4a4abc4e0fbed9f1a6bb59a191c4f2f4a55941d32fb249cff4bb4112aecbe709

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
30/06/2024, 15:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
Size

5.5MB
MD5

b00a3892f30044849a150844b9114796
SHA1

78b904fe201f66e2407b51f046b26e343c397c2a
SHA256

4a4abc4e0fbed9f1a6bb59a191c4f2f4a55941d32fb249cff4bb4112aecbe709
SHA512

1f89c7e2c8d6ff77e993101165aa476df114fdd7809839b6e90ae134209c5635c5ebd96fda7a6464c0b6394ec35a1fe5f5a11ed8bffea48344c4128c2565d7ec
SSDEEP

49152:iEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfL:oAI5pAdVJn9tbnR1VgBVmkTjYvH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3896	alg.exe
2284	DiagnosticsHub.StandardCollector.Service.exe
2356	fxssvc.exe
1100	elevation_service.exe
1464	elevation_service.exe
4168	maintenanceservice.exe
1156	msdtc.exe
3648	OSE.EXE
1876	PerceptionSimulationService.exe
4464	perfhost.exe
5196	locator.exe
5248	SensorDataService.exe
5320	snmptrap.exe
5376	spectrum.exe
5496	ssh-agent.exe
5588	TieringEngineService.exe
5708	AgentService.exe
5764	vds.exe
5952	vssvc.exe
6104	wbengine.exe
5160	WmiApSrv.exe
1860	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9d1f5768b3e2edcd.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\java.exe	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000064e5fdbf03cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000052c1b8bf03cbda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a80cf4ba03cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000021ca58bd03cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000012531bc03cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004b53bcbb03cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
4412	chrome.exe
4412	chrome.exe
4996	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
4996	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
4996	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
4996	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
4996	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
4996	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
4996	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
4996	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
4996	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
4996	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
4996	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
4996	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
4996	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
4996	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
4996	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
4996	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
4996	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
4996	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
4996	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
4996	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
4996	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
4996	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
4996	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
4996	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
4996	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
4996	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
4996	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
4996	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
4996	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
4996	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
4996	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
4996	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
4996	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
4996	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
4996	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
2284	DiagnosticsHub.StandardCollector.Service.exe
2284	DiagnosticsHub.StandardCollector.Service.exe
2284	DiagnosticsHub.StandardCollector.Service.exe
2284	DiagnosticsHub.StandardCollector.Service.exe
2284	DiagnosticsHub.StandardCollector.Service.exe
2284	DiagnosticsHub.StandardCollector.Service.exe
2284	DiagnosticsHub.StandardCollector.Service.exe
6696	chrome.exe
6696	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4836	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
