7d7208a18d88a2765b7ce330107f82654490d2d379d11ffa1b5d3854b41378c6

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 02:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
Size

3.2MB
MD5

2e513c8f13dd7eb389426e86f1727d03
SHA1

855b6fb68564a52aab40f4977fa1ddb7d9b266d5
SHA256

7d7208a18d88a2765b7ce330107f82654490d2d379d11ffa1b5d3854b41378c6
SHA512

ced4dad715b30514bc5fd52d5c9c914d070bd6de35f764e1ba1b2a251c84f59a2888f25d3174460fa18fe69bac9f17bd2338de1f5de86e676ade625ae787b776
SSDEEP

49152:R5k1YCdptya507NUUWn043oHS3fTIYwVq1/xT3DDbwwTU+e0Cks7R9L58UqFJjs5:hNhSMYw8OcC17DVqFJU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 21 IoCs

pid	Process
3432	alg.exe
3388	DiagnosticsHub.StandardCollector.Service.exe
792	fxssvc.exe
216	elevation_service.exe
3220	maintenanceservice.exe
3884	msdtc.exe
468	OSE.EXE
5164	PerceptionSimulationService.exe
5308	perfhost.exe
5504	locator.exe
5600	SensorDataService.exe
5912	snmptrap.exe
6104	spectrum.exe
5956	ssh-agent.exe
6132	TieringEngineService.exe
744	AgentService.exe
5476	vds.exe
5564	vssvc.exe
5340	wbengine.exe
5384	WmiApSrv.exe
5392	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\locator.exe	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d4f5f988b3e2edcd.bin	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\java.exe	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaws.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005e85e0aadac5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000042f252abdac5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000040a9e7aadac5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000041f714abdac5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000995763aedac5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f1bdbcaadac5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000790793aedac5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005e91aaa9dac5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005e4153b0dac5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000035ad9aadac5da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
4644	chrome.exe
4644	chrome.exe
5008	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
5008	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
5008	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
5008	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
5008	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
5008	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
5008	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
5008	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
5008	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
5008	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
5008	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
5008	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
5008	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
5008	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
5008	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
5008	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
5008	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
5008	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
5008	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
5008	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
5008	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
5008	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
5008	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
5008	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
5008	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
5008	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
5008	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
5008	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
5008	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
5008	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
5008	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
5008	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
5008	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
5008	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
5008	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
6076	chrome.exe
6076	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
676	Process not Found
676	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2412	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
Token: SeTakeOwnershipPrivilege	5008	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeAuditPrivilege	792	fxssvc.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeRestorePrivilege	6132	TieringEngineService.exe
Token: SeManageVolumePrivilege	6132	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	744	AgentService.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeBackupPrivilege	5564	vssvc.exe
Token: SeRestorePrivilege	5564	vssvc.exe
Token: SeAuditPrivilege	5564	vssvc.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeBackupPrivilege	5340	wbengine.exe
Token: SeRestorePrivilege	5340	wbengine.exe
Token: SeSecurityPrivilege	5340	wbengine.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: 33	5392	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 5008	2412	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe	92
PID 2412 wrote to memory of 5008	2412	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe	92
PID 2412 wrote to memory of 4644	2412	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe	93
PID 2412 wrote to memory of 4644	2412	2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe	93
PID 4644 wrote to memory of 3876	4644	chrome.exe	94
PID 4644 wrote to memory of 3876	4644	chrome.exe	94
PID 4644 wrote to memory of 3112	4644	chrome.exe	99
PID 4644 wrote to memory of 3112	4644	chrome.exe	99
PID 4644 wrote to memory of 3112	4644	chrome.exe	99
PID 4644 wrote to memory of 3112	4644	chrome.exe	99
PID 4644 wrote to memory of 3112	4644	chrome.exe	99
PID 4644 wrote to memory of 3112	4644	chrome.exe	99
PID 4644 wrote to memory of 3112	4644	chrome.exe	99
PID 4644 wrote to memory of 3112	4644	chrome.exe	99
PID 4644 wrote to memory of 3112	4644	chrome.exe	99
PID 4644 wrote to memory of 3112	4644	chrome.exe	99
PID 4644 wrote to memory of 3112	4644	chrome.exe	99
PID 4644 wrote to memory of 3112	4644	chrome.exe	99
PID 4644 wrote to memory of 3112	4644	chrome.exe	99
PID 4644 wrote to memory of 3112	4644	chrome.exe	99
PID 4644 wrote to memory of 3112	4644	chrome.exe	99
PID 4644 wrote to memory of 3112	4644	chrome.exe	99
PID 4644 wrote to memory of 3112	4644	chrome.exe	99
PID 4644 wrote to memory of 3112	4644	chrome.exe	99
PID 4644 wrote to memory of 3112	4644	chrome.exe	99
PID 4644 wrote to memory of 3112	4644	chrome.exe	99
PID 4644 wrote to memory of 3112	4644	chrome.exe	99
PID 4644 wrote to memory of 3112	4644	chrome.exe	99
PID 4644 wrote to memory of 3112	4644	chrome.exe	99
PID 4644 wrote to memory of 3112	4644	chrome.exe	99
PID 4644 wrote to memory of 3112	4644	chrome.exe	99
PID 4644 wrote to memory of 3112	4644	chrome.exe	99
PID 4644 wrote to memory of 3112	4644	chrome.exe	99
PID 4644 wrote to memory of 3112	4644	chrome.exe	99
PID 4644 wrote to memory of 3112	4644	chrome.exe	99
PID 4644 wrote to memory of 3112	4644	chrome.exe	99
PID 4644 wrote to memory of 3112	4644	chrome.exe	99
PID 4644 wrote to memory of 3112	4644	chrome.exe	99
PID 4644 wrote to memory of 3112	4644	chrome.exe	99
PID 4644 wrote to memory of 3112	4644	chrome.exe	99
PID 4644 wrote to memory of 3112	4644	chrome.exe	99
PID 4644 wrote to memory of 3112	4644	chrome.exe	99
PID 4644 wrote to memory of 3112	4644	chrome.exe	99
PID 4644 wrote to memory of 3112	4644	chrome.exe	99
PID 4644 wrote to memory of 2116	4644	chrome.exe	100
PID 4644 wrote to memory of 2116	4644	chrome.exe	100
PID 4644 wrote to memory of 700	4644	chrome.exe	101
PID 4644 wrote to memory of 700	4644	chrome.exe	101
PID 4644 wrote to memory of 700	4644	chrome.exe	101
PID 4644 wrote to memory of 700	4644	chrome.exe	101
PID 4644 wrote to memory of 700	4644	chrome.exe	101
PID 4644 wrote to memory of 700	4644	chrome.exe	101
PID 4644 wrote to memory of 700	4644	chrome.exe	101
PID 4644 wrote to memory of 700	4644	chrome.exe	101
PID 4644 wrote to memory of 700	4644	chrome.exe	101
PID 4644 wrote to memory of 700	4644	chrome.exe	101
PID 4644 wrote to memory of 700	4644	chrome.exe	101
PID 4644 wrote to memory of 700	4644	chrome.exe	101
PID 4644 wrote to memory of 700	4644	chrome.exe	101
PID 4644 wrote to memory of 700	4644	chrome.exe	101
PID 4644 wrote to memory of 700	4644	chrome.exe	101
PID 4644 wrote to memory of 700	4644	chrome.exe	101
PID 4644 wrote to memory of 700	4644	chrome.exe	101
PID 4644 wrote to memory of 700	4644	chrome.exe	101

