID 556 wrote to memory of 3824	556	chrome.exe	102
PID 556 wrote to memory of 3824	556	chrome.exe	102
PID 556 wrote to memory of 3824	556	chrome.exe	102
PID 556 wrote to memory of 3824	556	chrome.exe	102
PID 556 wrote to memory of 3824	556	chrome.exe	102
PID 556 wrote to memory of 3824	556	chrome.exe	102
PID 556 wrote to memory of 3824	556	chrome.exe	102
PID 556 wrote to memory of 3824	556	chrome.exe	102
PID 556 wrote to memory of 3824	556	chrome.exe	102
PID 556 wrote to memory of 3824	556	chrome.exe	102
PID 556 wrote to memory of 3824	556	chrome.exe	102
PID 556 wrote to memory of 3824	556	chrome.exe	102
PID 556 wrote to memory of 3824	556	chrome.exe	102
PID 556 wrote to memory of 3824	556	chrome.exe	102
PID 556 wrote to memory of 3444	556	chrome.exe	103
PID 556 wrote to memory of 3444	556	chrome.exe	103
PID 556 wrote to memory of 4800	556	chrome.exe	104
PID 556 wrote to memory of 4800	556	chrome.exe	104
PID 556 wrote to memory of 4800	556	chrome.exe	104
PID 556 wrote to memory of 4800	556	chrome.exe	104
PID 556 wrote to memory of 4800	556	chrome.exe	104
PID 556 wrote to memory of 4800	556	chrome.exe	104
PID 556 wrote to memory of 4800	556	chrome.exe	104
PID 556 wrote to memory of 4800	556	chrome.exe	104
PID 556 wrote to memory of 4800	556	chrome.exe	104
PID 556 wrote to memory of 4800	556	chrome.exe	104
PID 556 wrote to memory of 4800	556	chrome.exe	104
PID 556 wrote to memory of 4800	556	chrome.exe	104
PID 556 wrote to memory of 4800	556	chrome.exe	104
PID 556 wrote to memory of 4800	556	chrome.exe	104
PID 556 wrote to memory of 4800	556	chrome.exe	104
PID 556 wrote to memory of 4800	556	chrome.exe	104
PID 556 wrote to memory of 4800	556	chrome.exe	104
PID 556 wrote to memory of 4800	556	chrome.exe	104

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3164
- C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0b4cac8bbbada6e0fa40afcaa085402_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2c0,0x2d4,0x2d8,0x2b8,0x2dc,0x1403796b8,0x1403796c4,0x1403796d0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:556
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff97bee9758,0x7ff97bee9768,0x7ff97bee9778
    3⤵
    PID:940
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1764 --field-trial-handle=1884,i,4754812595320727761,2328908828062405281,131072 /prefetch:2
    3⤵
    PID:3824
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1884,i,4754812595320727761,2328908828062405281,131072 /prefetch:8
    3⤵
    PID:3444
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2212 --field-trial-handle=1884,i,4754812595320727761,2328908828062405281,131072 /prefetch:8
    3⤵
    PID:4800
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3008 --field-trial-handle=1884,i,4754812595320727761,2328908828062405281,131072 /prefetch:1
    3⤵
    PID:4260
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3028 --field-trial-handle=1884,i,4754812595320727761,2328908828062405281,131072 /prefetch:1
    3⤵
    PID:628
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4492 --field-trial-handle=1884,i,4754812595320727761,2328908828062405281,131072 /prefetch:8
    3⤵
    PID:4592
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4760 --field-trial-handle=1884,i,4754812595320727761,2328908828062405281,131072 /prefetch:1
    3⤵
    PID:2024
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4904 --field-trial-handle=1884,i,4754812595320727761,2328908828062405281,131072 /prefetch:8
    3⤵
    PID:4776
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5036 --field-trial-handle=1884,i,4754812595320727761,2328908828062405281,131072 /prefetch:8
    3⤵
    PID:3024
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5200 --field-trial-handle=1884,i,4754812595320727761,2328908828062405281,131072 /prefetch:8
    3⤵
    PID:1020
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5344 --field-trial-handle=1884,i,4754812595320727761,2328908828062405281,131072 /prefetch:8
    3⤵
    PID:1640
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 --field-trial-handle=1884,i,4754812595320727761,2328908828062405281,131072 /prefetch:8
    3⤵
    PID:5708
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5052 --field-trial-handle=1884,i,4754812595320727761,2328908828062405281,131072 /prefetch:8
    3⤵
    PID:6012
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:6068
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff7ac917688,0x7ff7ac917698,0x7ff7ac9176a8
      4⤵
      PID:5156
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      PID:4592
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff7ac917688,0x7ff7ac917698,0x7ff7ac9176a8
        5⤵
        