Token: SeAuditPrivilege	2356	fxssvc.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeRestorePrivilege	5588	TieringEngineService.exe
Token: SeManageVolumePrivilege	5588	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5708	AgentService.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeBackupPrivilege	5952	vssvc.exe
Token: SeRestorePrivilege	5952	vssvc.exe
Token: SeAuditPrivilege	5952	vssvc.exe
Token: SeBackupPrivilege	6104	wbengine.exe
Token: SeRestorePrivilege	6104	wbengine.exe
Token: SeSecurityPrivilege	6104	wbengine.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: 33	1860	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1860	SearchIndexer.exe
Token: SeShutdownPrivilege	4412	chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4836 wrote to memory of 4996	4836	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe	89
PID 4836 wrote to memory of 4996	4836	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe	89
PID 4836 wrote to memory of 4412	4836	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe	90
PID 4836 wrote to memory of 4412	4836	2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe	90
PID 4412 wrote to memory of 856	4412	chrome.exe	91
PID 4412 wrote to memory of 856	4412	chrome.exe	91
PID 4412 wrote to memory of 1980	4412	chrome.exe	99
PID 4412 wrote to memory of 1980	4412	chrome.exe	99
PID 4412 wrote to memory of 1980	4412	chrome.exe	99
PID 4412 wrote to memory of 1980	4412	chrome.exe	99
PID 4412 wrote to memory of 1980	4412	chrome.exe	99
PID 4412 wrote to memory of 1980	4412	chrome.exe	99
PID 4412 wrote to memory of 1980	4412	chrome.exe	99
PID 4412 wrote to memory of 1980	4412	chrome.exe	99
PID 4412 wrote to memory of 1980	4412	chrome.exe	99
PID 4412 wrote to memory of 1980	4412	chrome.exe	99
PID 4412 wrote to memory of 1980	4412	chrome.exe	99
PID 4412 wrote to memory of 1980	4412	chrome.exe	99
PID 4412 wrote to memory of 1980	4412	chrome.exe	99
PID 4412 wrote to memory of 1980	4412	chrome.exe	99
PID 4412 wrote to memory of 1980	4412	chrome.exe	99
PID 4412 wrote to memory of 1980	4412	chrome.exe	99
PID 4412 wrote to memory of 1980	4412	chrome.exe	99
PID 4412 wrote to memory of 1980	4412	chrome.exe	99
PID 4412 wrote to memory of 1980	4412	chrome.exe	99
PID 4412 wrote to memory of 1980	4412	chrome.exe	99
PID 4412 wrote to memory of 1980	4412	chrome.exe	99
PID 4412 wrote to memory of 1980	4412	chrome.exe	99
PID 4412 wrote to memory of 1980	4412	chrome.exe	99
PID 4412 wrote to memory of 1980	4412	chrome.exe	99
PID 4412 wrote to memory of 1980	4412	chrome.exe	99
PID 4412 wrote to memory of 1980	4412	chrome.exe	99
PID 4412 wrote to memory of 1980	4412	chrome.exe	99
PID 4412 wrote to memory of 1980	4412	chrome.exe	99
PID 4412 wrote to memory of 1980	4412	chrome.exe	99
PID 4412 wrote to memory of 1980	4412	chrome.exe	99
PID 4412 wrote to memory of 1980	4412	chrome.exe	99
PID 4412 wrote to memory of 1980	4412	chrome.exe	99
PID 4412 wrote to memory of 1980	4412	chrome.exe	99
PID 4412 wrote to memory of 1980	4412	chrome.exe	99
PID 4412 wrote to memory of 1980	4412	chrome.exe	99
PID 4412 wrote to memory of 1980	4412	chrome.exe	99
PID 4412 wrote to memory of 1980	4412	chrome.exe	99
PID 4412 wrote to memory of 1980	4412	chrome.exe	99
PID 4412 wrote to memory of 3688	4412	chrome.exe	100
PID 4412 wrote to memory of 3688	4412	chrome.exe	100
PID 4412 wrote to memory of 2796	4412	chrome.exe	101
PID 4412 wrote to memory of 2796	4412	chrome.exe	101
PID 4412 wrote to memory of 2796	4412	chrome.exe	101
PID 4412 wrote to memory of 2796	4412	chrome.exe	101
PID 4412 wrote to memory of 2796	4412	chrome.exe	101
PID 4412 wrote to memory of 2796	4412	chrome.exe	101
PID 4412 wrote to memory of 2796	4412	chrome.exe	101
PID 4412 wrote to memory of 2796	4412	chrome.exe	101
PID 4412 wrote to memory of 2796	4412	chrome.exe	101
PID 4412 wrote to memory of 2796	4412	chrome.exe	101
PID 4412 wrote to memory of 2796	4412	chrome.exe	101
PID 4412 wrote to memory of 2796	4412	chrome.exe	101
PID 4412 wrote to memory of 2796	4412	chrome.exe	101
PID 4412 wrote to memory of 2796	4412	chrome.exe	101
PID 4412 wrote to memory of 2796	4412	chrome.exe	101
PID 4412 wrote to memory of 2796	4412	chrome.exe	101
PID 4412 wrote to memory of 2796	4412	chrome.exe	101
PID 4412 wrote to memory of 2796	4412	chrome.exe	101