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Users\Admin\AppData\Local\Temp\2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-24_2e513c8f13dd7eb389426e86f1727d03_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=92.0.4515.159 --initial-client-data=0x2b8,0x2bc,0x2c0,0x28c,0x2c4,0x140221ee0,0x140221ef0,0x140221f00
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4644
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffee7ce9758,0x7ffee7ce9768,0x7ffee7ce9778
    3⤵
    PID:3876
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1752 --field-trial-handle=1868,i,13310693602823512399,12912609465812614017,131072 /prefetch:2
    3⤵
    PID:3112
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1868,i,13310693602823512399,12912609465812614017,131072 /prefetch:8
    3⤵
    PID:2116
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2204 --field-trial-handle=1868,i,13310693602823512399,12912609465812614017,131072 /prefetch:8
    3⤵
    PID:700
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2892 --field-trial-handle=1868,i,13310693602823512399,12912609465812614017,131072 /prefetch:1
    3⤵
    PID:3584
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2924 --field-trial-handle=1868,i,13310693602823512399,12912609465812614017,131072 /prefetch:1
    3⤵
    PID:2384
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4616 --field-trial-handle=1868,i,13310693602823512399,12912609465812614017,131072 /prefetch:8
    3⤵
    PID:3372
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4060 --field-trial-handle=1868,i,13310693602823512399,12912609465812614017,131072 /prefetch:1
    3⤵
    PID:3948
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4780 --field-trial-handle=1868,i,13310693602823512399,12912609465812614017,131072 /prefetch:8
    3⤵
    PID:2340
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5080 --field-trial-handle=1868,i,13310693602823512399,12912609465812614017,131072 /prefetch:8
    3⤵
    PID:1568
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4596 --field-trial-handle=1868,i,13310693602823512399,12912609465812614017,131072 /prefetch:8
    3⤵
    PID:5320
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5028 --field-trial-handle=1868,i,13310693602823512399,12912609465812614017,131072 /prefetch:8
    3⤵
    PID:5416
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:5608
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff798117688,0x7ff798117698,0x7ff7981176a8
      4⤵
      PID:5692
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      PID:5764
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff798117688,0x7ff798117698,0x7ff7981176a8
        5⤵
        