        PID:5128
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5408 --field-trial-handle=1884,i,4754812595320727761,2328908828062405281,131072 /prefetch:8
    3⤵
    PID:5500
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 --field-trial-handle=1884,i,4754812595320727761,2328908828062405281,131072 /prefetch:8
    3⤵
    PID:5452
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5368 --field-trial-handle=1884,i,4754812595320727761,2328908828062405281,131072 /prefetch:8
    3⤵
    PID:5832
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5536 --field-trial-handle=1884,i,4754812595320727761,2328908828062405281,131072 /prefetch:8
    3⤵
    PID:6044
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5488 --field-trial-handle=1884,i,4754812595320727761,2328908828062405281,131072 /prefetch:1
    3⤵
    PID:6576
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5776 --field-trial-handle=1884,i,4754812595320727761,2328908828062405281,131072 /prefetch:2
    3⤵
    PID:6764

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4580

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:456

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4608

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1008

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3064

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:688

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2284

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3148

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4688

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1616

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1216

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5288

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5444

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5528

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5636

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5908

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:6056

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5188

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1568

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5568

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5180

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5268

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5712
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2372
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:5472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
1⤵
PID:6548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
24c432f9857dc71fbad40005b207e0bb

SHA1
716b73d784e0a6613e6893ea22bf5313d37828f9

SHA256
fa9b7c0e55b734d0eff6ca163a53cabb4d5ae419ed86939b789f566524a4cce1

SHA512
4f7defced6f388b0df1d21f6a1da70f9e3e8a1b4906ae520d417599982c433919a9c404cac110f20ab9f6834412d4c79cecb3b24df87dbc5fe3fb46f0041978d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
7e082162e5f25710cc51f03727d1a680

SHA1
79a150b1e0a85ae335b6a27e00fb6970070cb07f

SHA256
76a8a719b3c7fde430bcf77cfaa66a18dbe5e3822919977d7058e8cac85d3379

SHA512
1ea42fc859f7306f883d5ab8aa7b1308a520a49972a71ee23c8e6379b1145ddc7f89047f8d1f5a4b3aa9b8519619d07939a1cdc891d0dc9b08352df0a7d4f732

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
dcd331c0ebf7dee5343c8c411b7fa1bb

SHA1
d97d2b6b7745f08231fc9bbcadf8f49bf86c702d

SHA256
28be9806d1500288b686feffdee2442c2e52ecd7b4cf4ccfb36de622249dd8b6

SHA512
8df2c581df51124085ab583d6925660ff5f506d5c2dc4cf84517ebda26f16ecd0eda13fcb937cc18a5d10656aa847ea31b0c65bf6ce24d197b7ea5632a654de8

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
3b3be44d7122daa4e67b19ca197cce04

SHA1
ab2a8f4fe7a0bf7ac31265ce77716f1746abb567

SHA256
718bb0a4102d0c52ebe56ec2ac6cfd4ed7437354dc036f867df7e00e916a616b

SHA512
4e8f94685f13b43fb83a434c29a5917d69a0d390e343f69080977115370ddacf90948445cc794f60f51a90d8a2a53588e25923741416e891d8201703d60ba55f

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
def5f120b14a17354e7eb5ea351123ec