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Users\Admin\AppData\Local\Temp\2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-30_b00a3892f30044849a150844b9114796_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2e0,0x2e4,0x2f0,0x2ec,0x2f4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4412
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd77f59758,0x7ffd77f59768,0x7ffd77f59778
    3⤵
    PID:856
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1664 --field-trial-handle=1880,i,17876053506037540149,7771723372036062400,131072 /prefetch:2
    3⤵
    PID:1980
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1880,i,17876053506037540149,7771723372036062400,131072 /prefetch:8
    3⤵
    PID:3688
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2212 --field-trial-handle=1880,i,17876053506037540149,7771723372036062400,131072 /prefetch:8
    3⤵
    PID:2796
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2996 --field-trial-handle=1880,i,17876053506037540149,7771723372036062400,131072 /prefetch:1
    3⤵
    PID:4980
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3032 --field-trial-handle=1880,i,17876053506037540149,7771723372036062400,131072 /prefetch:1
    3⤵
    PID:2964
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4528 --field-trial-handle=1880,i,17876053506037540149,7771723372036062400,131072 /prefetch:8
    3⤵
    PID:2280
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4804 --field-trial-handle=1880,i,17876053506037540149,7771723372036062400,131072 /prefetch:1
    3⤵
    PID:4460
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4948 --field-trial-handle=1880,i,17876053506037540149,7771723372036062400,131072 /prefetch:8
    3⤵
    PID:3052
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4976 --field-trial-handle=1880,i,17876053506037540149,7771723372036062400,131072 /prefetch:8
    3⤵
    PID:3136
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 --field-trial-handle=1880,i,17876053506037540149,7771723372036062400,131072 /prefetch:8
    3⤵
    PID:5868
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5348 --field-trial-handle=1880,i,17876053506037540149,7771723372036062400,131072 /prefetch:8
    3⤵
    PID:5944
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:5124
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x23c,0x240,0x244,0x214,0x248,0x7ff6e5257688,0x7ff6e5257698,0x7ff6e52576a8
      4⤵
      PID:6452
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      PID:6496
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x84,0x244,0x7ff6e5257688,0x7ff6e5257698,0x7ff6e52576a8
        5⤵
        
        PID:6524
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 --field-trial-handle=1880,i,17876053506037540149,7771723372036062400,131072 /prefetch:8
    3⤵
    PID:5132
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4648 --field-trial-handle=1880,i,17876053506037540149,7771723372036062400,131072 /prefetch:8
    3⤵
    PID:1752
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5536 --field-trial-handle=1880,i,17876053506037540149,7771723372036062400,131072 /prefetch:8
    3⤵
    PID:3136
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5688 --field-trial-handle=1880,i,17876053506037540149,7771723372036062400,131072 /prefetch:8
    3⤵
    PID:6288
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5804 --field-trial-handle=1880,i,17876053506037540149,7771723372036062400,131072 /prefetch:1
    3⤵
    PID:7020
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2628 --field-trial-handle=1880,i,17876053506037540149,7771723372036062400,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6696

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3896

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2284

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:228

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2356

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1100

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1464

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4168

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1156

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3648

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1876

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4464

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5196

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5248

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5320

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5376

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5496

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5596

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5708

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5764

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5952

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6104

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5160

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1860
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:6704
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:6748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1044 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:6808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
032d47a219becb665d7346293ced83a0

SHA1
7d3a87280a0b7ab48f55d6f334de04ac7931fbb2

SHA256
63cc8411beac57d332984771ee2749d4af707c713f6ed6dba6bcceae0851d254

SHA512
26622fb53eb061fe7c86832878b8226fb6aaa9683298accb935f2bca15ef3082e26ebfd0e290ae1286dc9dc244e4a41f8acf39750fcd8c14d03a90817cdd5a44

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
5fb50403f890edb59b4b86933384f5bf