        PID:5796
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 --field-trial-handle=1868,i,13310693602823512399,12912609465812614017,131072 /prefetch:8
    3⤵
    PID:5748
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5416 --field-trial-handle=1868,i,13310693602823512399,12912609465812614017,131072 /prefetch:8
    3⤵
    PID:5756
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5528 --field-trial-handle=1868,i,13310693602823512399,12912609465812614017,131072 /prefetch:8
    3⤵
    PID:6012
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4972 --field-trial-handle=1868,i,13310693602823512399,12912609465812614017,131072 /prefetch:8
    3⤵
    PID:5652
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=2644 --field-trial-handle=1868,i,13310693602823512399,12912609465812614017,131072 /prefetch:1
    3⤵
    PID:6876
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3524 --field-trial-handle=1868,i,13310693602823512399,12912609465812614017,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6076

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:3432

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3388

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4608

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4312

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:792

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:216

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3220

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3884

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:468

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5164

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5308

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5504

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5600

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5912

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:6104

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5956

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:6132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5224

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:744

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5476

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5564

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5340

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5384

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5392
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:6820
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:6908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3696 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:6748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
bed65656ad0e23276a5cb11ad060a8ff

SHA1
52a3ca47ab51b3966900b61e67efbb24a607ea25

SHA256
02d372aea8974018d44cbe2b3651d9e38021ae6d32772b4fc16784f2b2480aec

SHA512
c997af283895b78a7b636868a40ccac3a078b6872e61e3aa1af4803f4e4975e824019351fa5ec32fb332317044bdc3fc44625708358681add56dead7c9e051d1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
53b87e7b44ab7ce15f12a86c29b9a708

SHA1
5b954625642c8ed3126f1572ffa8e2d59242c1eb

SHA256
a96d66ca2f2f889c392fc65118b8724a05b061693823275b9426dd9c02aea74a

SHA512
778fa8749bf16460db40ec9cf1a034ecc0b13fcc5ca2781b5dc1eeacdb0eed676fa8b673be8e50d7b424e97db9f33585658339d32167fd290b60e87a8f1ceb76

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
2ebf368538b051394c11ae82bd14d9c7

SHA1
f83394f01f3ca375707d40a10e9fdb1b061276f7

SHA256
7304c8da8971f2ca7ee458856b964622b82d2cf3b93f5f4cdf6b54d9b0a9a888

SHA512
2f5b8d2f8a8ccfd9485ab17bdd591de49fc135335d51aa08cddf98250c4ab298ac3dbd0a2b489386c4ea4cfcb1cc81de6655b6437b9abcc27a9a35c335321215

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
978dda50623578f0f12c5e93ab262a72

SHA1
12bf4a328dcc1b2a40188d134e2d4d5172b1837a

SHA256
5b60953b6c5fd1d7a588b29b67f0cffc75b149c6a689a670f610abc766f875dc

SHA512
d90f2dc726ad5bbb8e448b7504583a56be3c8fecc3acabad152653f72f334ce792a01e07c14fd65cdf96186b61624993e387e7b13842663176ab9de5b71ac3b0

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
4ef628e4b85820ec1ca8c3decc3e07be

SHA1
db1e9b9c445a2bde5952d490d6c0fd94a51784cc

SHA256
74f3c7c5226b33541d346def100542396d0bc47458276eb517e303b31c17bd82

SHA512
204db46f2613ebd4e8336f2a07473d767f4d417ec1b6e23eda26d1aecf2e36aaf628163abd69746cb2db3fc42a8e86b6f2b24bf6a73b4721566741d4098cdb42

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.5MB

MD5
b609f7c33b0ca753aca2c84e18188a48

SHA1
8b10bf4eb944c54ab8e2890a24497d9b77fd407e

SHA256
7a01ff1f704d54d94605d311121f9e6e1dd04eecd26a33c6199d6db919a91537

SHA512
5a09b7807f749fdcef5cae678a09ea0c3d4dbce3ede7d29fd4bcaff99fbb8a11a05139e0ae76705a1c9c76ef47831b37b136c568f26466775f46ce4e5442fcf0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
23f9bf7e3df1e1453a0c11c451d5fe88

SHA1
5e616e75032b93a7116ee19f38eb9fe194ce49fc

SHA256
5723d2d94d12a3aaf9f91b9fa98ec5324fd48555a6a27f1397a6bac5eeb6685f

SHA512
6c24cb513f7a5903ef4fa6ee90613a6573dd9baa304b191e139adabc9beb05e3e2ade8f46dcd7b53ddf7a0a893a29a4559f6a281d40019e4b095cf92099f9a45

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
276c0e5017cb995ad2a00dc348f415aa