SHA1
9d0c8a3ab4177f78271dca593066cac4999147f1

SHA256
01686d0187aa0d4d61e71fb1b70e252f59132f8be37c2b6ba8becce6d29c00eb

SHA512
31e3fccbe47a5f94ac4b8796cc723d56f0656e543096565d5b4dcf75da8b5fa4db43f39b3803c4a7219028d4c4761ef0f9f449e71e16b7f8062403b8b0d59a60

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
421a4198cef8b059655d2dba30556e81

SHA1
cc0f77eb83fbfc999293642cb0c186731ff77387

SHA256
91f5291451cf303f5558373f9f67d850fc37b51793c5c66162838eaf0d6a8c88

SHA512
cdeb4bbcd608ed7c96f78356a98222b9bb9fa6391df1f5700edcbea37e49cdcb083bbfce76c5a8fef55deda0a833e328b29be87cdc1a0b9bd39270ec2969d39e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
f7c86fe9128d3de350484b818467ae94

SHA1
8544bc0a28cc4b459bf13e6ea8f76f8411846e50

SHA256
d0de6f9b3ec72d7d95a0bb9d22680362c480f7d1fd0993c539e61bb0c7dec15b

SHA512
98a23c91106b1901c920a44b0066fa92c95168a03e2f3c8de1f40961483c7eb656d4a713665a463754293f17824feb84da4f93057deec289aedcb8e9e9764d74

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.1MB

MD5
79bd21bbb1191bb77058bd439c4d921b

SHA1
7e76f834ad745956b23f6d001dcfc8bc6349f89e

SHA256
e05012831372c80508705a4cc2d56fe29a7f70d8cc92791fe3facd076276a10f

SHA512
7ad1272ae6f068cb4fd5697a03212b9912f6554e5ee0fa42f70716ec6926e32a4152e157306e112ede14bbba76c4e923cd008af7537707b592c27be6fb31ce2f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
29c82f4a7af1e8d4521a21621e12fcd1

SHA1
9509d87aa677da706007f0570b5755c9ef17a4c7

SHA256
81830e2b6c43aa239a88a7671f64bec908ee2bc4edd79e09b1359d33798a3b36

SHA512
3ef21b84d9b6c785e4a90b4f1001745018e1c2806868e53e4216e1f76b9eff401d7e709847e2ab48ebe12d4612c6ed56c4c8839ddc1b512abdf0c43e81f7aa9d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
c218533c35a86b48b8a470ab2fd636eb

SHA1
3e31c18bd5807b055f00b3de483510af5f55f5af

SHA256
b5049a0b5b6100e443429813dadff1c36b3c3a5c97ae48dd4dc1d6548068e894

SHA512
f1ba949c257981585036576cb96405adc741c8b5ea8ea662e836ed7a2ac965478092ad444b6d485daebe6b4847bcf92c7a49271ce72082c415c3a8d1f3ec6c7e

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\4021ed10-25ee-4435-b2ad-4422d9bd3d10.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.4MB

MD5
aad7999cbff5251467ebd04876b2885d

SHA1
659bd6fe10b2e0e8c45290d1af94e0c9a82842ab

SHA256
6cf78377b5d817bb19f05b9e42a688c6ff336fea6d66e93979120b160be9b712

SHA512
3343d82c53cecd276952f24fa480e90091a528d5a700eac52dad4b093a0a3174440865e5b18eba36f9d520f5b1487814c3c3ad5faba8b1fb1094b477a3e4cdfc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
85cfc13b6779a099d53221876df3b9e0

SHA1
08becf601c986c2e9f979f9143bbbcb7b48540ed

SHA256
bd34434d117b9572216229cb2ab703b5e98d588f5f6dfe072188bd3d6b3022f3

SHA512
b248162930702450893a112987e96ea70569ac35e14ef5eb6973238e426428272d1c930ce30552f19dd2d8d7754dc1f7f667ecd18f2c857b165b7873f4c03a48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
532ec7802b905d810d1b5b1c3690c6ce