SHA1
63224e25f2561ef61d96cdb479c595c770479e79

SHA256
6e207d0ed4f87da7e4419f0b697ccb4e86e2d9808bf6ae39b17fb2ea7e717a13

SHA512
d5bfb2ae2d50a9a159fa4cdd88bd1784fdbb2e1f2d0fb8840aa7e17475f2e1c702cd8ab6a3078f4ad854f76121178678e47d56ef9d6e97f3747828989c326750

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
ac7bad8ff8dabc78c1a111ebee28c20a

SHA1
78246a93546e04a4a4d30a008ec727a7c293bffb

SHA256
664a6d3d6fcc1d6847639f654eacf89ebdf7034535b8fc401d85183f56cd84a1

SHA512
b4a14ea0ab37a17e8b9a1b2ba689dc5cb3003883d2b8c1fc445af56e755e6ee49f2416b263b611b78c5b525db0d603347a46d7568899c9135284fad8ba8eec94

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
7c1562dcfd945515919f8b36832f99e5

SHA1
49521739cccee7744b99941f3d0997fe60bc6080

SHA256
001b7a002eb3f98af44345fa0a92b7ebc332c38f9c2c0d154812df2a41bb97a1

SHA512
f7e9ee8922d56ab9f18a81a7bf9b0ebaada05f5b3dc41207cf9c3d2fb19dc143e3fa6e281c7227d465f3f50725641fd598ce12438ed3bc5e5f0260300bfdb6f5

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
09779c36d2e826f658bd10f96db4eac7

SHA1
8716263d329c066362791eebd5d250d606e4e97d

SHA256
99af465e1766563997757bd6ecec2914038e7d093f85ec0ba7e42d7a62816719

SHA512
7cbd934d90da2e070e9ce9c8c6ac0a955b99405abb859bf68aa5a902506b2d1f692a1943479083bcbfe6c0395b8b2268a2ba9e8d81951b0ff11ff215d99b0695

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
27fabaace58c434fb53b0ec84c968c44

SHA1
89c5ef869fb78349ad521ca1f3b43dab5858727b

SHA256
5e1a2f01244778d838a0d84ef39a4b2eb089ae673aa76da60e4212821c8a1f1a

SHA512
ab21e1c7557547f2c34911b76477ffed70f67201bdc9eaf34aad6b99b924c2691037cc95d087153a344b098b015b2f78328dee8aa70c8c2742556ca045877c00

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
5a76786deac3c753300d47190b2f887d

SHA1
b8543b5f7e9ee7a1550f74f3afce91e888b26742

SHA256
bd43d23d6d9a7cf5df36ff3370bf1a8b27acdd9d1c9a3f2c78905c9d75a2ad09

SHA512
dbf6651397604a0804c74985b659a5e623589a372947dae1acac27996c32e1548b7292a9c44ba7a6a467dc6ed0a3021ac1199b142025699305b3e204d27be77c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
ee0bd2a2dd353b346edb63326d05813c

SHA1
b24a85bf2b709063a2b10dda1ac978ef3f0da3bb

SHA256
de8cd0b09fc2c6ac5f698562e535c5e10b2e03f4c7199d9c812fcadcad384d0d

SHA512
b74d9b3a311fe15344c506281aa4d833bb215d2a5056363e9eb39799289dcf85b33cc3778965e477eb68846628ca86cc8001e95e07e11015f4800f47fc220e28

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
9b810d792d4e9899590eea6e0a3463c0

SHA1
a47fe7460b03d08203ca79fdf090c1149b167a7b

SHA256
b26772f1eacb9a53453c46a3a0119849f86d682410bfdc1ecb70e4c54bc72fd4

SHA512
d3420d72f0956f8979e0e11826bae61bcd383f559105d4cdadaa1baffa24a9be2357fb8a71c6623e753e5c60be7f805f031fe31ac957737d231146b4ee7a7be8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
545054ea63df4baf0c8dc75fe0b781ed

SHA1
41ca2c26c66f4dac3afbae7566d19310c935646f

SHA256
5051d69590e59f7b818abc097ad7b9433172c8b023eb8d05f984cabb8df9f3b9

SHA512
85737db0c5b6a24179343af4e8c97d3915dcc09c1c3cde2fbe2705452f5a98c633291f885d4e5ebfd520b3d0f80c414b3f78c7deeb5e27fd350a50714514b35a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
56bf2c317a40028791e7c4ac2c170fc4