SHA1
4e6308867e1ac77cf7e9704ae34e2ca082060f8c

SHA256
054281f1c056c2eec180ca8a3d0cf9bb9cf2ebabc93011cabaf86547450a01b0

SHA512
fdc70cd88a7a503bc327c13013fa9b692b89d2f9b8be6e9d5b88131533897db82dd9a6dd036033e08ee08813c44f6e9f82dba5495c1dfa401ddf19dfd2175bf0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
4071e2cc92759591efc0883283b58bf5

SHA1
736dc1509ef152e22ccbf42e87ca004648c49957

SHA256
e9d23c21138258f5e979f229bbc761e9f517f05dfd0786724be8339459482124

SHA512
f5b244c0b5eb71367978c7d037e079b4ab3dd756c41de8f357241ff3c8a60c1a58a409091c807f9f0fc93dd8e3719be15dc612f4d18713d4da6890264f347726

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
91131216d123ced614078efc2d131047

SHA1
aeb10a7702635f4f1159d5b112a12e6f039448ef

SHA256
5ae38109c66b4b61c72f74a73644a0861a98a37a7b36ab11b721178caab7a0af

SHA512
f4687b0f0ef829b98a2753702149a242f5479a837c872a77b50be4553aab2cb633f84c4a44132fdf15ff1819f789308168631b8817995ed9b0cad7f47bdf328c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d334d23afa461552aff1ccd4bdfb19ca

SHA1
1d976680a17fa4b630cc1edd9593c798a4810cde

SHA256
ccb9cfcdc3031bff044346eddbb7306be047b4a0978083f7b7cd0e4301ff3713

SHA512
5b7f412c78f9ca21980691c3d6e711747a29ffd0149c1a75816810d23566b4571782d6d8f767f155d5385818261f4d35b65b1de6af849ddb01be69ded8c9076c

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
33aa9bceda0d1f832c7e581d1bb21c77

SHA1
0ce9d480939bb5773747998feb28f72aafe13d9b

SHA256
3ff329e4a6d1000501d2bdb7fe355fe518107843b674acde16bef33bfa0efe0f

SHA512
d13d29a514bb87ecaa42efcf9e271174b00978595547be797ea5710172f229ce285d1b3d647999fdd4a4e9b0f2cc3c7a4c37dac8e9a1632ac6a4e8b97ca9ad97

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
86a40662de8b28be299e0ba1527e90c8

SHA1
b2f73fd4017ee4f05f1e45ed58c19465cce4ba8e

SHA256
3e4f931b190adbbba1e5290c769f720dba50f45a41a60d2e8b7d4e3dcf211108

SHA512
10b5b0f0e0a7691e5446154655f51cdd06ee5f18365a7347113af6656156fc4744f6d38255aa6aececa488fa4cfe34acad67df562d1daffb35bbfab6e8b29ee1

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
cd78679023df46d76e50df6d584c3da4

SHA1
55cbb047f96a7897d55cb5b5d2558ec232589e0d

SHA256
780b341f44d8633cb36186869fb6c2fbd2c829913f1f17db482cacea9fdf18e9

SHA512
594e8eecb4625586ed1b1fa5016abe5de87b399b5bd2f7dc9187753e063ab6803d20218535e76c8c11cb7cbe6b80c73689532c2b29fdb6508b342929fb0480ad

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\015c59d8-034d-470c-81bc-863c020f4f5b.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
a0a2682e5595d4bb445207d6a0eb5810

SHA1
28a3266ab469261511681090ffefbdf491fd529d

SHA256
fab4cc210a768c112167d99bfdfedaee1b1f32b814030b269bfd19bd370eb914

SHA512
052aa9e02ae84fa60516ce3a3b869ddd9f2ed4f6f6f4f51e0868545fb77928ddd048a7a00637052ed5aced0435b1c084a76ed1867d323cefabfb1b5b78fef627

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
85cfc13b6779a099d53221876df3b9e0

SHA1
08becf601c986c2e9f979f9143bbbcb7b48540ed

SHA256
bd34434d117b9572216229cb2ab703b5e98d588f5f6dfe072188bd3d6b3022f3

SHA512
b248162930702450893a112987e96ea70569ac35e14ef5eb6973238e426428272d1c930ce30552f19dd2d8d7754dc1f7f667ecd18f2c857b165b7873f4c03a48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
0679e767bd250600a3ca9dab33c541f4

SHA1
3ea0be46407f309c93c49feba360f1db909e34cc

SHA256
891069fbcc7206383fdf41ad5281c2d7136a929c6401e9b998ce2b81297e2aea

SHA512
5203a68216a79286080d6cefc59220414f218ed092fea4dded5ae498eeaae4976a12120188075709b9df8170bd21838395c3f9c2666ff3b206d4dc29e59ad030

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
65219931b1894f68863fb2403027d744