SHA1
137cd45f98fa1ce68adee17e6c69c9a4d2b677fa

SHA256
bc35c4ad041d773e23bc3dab9a9efa46e533ef11252cbb14cf2d61cc8e3bcfef

SHA512
a2fe0ba5576c2786ad9956070b5e82639d59009712df4ffd877fab5c38bd0b85e89743263051bb0ee4eab85320f91feadb36f2159d2d3768149d9dfc59184f31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
428c37b48b7f08efd0df639640973b7e

SHA1
52ca1284e5978feb7a97ce5fca5f670b9a9fa146

SHA256
49fa62ceed8fcd394d14de6bafade44c1ab63b77cdc3e94a280ad49000e3e103

SHA512
1642b66820217e45a6f561055d2029191f390679466549d61985fc977cecd53d548f6b9faeaf40f6d662bc7a0f2fcb7403b41b7569223cd268ffd89ae3b34f7d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
c5ca7746cb86a1987b5af03b09c9c62b

SHA1
6e1b085384db49377a0032a32fb7f376976e602e

SHA256
26891ee75eff4941191990dd6a2e690d97a18465887e0001c83c5a1dcd70188f

SHA512
1e31bc26356f06e75a1fc1ee500b9cc27e1b98302d082943949aaf1c345984103bc0b790fb9b92d6b86ef05e6e0a969e1a1def3256863439c2c51949ebfe992e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
72eaa3027197e130b99a2a1618d3f3b7

SHA1
67e441f37021a4c4613baf1cf5ae18e6af56ed94

SHA256
9833a7660bcd7c151edb62810e63dca84230aaaf9f6b2b2f377669b9354e89c3

SHA512
63d19fa5154f0dbafff7ce7f3b1ac7c16ecd4f160277f77c31a668478d709657337d7a94cc524ef1abd3ea796f0d8400d04d3aa11604a09ca3b9c4a19075b991

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
552dd56f4ca88dc7cfc30516144c84e6

SHA1
cfb24976ed9362c5ca98283c035ec51b68c8a47d

SHA256
c67e75e417ea535722da4c281eb7098244148e9ca40002ec5bff9f35cd0d4f6d

SHA512
7dfdc4a17d409ff1a8e42dce66672d2cd42dc7325362531512b2a001ec88310faabbb1310b597356cf3e41c9a3bf7d8277d3a5501652d0cc831480661c2b80f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
8a932e7cc85630c893e6e9054f64fab5

SHA1
95c22ba4fe2ed2f931cc8af27397ba6c2773aa49

SHA256
b83afc8cb4f95836786e80ed57c689446cce010cb4b129e6232c02be92dcf60e

SHA512
f67e6829eaa0985f6f2d4348c5629d616d74ddf88b7ff95330c23a8e6a00483451432bfe663647cf9f85956a15e12269b41322234b84747e0e2ce09b18032ad9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe581b72.TMP

Filesize
2KB

MD5
04695aadffdaf28b5be826d27d48721a

SHA1
ce79df7c80926a86b0e1a922a05bcab16c7620c4

SHA256
0bc76b0a74faa8d4d25cfa28127c42750e86004af7a10d590e07a33a89726b51

SHA512
aa3438c4a09ea9c0c52dccb6cba636ac99c11b47a5b78317869823d6c39bfdfa304f40e67867b8ca9c4269efaba12431ae59a1d54c671f38acb9e4fe3d23da54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
10KB

MD5
455a5f9ca2700f557d5339b9ba5c0de8

SHA1
c1ba1cd33d214b7278f0d13cd93da496d625e617

SHA256
98d673ca0c41ec3a1f304c4a45f2f365cb3b19e6025b265044301c661e1f9f19

SHA512
3ae47b1a8956f6a5556a7db99ad8bf0f3329a0e29d9384b401f9c179bcd03205cfd6937c201e86e778e46bf04b7e74563091429e63fe0fc9c8d97706bc3f009c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
13KB