SHA1
2b3d62c590b3f7e515189437ad036ef2580b383d

SHA256
104cd7beb27a3564cf27039849cc06e2580b077010fea03fde87229f27208013

SHA512
f58131fb5e08434e304e881f1af615bd5419ba6a17909d5d71651288b0286cc1e5caad9bc7d8f693a4edc5c2dd02cdd70b55b014996b622954c076d42c916991

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
dd4362cef2a824b3e27986d485c39247

SHA1
1e2ad37ab6f11a5836027ffb7fdb440112073f0d

SHA256
71a2cfc527b3c3c2a052b0c6581198af6b9fe71ea648c810aea23f597537eeb9

SHA512
9cf966ac247af4de876f75bf709912ba8a88a2b24d06699b8bf60fcf350f8c27cbc3084f815edb0cc6c269c93cbac10a9460734a48f885cfd1e82b48b3cb3465

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
4aa8c7fc89d6557e99277b28bca51531

SHA1
3362d9fa0663a3eaf786d8a310e5a48cf0b2102a

SHA256
4f7ba577e6d45b404a6143f9295456a3783b20e40f5c64c957a786b9d0120dad

SHA512
9467dee281791c7931dfb557908e38e3f050ed5e5c14404fb7cd738b0d8f740d1ceafbca811de4931b63abe894416a6c86c4d1d1f5e816d2d5763b9d9b0d1785

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
58d0aaaca89f1a764168919d550459f2

SHA1
762c0519d248e804b6f44dc15c8bd3c2bc928744

SHA256
f3f9f96ea83df1ea22befdb8942d95455784de1a1ba48b9b4391edb4b575231d

SHA512
35c913f3267595e1249990ae938aa2525aeadc4af6cc99a42c6b47cddf99518c5df24614c97076377515d49e5276ee9638905628a20ed16a036c6356cda6b90d

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\ba3c0ba5-1dd7-4ed3-8acb-2e92097e29ae.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
334d13908b659d8d77286a44ac7ae6e8

SHA1
30b7f8be5470cfd18fdd7cc6688d134c4d63fc24

SHA256
be66de9377e270cecbff540f543e1614402f9286acc579ace75a60929205e819

SHA512
58cde18255842785947fdb71ae23cb7ac4e95d9ccf369b3022785432ce3e02a2a7b13d823467d6705b083bb869e86e7b2addac8bbfc7038179c00a25c3ce3cad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
85cfc13b6779a099d53221876df3b9e0

SHA1
08becf601c986c2e9f979f9143bbbcb7b48540ed

SHA256
bd34434d117b9572216229cb2ab703b5e98d588f5f6dfe072188bd3d6b3022f3

SHA512
b248162930702450893a112987e96ea70569ac35e14ef5eb6973238e426428272d1c930ce30552f19dd2d8d7754dc1f7f667ecd18f2c857b165b7873f4c03a48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
284c300986aee992ae4131a83f0e562e

SHA1
fe39ffc96443314630e19d51fa6f55f2062e9592

SHA256
171b39047e7977624360866aea066d1115d6d9fc22c8c78633f8094deaabcca5

SHA512
ca4081ed96745b4f9403a3e8e9ee965efcf1b468f21321159e839cd888fe9f3eadd35c08c35fbc63101d25597741e49ec86d4a3b7d29f10b42d5cfb17fbdd12c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
e3299bf8a3e0ce0657e5bab5965a5aba

SHA1
377c957ead217055d26a03858e42bc37d1dbaca1

SHA256
6837d851cb7628d23aa70418db33142983a541c474ed0d194bb704e44414ec77

SHA512
09b0284c2c14d8c28212b027be330e492b819a708e728d428796966d7e366b3f5bf8caee5384c5ef1f7d1ec4436fdd9070bdd2bd4406674c5e98defce6e23965