SHA1
7b1103a90a637639e7538ebb3e9339f7f4e9df0a

SHA256
4dcf7eb26b1812b535a623b40b7d19b80e243650dbd0dff6a490b1351eabc4ec

SHA512
f9cf2fec045402def529b0a1df12360740c0dd62651a98399fed312b92784a9fc52323f900c4637a3fc4ee8118e6877cdbd9b617b697858f1a1208d60e944e81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
fb5da10736ae7c0add0b6b52b92bdb89

SHA1
aa3da8b6749719c59bacd225c81cfbc8c89c5257

SHA256
ea7435d49c941304d6c2a07b41c150e1dee2615f0b68d0c7345da4ea067a505b

SHA512
615af5ef3dbf826425eebe0729c26490d370fdb4ab729cbc955d61f59ab8638f0b2af504300f5b4a275d9eeac17544258d8532ac60c16f4003411f4f98755512

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
01f16a775b07e374ab51ca6ea74cece4

SHA1
3ba23e706914a9702de6d1c741ab10ea27936e87

SHA256
17cb2c32509e6a727dcf9ea9010f96f26a13abb1207de50a442b6c31c0c3b3ae

SHA512
38b63f02b1e4233114d55f48257b696175cd4f9f94a94eff2b0ad8730529022bb21c36c0d96693740eb94e9865e119323d8c807395fa196242791cc3a70281c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
852937fc56f159403501b8e17e7e5733

SHA1
3a8ad93d8b5f3f842897ec8ec59994dd4316fa6c

SHA256
0c1239843c3914991d9da284b1e227492b3c687f2841b75702ccf78dab0dda54

SHA512
f4552dc9e96f07022720193aad2f004fdca0d49eaa0120ccd1836533f4a46fece8201442eefbc724f71195029dece73fb3c7da376d815010a4c5a71e1a386967

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
fea146b99b15dc2f269ccc5d93cc6a76

SHA1
44092d7366c4599480d18b0fe2542aecf69592ba

SHA256
aa7ee79ed79ec11323f7e7cd4f7aa3534c66ab6509cd60c401ed6425466c3f52

SHA512
16ca0eb92571a28176a132ec225223b9576f390285bbeb60a553615e7e5b27551f78a993072ffa57ab5857f147bb809fc7ee02c4504dee368bd930353bacfe19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe582a95.TMP

Filesize
2KB

MD5
04695aadffdaf28b5be826d27d48721a

SHA1
ce79df7c80926a86b0e1a922a05bcab16c7620c4

SHA256
0bc76b0a74faa8d4d25cfa28127c42750e86004af7a10d590e07a33a89726b51

SHA512
aa3438c4a09ea9c0c52dccb6cba636ac99c11b47a5b78317869823d6c39bfdfa304f40e67867b8ca9c4269efaba12431ae59a1d54c671f38acb9e4fe3d23da54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
10KB

MD5
fb368001ff8a10e4dee757e4fd897c2a

SHA1
8554e3cc3dbe31cba8c410670d1b1eca69412a91

SHA256
2e2f2e08af7fbb32ab24f079533be78a7ffc33285356ba5095f62a780a010be0

SHA512
6475ecaf3f3613b8b0a3725cc03c6e0fc26d77aecd232f48eccabd5dfa208c9b2e15435e9ec28477921cc47f70b8542152b4cacc1c1a8cccf6f50350f3230780

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
13KB

MD5
584598e799394000990d1200067bf058

SHA1
25b8635a98b9ecbfb7e18a259aee7d8c8204ec96

SHA256
be2d04ac08f6a0e97c486ab339e6455fcf5d6ba0071dcc2eaba2cf4e3dd9cd63

SHA512
3fe557ade7ee7db4d06da55ed81361903ce02d193d14cb23f4a5b5580ef9fedf2dd9915c3d2c3a925b3544b5cb90f525a93b7b99ea1a839c42cc2943135a331e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
280KB

MD5
56b21103b1f011f6490b1b773bbd652d

SHA1
27a3b9575048d22214e2bf5f18d997ea4202192b

SHA256
530698afee89fe26815ef9bf298a07220d3b46b1039f27cea1621955232058f7

SHA512
db1b655af6d288ba7e61aa178922eeb8a562610b27151554be2b206f2708c106aa1201492bef6cc1ab7a57d2554cc0e189a695a065fae38b983f9e14a96ff005

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
4KB

MD5
00442b1e46d0159a3a9416508fc27ab6

SHA1
2da1d98a99fb42ab845aba112a16c18704329fe8

SHA256
be8bd015a9e26d2eed35f80b39bc820214733ddc77f915478f534d5a8edb9bae

SHA512
b658e97677495e911ab09ae4f4047ad8f7ce965d0cd2253047b5eb6989ff3b9af18025ba846d6b69f95b7d0986d6fb6424a01ecc7d4552823e29617c281d71ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
6KB