MD5
abf2f493e0020035587d4d3cb1f41bda

SHA1
a8e2502fbf11e87f8c86dd5f0ddeb183930d7122

SHA256
3164b0495b81cbd79802d5a7dfb7ff2143e9aa4482385912f1cf2bc756fb88d7

SHA512
ea3515896861953a6d1d4fed34367860436e551377971d2cfcb740abfd71767a907fca2bf8d5242d6ff3b5cc350cb04cc3b35edfd32b9866a526bb359a627db0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
271KB

MD5
2f8ee0ba1701015b9ffb82b1aed70186

SHA1
d03f780fb56f5e92bbac7ad79e9c15cd06876221

SHA256
3035b3712be0e7d33ed7ea0f2b6b0f4556ba111cbf8f1d20ebefb166beb39c8e

SHA512
173bd680bf642a345d5bf7475bef6550f191dcb31ba9d6db00e7ef5fe388a6d934474968ac7d38e0dd861c7640025e6462706968ce7bd587f3e709595e71b76a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
4KB

MD5
a9f93d8e6a2e8734fcce31ffae1f2417

SHA1
c59d8bf74a42fae5c29bd4d13d0d99299e8ee715

SHA256
b317cb7e9cf18d93d8637ac5dca9578e72a39f60f1e9b1f13a5cff8a731ee1ae

SHA512
80c2991d635540705717351d5fd68b11855408ff74fecd9e9908cf0190b2c6b9c2902532abfae19e6063f52a98a31262d8bf3214e7fc380d63c46ed9529c82f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
6KB

MD5
a11e692ea2e60387876cb1cf8b376182

SHA1
ea230a200cf78bd28ce19b1ea3031947cf039f1d

SHA256
5cdad53e39aa9b1e8e978c944f3e1d009a5f0f459a9253cba40f173a360c88f0

SHA512
a41e9a64ba74e59eca9eddd4ad8caa85211f6cd01ae6cb56f4c9ac53fbbac4a05d1d6f032ddfa0c946e9146847e6c6dc7f37e663cfef5cec5f23072998315dc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir556_1058999806\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir556_1058999806\e36bb88c-1361-4029-a971-47e5dd92063b.tmp

Filesize
88KB

MD5
2cc86b681f2cd1d9f095584fd3153a61

SHA1
2a0ac7262fb88908a453bc125c5c3fc72b8d490e

SHA256
d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c

SHA512
14ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986

Download Submit
C:\Users\Admin\AppData\Roaming\a4e016fb3e2edcd.bin

Filesize
12KB

MD5
43ceebc263545c09f123e96104e898da

SHA1
7351ede22a8f459b329da412919829dc1ee2c8a8

SHA256
bdba291bd51e5639ae6abc2c09eb1b46fb9a0f00aae57699f3d2dfc384422e19

SHA512
9e6fad0b265963ae3b89423f4e2948c9956ae3cdd51676a24da968043f99cab5bc643ed8221f235ad441ae17cf7a60fd905213eb017e6214984212ab7951b12c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
4bd1fc9deae4d31f41b5a438e141e3f6

SHA1
4ad649a8401a89482890d4c64636e2c3eef26508

SHA256
1fc44f64394d3d07152e9b799119a4b4228cd2ddb54d96774bf2e248acff8f76

SHA512
a7e36e2ee778140c563c97037f72e904ff1e1882671764dfcaf5b4fc26ed74e0c713fcc64ee43512df1b9f64a3963e8480c660adfe927c266be7c03fe767ba12

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
08ade1837378a4f7dbf1f01c634b2788

SHA1
856b706e50f8373f2c711446e7f1f150590566bb

SHA256
0c3c2779c8be3ad236b37bbf0bb9e67152021775ba583f49f0e607b3a1c47f4e

SHA512
f65d97fda6671ff5b7bf9527f54a7db66cc05d7580ca2c868bc1a60bbd88dd4bd9fe4ba84d05c91e1e8770fb3e06678d793650579a35dfe324285de9200c6827