MD5
bf520dd01499a6bc891b4bf848478e55

SHA1
35e91a244d53b0bd3b9b6ce4c7c0c3c35d735791

SHA256
0a171151eed52781b5a591704923c0b55e491407083c43e4870fd4f1e455b11d

SHA512
3c591af880af1ddfd627454ce9da012330efddebb417f6b241f3afba043afae23672d520312dc0c16faaecdf9df6588d8697989f1cec481112d614bf07c0483d

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4644_872966225\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4644_872966225\f3efe308-59b0-490a-a5da-d4be54da6ed2.tmp

Filesize
88KB

MD5
2cc86b681f2cd1d9f095584fd3153a61

SHA1
2a0ac7262fb88908a453bc125c5c3fc72b8d490e

SHA256
d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c

SHA512
14ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986

Download Submit
C:\Users\Admin\AppData\Roaming\d4f5f988b3e2edcd.bin

Filesize
12KB

MD5
5a156a81eb356205b798452307421b68

SHA1
1d283ba2dc0c69c7f93e9d1776aa46d7be6e224f

SHA256
880af893459ac42a7af47d8d3a4e0e0f920a1a51620119ab7836b36dfcd5514b

SHA512
c3c87baac3493fd6b147a51e1259b7912bed2fd8420ef3d3dc69cb81bf4b415221b05362e505ffcf068071fb32b92a3baffb071ac0adf8c3a7f64e3dcf204325

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
872c754203bd02837e0361ed40c02481

SHA1
1ddc9a6c2e272a4e693a66c940559e84a91ce431

SHA256
27d5c7718202f541a8b244cdca27e338843e01d08c320c09ad7073a84dd1ae20

SHA512
b47dbd60ab9a0f4273383ef04bed690b5746a1a9cb5e8f03b05c8e80c8898a3dcf5a20ce64c82f4aba4237f9414ca9c12021bed93f5d8c4d87ff4e3215b53fe4

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
b199968f8c6173db8232977ac1950a36

SHA1
0ae408f37198969ebb6fe5e97c26d580779c3382

SHA256
e11b60d404e4f31aa710a0583022044f58d84b7112eece873378e4904e47de73

SHA512
bf2c7dbdc8f798b18e134b7491bef082bc8a68ad7ed0cd3413b36fc1f7197885d21f0d367a4452d238c12d3fe0f699b482ae2717095e1ff27a0bcdc585587817

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
4ada18979024cad653f50f602c4be89b

SHA1
1b78d1f050cdd7befa51be27b50d80ddf9905057

SHA256
e1455aea670995057b709f293229145f97d69e6be58378d54f6dfad91d2bfdd5

SHA512
5ae8919dd26899d2ad0da3aaab79c0dfe1b6b2c80fff0b79c07bab9c93d47bd2ab4312a1698560097d23ae3e8d3f15aaa1f0ac8bffd6d0e74dc49e984dc333bb

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
77d6bd61afbf17251994cab0d2d296ee

SHA1
2b3ea154be0f8e3fbc5232ad9fcea3cd6c3cfceb

SHA256
27ea5cc033b8e2652bce36d3eaf08ac5830b4f67a3959fd7b61b9a4d48d6a485

SHA512
006bdbdbac0f01507682b4a85bd4d66768bf97049602a3e74cc54e57d564832c733fa67f0fe8d5b7df0fa876b4e9b65948a677bd6b15373c43cfb385d87f6129

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.5MB

MD5
eddb454d17645d9fcc50518c1cf88a13

SHA1
a61b002d374d9117d1312124769281b1dc39acc7

SHA256
3ca6a7d9e65f64bb358362943c14e7ad3062eaec0787ac4951b4b52901b58969

SHA512
cdb7850e7a05e4afe5295ba6108d7ee6208012708b0917a2d56a78d022fa45bd8a845148641269a16208bcabc6c0427f54c6f6f0168989d637dfef99f8032eb9

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
6083b0665481bcd2a68a00b23aa11430

SHA1
882ceaa6c3d6ac401f65bb26b8c788715cead607

SHA256
f8905bc221ae0b987e04e07d78c053e31c8df3492477d758754a03d78de9c777

SHA512
e61c9a2908cd66025759c92df1b343fe163273a6aa99ca8ad9dffd46950d9019fa447162f2684e82fcf1c1b4ab87b845ad7d3fa25ad3353d85c7814a0537d3de

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.6MB

MD5
31c032a9cffdfe5cd7102cd7de9c5841

SHA1
46c81d8124d46fdbf54023f7da9233aa96054941

SHA256
efecd62552c3b3d06cb8c41d680240bfcfc57ebbfd51a23bf392ebd745ce90a2

SHA512
de3ed7f2865c6b0d407a4ce7c8d7d3a15be88699ca84efc9ad59414ede4f32db0cd27988319cd6f0f15a2717746888e2695c7d2e35a0c4ecf0561c4a9fc99919