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
53d6d8baab3c2860edee5aac818a228c

SHA1
46c6b820191eea8f95407f8ef3a87b29c104160b

SHA256
bee7bacf72cf3e4301e10b48ea8490932dc3af840d0b84a19bc7c17f7d9e0153

SHA512
9cb674267670ded97af93826ab6d01c95dab1f5c5fb2e77be5eb08b3e418c2faf9d6f98910be46214ddd8435575f2e51945ac93d84aa57c854a8fcf0fe107eeb

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
9784cedf10fb9c994b98165252b655d3

SHA1
31935994b821964e40c7592c2170820dea745003

SHA256
ecc7dfdd0df88717390448d6aea863c56f708a0c912d36377791ba307b00c452

SHA512
050493e422a738fe80e512b7e5502b96c4a661c0829056bd3e858476a795b80ebc39ce9d6252ce1bbd89d3c91009d71f058d4ec49ad9b9bda45e8625e830e059

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
cd67012d66ac12e02bdeab16ac6cad03

SHA1
ebf478c9110492169deb0edb4bc1dcb50753b3d4

SHA256
db736d4ebfff65a6f5c968409273f90713ec2f48f4fc0ecd167c618bfd7cae3c

SHA512
36308b6c810ccf83f2f8a86b2a93e2a2df5cc764750b42d79a3f3ea97f39a09751e95d8bc64b2f83006b01595a1279921773e9f73cba6c7a928ee1b269418443

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
fa5ec309b44b3d63afafdc5187ce534e

SHA1
67f2ecfa66a7a4928a14fc607f3f353f3b88a723

SHA256
28a4e487571a53a9b4f809daadf08a064855544a923d8d3c07069331ade01145

SHA512
1a0aaa0cc98bff2a089b052651084b98b013bcbe3de040d1316108a35b1ffeb659f5fe9602b5b0bad99e7796567ce9427069f3c7d99e1e9fed2be37fda73b261

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
d623f456f6bc32bcae4b27347b7f9f87

SHA1
d394a5c5b29a33368861ae0a08e2c5bffa5f2aa4

SHA256
d156193305dcc32ae1f4b69ed225d2428cd44d551c497b535a927aefcf6a0c04

SHA512
16513c7af05de799e34939bf809b3cafc8c3c5d282b8867b2a25f546f6653e6012f62b4146c89e769f7d19a98221afea512d96f1db51da5f917e050cdc12f95e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
7411b508e7123dbe0e9463c06d9d9c8c

SHA1
9945be8a20c4264a02f1080804c29fdced8322ad

SHA256
1e9a238fa51489f58ddd18fab3310741c0c2133a671ffc34da444c8b0145fbce

SHA512
3fed50941c3a4b0006919b78e52ea0eba80a26aec2d2543d8d339c6c4b35e88bf3fa24e2fd625af5700b9310af71cde6750fb26810413401e471fff000c8cfaa

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.2MB

MD5
5d988ec2b05074615d2675433bc0e882

SHA1
856a30a775952806d15dba5b71c542571870265c

SHA256
f6f61b950544a1edf01afb33061d5f2cd6a752b4ea2d2e993fae9b8f33f5dc20

SHA512
cafa7cd94f2bee5ea861d5d72aa128a7befe8a8bd98f9a015ad86cd6b4a9932ddc128deb8ab2927132f5655ac080c9cc1c8bd3a5512b51045323bb6b46a705e7

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
e0ce37e4b8fdeee6a2d545709cd9202b

SHA1
eba7cda16f341b81a654c78623593bc41cf63628

SHA256
81739379d3c6b792511b4f6cf0f70eb92ee7e5c858b1339688099b78c8ec9067

SHA512
e9fd113fce1fe666c7f9412a85a5fba3c4ee098a260957cd433e87d0fafa33d34804b2dcfb42a800391bd7e0e6a5cc1faede52f3c19cbe377361e15d7bfb7b5d

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
fd56ec986d32236e363238d462a7bb76

SHA1
19a64c95f7f77fb4e0bf47e79b675c07ba5003e6

SHA256
8b51d489630232b00afc3a1cb9ac6ddcb5a0cb3c87d70110e61d715b5bd5583b

SHA512
86a217d1e29011f94866ba39cd0c4558819bfa3c18248263653af7e5cd3908d3d4058a5963d604815d7ac899190961174cfde4efb4db6292788246008b35c3f4

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
1673276bb6d4895cce832e2e18cdb1bc

SHA1
d1418091360211c17c51f92afe11472f2ecee3fd

SHA256
09f1855026be05b46512bb28304ef83b9ded3c88678d4a0f4dfbd77a0259c750

SHA512
1208eed800418e5781943468c2febaf0bb97a88fc748ea1569f5f162367fa4c42b8f6581c72ebf8c51f648c5da814dadd261c16ddd32070af62e40c908ea00a1

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f6cd0b7533ae89a96dcb68613401665d

SHA1
a41510ebaa0a331479b00e88a70dfd855a7baf2f

SHA256
fcba55979420fcd826a1037087667f1c7708ea2f42962b840152481f8f4b93fe

SHA512
0a8168ad275ef7ae670b030cef7e0f8e823aa053d97e7dc21688939a594fa0d741ffc4c4be6d85c8c57e32f1ef49a867942a5757b0afefaf0d7e4d78f642920b

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
390411b9d83192c19546e5613443c212

SHA1
2ed117cb64bfa415e8fa6fe8a9af75f30a832202

SHA256
0eb1b56e3ad86ef98399eb230db52325acf9a1fa40cace1e4360d9f76260265f

SHA512
b6f379e61274e511ac283061c4e330b3ca221f57e24e876e7628a85ba31947f84b46dbc8b6d992daf52325234c0f19c84be3a92ba884a1a0d68c2cbda01e4137

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
a2d158a886ad6f4de9e0d884b8545677

SHA1
a910e024a2cc42cbb150cf29dde2bcf5f114e9da

SHA256
21829b8f179c395f1dd0252515ba103d8dc35d74ff76532ba50a114feaa7face

SHA512
5ad8326f0a0e585b49b01b9040c214f6d36f525cb3366dee411a138c33768f28356cd3d4076219120ba3e7909e9d522ba9c14ee81a12795239c4af939ea96ffa

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
01f1e99e57b740e513d27752cb825aa7

SHA1
a70c0037d32d3151c174b909798f2d0e11f4643d

SHA256
91be34d2a970203cc63d7cc8d2a3dbf2943c61c4d842bad03931c49d03adfb20

SHA512
fdf504f93e5cbd2d9987bd44555e995f07ac3861c9c6a94c6c85bd2c96153360d5bd8e71d718e721aa83dc8a05fc992cf5c244caddaa55ad1594ea7c8dcfd8bd

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
28ffc634987b730ad21de91a5f5334d7

SHA1
a40c4f2f2a01b177a2b5199cb11b54134f7b78a7

SHA256
97c4a31e2f65b09adf910974c660adf287286e156bef747339d99fae7ae6d97a

SHA512
1057b45e223b95176a79e175e597d5b827a9b50fafdde74e169e4697040a9a98a5a280cb5551b5c45301e3e3b5496cc71afda7c9db4340021c3040e40b995a5b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
2e7547c500a68b75fba901f272b7d89d

SHA1
a5ea7a13cbe46213eb70b71f17039a38c16f2d10

SHA256
4c2e408c84028abdc46263906bceed64fdeffdcaa8725faeaa5b510633f22e21

SHA512
0bdb9f8111b0b93bf1190cddf7492f85defebf363d0005f9874205ff0400f0313cd8d3e10fc252c733654f58c13924c9be40b054f86a03c9855ba3cd53717ca8

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
179631fe50341c97ed32f77d740d7998