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
41fde43a1851172a3d8a579b7cb42b8f

SHA1
a247e96b5b6dd051d92bdc42fdf4d86aa0ea1d7c

SHA256
d0f6ca95cc9e7c9a19bd931cdd513314433e04653267ee53b8418972e8da61c8

SHA512
74ef6a2ec9ebb5472b51ca3749f225239ddb9dbd959eaa044762a0259d9d3bd486d33b46e2647bd2b1e1e4e141e388682967353c0a2b6e499f1cb0cde69ef66f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
63f694b2884e1abc2e81abdeb6035ae1

SHA1
01ee2081365c91f22e29f9e9db6396336c8c5b5f

SHA256
c42567b1e544c3745f1a73c710300078bfd6cf9d0accf68444cb127f6db472c2

SHA512
73f16c8d08a79ce5559f79e207fa5b0f2d5202ecd12a5f9b6f83235d89e867279d4f674ba2fd68e7889e2b5a86677e725621c528d4824ddb48fa6f0f484e592a

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
afeb9e9c08d26ed651178e5f74c3f07a

SHA1
28748af920ca619bc37cdea58b21436f3ff37cb5

SHA256
59d340d5d243d731c41c38d7fd7c82fd0a7b9ee7a07ea47c46ac837d4d10b4df

SHA512
171adcdcd3309b627f6b2eb56a1db4bb093bcf5ec74d3ca310cd9c1fe52d21c594d4ff033051c0521c402b52e33d2778fe29f7bbc714b14e1bd70ca2f6b96bcc

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.8MB

MD5
48189135c753170d5cf22f5f06b6fa6d

SHA1
c2d97f8aa9a6b3e4b8cbd5393aec9c892c054008

SHA256
765f0c77bd05b777013f60b9b97d0ff63581185232438a11cfcfda478d37d8a7

SHA512
c2f4462500b16c76ab78109ac246a99fb613cc85fb0c0a9d883743cd0c1ed34379c1789066e195f80a38fc0ee3d58f649a8b68f4fef22a9deac912b0be750707

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
66a2df7e08267d56b4e4147e6ff08cc4

SHA1
0ccbee03c36561880926ee6a0a24651dc60752ee

SHA256
83a37b7a5f00d0e9b12e92a3849a07974195837771f114de347445c64068f265

SHA512
27428c433e66a35c15e38b544203e89e748707f79806ecd69dffbff000a15705cc83e3c0dc3aae0c44a8e46fcae2a7f45c18ecccd65ae90753e31922087e8fc0

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
60f947d601038cd021fa24f3888d9121

SHA1
749125104f49d92f5a9c6ed75fd2c70ff0fd3379

SHA256
81dbf2b7729e7dde46507b9f94b313c71976c821f1a9cab43df70634cb473e6f

SHA512
ca148765d4a0f5d0c2efd8eedf769c212c0e8e89ab3484b12b26c763391369829b62a2d387c6dd6420ceb974470b09b2c96db57d357db598c3437b8c2c0c0691

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
fa2b27a013f6de92e270c2702e94f7ad

SHA1
e75277a5469cf7b0da2ef55761d833fb5243721b

SHA256
16f688aa495977c3193b74e5456fc5cada4948ec647fe1baf0c28a50a25cdc08

SHA512
07460e9460bb0dc692fd694f0c508240a87c96bd79636aea8e635cc8de296b1e8d574a4aa8e36d2e96187350a196b55322d7bf8338a0c9cb25915ab05546a44c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.5MB

MD5
2d0c47a66fe3c4546472507a8b8347e8

SHA1
e5da2aa4eb75d83790db4fba34b907b6f3f2e0c4

SHA256
89a3bfa0af0b20c9eff6eee84552ddf16b7f83cba677c294a9f91aee05886446

SHA512
6372b249362a0acac7aab44cb66d6e9bd7d18072960dccf4d59ea6cfa703945993230ea7821c89bf5da96793fbbee1e9e4fa82aa58fe1fb21e86716c2fe15d90

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
f88624297273cdc03932732891d6d332

SHA1
6e7a79df7803655ea54d2e225cf57f92e06a20fd

SHA256
5a2926299d850cf5a4c6157901d33f9f4afca4f608da70442066909b87b24292

SHA512
5b64aca592add63d60ec8fbda08c97639d2eb69bfaaadb180f4c98b00ed8edc1f96d8a51e1482ea7cbe5d4762db59a180ed9132e51493b3aa51e900bc494614f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.7MB