SHA1
df65a337ac5cae7fb1659f6448fd12a922bf57de

SHA256
cd41493c620518185226eed17128a766efbcff1939efc218c273e58ce7469997

SHA512
38ac1ad100bcda432a69abd11fa4b1bff2957c065b8ffa49553a1033418509680ca46ca6c6dd911b809a6034948ce74c0464553c68c235e9ce923fbac634b2bc

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
0e1a0df5323f02fa141b11070035f203

SHA1
4662c48107aebe02429f78dc0ab4328f88ea9e8f

SHA256
169bdddd028372b9c8dc1bbc8bc1a48dce9089467cf7c3b5967ebc20713b1bb7

SHA512
5ef418e1f48b459f21f15f8462fceebbe5da2e16ff4cd02a614a6a508c1a9e28527c0d0778840600c85ba60d412de91e754b3aa0173ac4db70460367a2abc6e5

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
6a50410f40ef4c86ada7ba410f99161b

SHA1
278d6dffdb622ce8e6b1fa5761742571cb5b1187

SHA256
53e1fc1fedb5b0a0fe80c25b2b51ad75cc312fd30bd150384e3df4123c196cde

SHA512
5ef6b4392607f06cd0e8097c9a4aa3978d57639bf3a71b17633970bbf647dff98c433d4966b7ef625547615dc99e775d92c049c78980303a4cd4ee7673038442

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
09abd91cb3df177dd0b84c0fdafeb341

SHA1
dd305c4919ff0c268c67b5af8d1659e5bfd5122d

SHA256
f98934e24ee1bddb6800f682ce4bf8b97b51d7a9c6d3bdfebf37e81bbae80f08

SHA512
d41c2a3fa236101c92e15291634154e04b940c573ecf66c890ddb958cef7fa1e0845e49dacc92fd14220dcfc98b8c6a241e3de514727b928a263518fd3dc3db3

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
cee496c4e651247ba06a3adf4e0bab1d

SHA1
0e1545fe3ec598340c3af866ef40582a7276bb71

SHA256
71fac096805e0bb8c2499c69ca58e4f8e3e8e8b137f3e04d94a812589a0e905c

SHA512
bed73fbfdbfd7f341765fa223a932a7cc75ab4550fc804e213e005ca0afe5723d402821c6bc2761e6e6fefbc146d13e05a24c00bfd65a11496f3e15481f6d58d

Download Submit
C:\odt\office2016setup.exe

Filesize
2.9MB

MD5
9255e0a4d3af6839ef7e553c8cb0a014

SHA1
10180af1206a6a5784f03eaa9d1052af55bdf7b8

SHA256
21144c2ddce9914d50b90089e9f56574df757ab4781854cbca6c3f00c34a546d

SHA512
df85fb2140382c9b792ee8bb88a50fa92c5f1082b456f5ad5f1d3600b6d1c5ac88dceaecab86ba8a587778eae382c50f26632426d18019196883f2a1a643e3be

Download Submit
memory/456-45-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/456-198-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/456-46-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/456-54-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/688-89-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/688-91-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/688-83-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/688-253-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1008-65-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/1008-68-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/1008-70-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1008-59-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/1008-58-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1216-376-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1216-168-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1568-822-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1568-301-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1616-315-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1616-156-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2284-104-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2284-96-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/2284-110-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/3064-80-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3064-72-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/3064-78-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/3064-151-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3148-111-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3148-282-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3164-8-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/3164-0-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3164-9-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3164-39-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4580-35-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4580-137-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4580-26-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4580-34-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4688-300-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4688-138-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4828-17-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4828-95-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4828-11-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4828-20-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/5180-401-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5180-974-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5188-283-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5188-296-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5268-451-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/5268-980-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/5288-199-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/5288-450-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/5444-562-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5444-468-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5444-212-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5528-554-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/5528-222-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/5568-318-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5568-973-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5636-594-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5636-227-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5712-477-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5712-984-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5844-743-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/5844-254-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/6056-771-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/6056-276-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download