MD5
5b1fd1e40381049352ddc6b4480fdf64

SHA1
374cf9ebfc5ca8e3c59de59489dc278cee7259d0

SHA256
83c87dda71a965f028272d625e9f29a696b90822312fcf46a8a340e00a051645

SHA512
6b812ac77bab98fde2cf4d89093eb44beaeac58c02d3414b3b653eddc010b72b3f0e51a88bcc5177ec05750123fe4d41bbc462a643de5e969ec5bc909d0384c1

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
476159b1b4f22d478f5a30cada5dd106

SHA1
b359776910a5c8ed5ce0658f0d7be7fc13f5ad59

SHA256
833e207faf6e63e842d1035edf8afbd99c942a59f7d2053cd680fce50e6bb37a

SHA512
3aef0354027f647c21de24f2197416e0c6729101f42d0f2569b1c6d187c7b584d5777df87cfc8745db46d0ead968042c792d63fce5f75fff2e8608c0ca72ab0d

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
0e1a0df5323f02fa141b11070035f203

SHA1
4662c48107aebe02429f78dc0ab4328f88ea9e8f

SHA256
169bdddd028372b9c8dc1bbc8bc1a48dce9089467cf7c3b5967ebc20713b1bb7

SHA512
5ef418e1f48b459f21f15f8462fceebbe5da2e16ff4cd02a614a6a508c1a9e28527c0d0778840600c85ba60d412de91e754b3aa0173ac4db70460367a2abc6e5

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
fa89d6d1fc629aa4132b704cc9dd56e9

SHA1
a2f8f983199b1fed377f9c736171db6938112ff3

SHA256
a3f0e5eb71f13be4fcbd1adcb182a5c3e11b98ca40e51526271689d5998c3d71

SHA512
29142adb66f92b8c459fd192c980de8d1239df23bafc101f46a72dbdf6e5dd6354e0d23557252fa1775e9b236662a66dcbadd1e94f432451dee20c96b41392e3

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.8MB

MD5
fcbb9c952b62d0c44f7353cebae40615

SHA1
3af767de6cafbce659c357db409961827c4154fa

SHA256
141ac76eea82963c355f00e4b626c8332dc77a92901d0f13e633dd2d33a66b68

SHA512
98f0e02a4c1e2838ec64d4a9af75185b8176fb67f3f3514dbac7113660fed57bca63981a408b975b487544563dd96d80d4cdb9b4f1ec407c7b34ac0b6e34e98e

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
58539cf79925c3b514323a5907a71ffc

SHA1
f9a6c7c16a97f3187a7f963fb15b1e3d02ee3cf8

SHA256
1d126713c1bd2e73137f2c7e0f0c412e1663cddf45f69bbd2c16b9c7701e4160

SHA512
fad90bfcbdf3a3a19ac48e7dbd4877207d7202198e43925ecacbaa27d07e8cfd1b4bf091eb581fa4334920847388d349311efee47c1a4fd0a5e98d1f7ae23a04

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
52541ddf7d646897f87f53e77c915bc4

SHA1
e395fef42c95f55b4ca47efe7fd1c25b8638bc47

SHA256
508bddc8f043b895e56ef0f53c96e810b317b50ce8117c4fd838dbd62cfb99e3

SHA512
a18e098137033bbf3ec706e6f994788a9222c1bdd4b4cdd1b92546dde0fea80bc542b9cccbbc8e5e1dc268f945ac2b69bafd33ca9e5be014d516da2bd5a09c56

Download Submit
memory/216-85-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/216-86-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/216-352-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/216-92-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/468-140-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/468-395-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/744-393-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/744-378-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/792-81-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/792-74-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/792-75-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/792-105-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/792-108-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2412-23-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/2412-27-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/2412-9-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/2412-0-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/2412-1-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/3220-116-0x0000000140000000-0x00000001401B1000-memory.dmp

Filesize
1.7MB

Download
memory/3220-111-0x0000000140000000-0x00000001401B1000-memory.dmp

Filesize
1.7MB

Download
memory/3220-97-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/3220-103-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/3220-112-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/3388-176-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/3388-44-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/3388-55-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3388-46-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3432-154-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/3432-45-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3432-43-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/3432-35-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3884-118-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/3884-126-0x0000000140000000-0x00000001401A0000-memory.dmp

Filesize
1.6MB

Download
memory/5008-110-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/5008-11-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/5008-19-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/5008-20-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/5164-407-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/5164-164-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/5308-419-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/5308-177-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/5340-962-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5340-428-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5384-445-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/5384-964-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/5392-460-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5392-979-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5476-819-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5476-396-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5504-184-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/5504-431-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/5564-408-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5564-845-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5600-459-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5600-688-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5600-206-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5912-653-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/5912-227-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/5956-361-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/5956-751-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/6104-712-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/6104-248-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/6132-373-0x0000000140000000-0x00000001401C9000-memory.dmp

Filesize
1.8MB

Download
memory/6132-789-0x0000000140000000-0x00000001401C9000-memory.dmp

Filesize
1.8MB

Download