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
078cea401485140ac224f7b9b07d6dca

SHA1
9194e1ff1bcc037924e8ea159de0e4bf8e7c9fcc

SHA256
1745edec69937760ef05e5b562d3252476c9822ae98e0f8f5eeeefb028721209

SHA512
555f114d6b57c7721912ece3cb5f2d06b74af02e99f86da228b2c54f50d6089a82760f1ffb8f6e73916cc14a4d8bdc36b7ffb236931eb09b4585a3cd3152838b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
3KB

MD5
064762900f00cd886185355bb5a2ec1b

SHA1
efa80c431ed27f14f0110710d67b5ea9881c997f

SHA256
69778fe8799964d02b41ac3238269db8c4c1a3e802659ca310ef5c9b31abc869

SHA512
62989c1b638fe6ed3fd370c0e1f22d93df4522ef1b8b62ef403d3658298af486ce0f1b34734245edb72b6b7911ee415769111d4f6793ef25c8a893b15f3836d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
3b88a2f8d6f1a7e71b56d2198eebc50c

SHA1
c64ab7c850d7fc197955a65a03f9b0d75ec39fbb

SHA256
74938a34229b0201b498777d74663eb668e9cc625ce70448b51d3181d12aad4d

SHA512
3936579a10ff3fa472ad17afea5f6ef4ff132c17446215a6a7c8a3b34680f8d7649f2750fb501f2385d6b94cc74e1daed7d3c1ed22de6949246086c5e06938e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
40af7c6727078fd2bf04112744df8f92

SHA1
479ac97799a3bb7c38c50fec7355c54d4c08ce1d

SHA256
1c182117383fd201b65d9f98219234bb9b09eabfff2d3c71c0fa7c7efe6a4cd9

SHA512
f873893c28552c482985d54b20ee54eca35ca968608176d3e013eb7405061994c25a4953834af5e1df32a082679dd98807590db8a2cf891d30470957b458d93c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe58296c.TMP

Filesize
2KB

MD5
04695aadffdaf28b5be826d27d48721a

SHA1
ce79df7c80926a86b0e1a922a05bcab16c7620c4

SHA256
0bc76b0a74faa8d4d25cfa28127c42750e86004af7a10d590e07a33a89726b51

SHA512
aa3438c4a09ea9c0c52dccb6cba636ac99c11b47a5b78317869823d6c39bfdfa304f40e67867b8ca9c4269efaba12431ae59a1d54c671f38acb9e4fe3d23da54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
10KB

MD5
5db335fa6ab2f714d5c45dcd0dab4a7d

SHA1
385ff7e90a220d2c665075ea6289d6835ccdef00

SHA256
3960d4e6147b7f1452a7eed01e0b5f30c3e6e168463502acb783a8408ce5710e

SHA512
4258dc2e40158d4ff3803910d257e0ae307aaf8b1913701010b7480be5b1c4aff66d751a670486685fddad53a6c2fb8f987589a11b7196020afc4ccac3ad59e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
13KB

MD5
0bb504548e0d36322af3e04c69c673de

SHA1
2b27853de7c0da8475811ac65eb48e47af085bf4

SHA256
629ce73a50acdd6a216d9491d5414f7e6df194079b73ed2f9c2998c14cf2d414

SHA512
128980501b95e45a890fd02b0e814dc55f83a1777a09142c7dcb6fd5c7b339cfa98abb43bb4e894ecf3840683028d3716a4ca1223aa6139d945c1b230cd3c704

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
281KB

MD5
69100b157b5aff0df5355fa14af07bb5

SHA1
c1d6ba8c0b0cb238b06226657fb31797cd3a80e8

SHA256
fb2e8839364c26e360b415fa3fe9b72afaec81bed9074a224ee6ce549f95006f

SHA512
62f0ae8c7f3807ffe5995c0bf0f9f17db90fc5dfbe972fe86da7f306394143317e325ba1506973dfef6181f2df122522d06e581faa6dd4ed1b1ac75b0cfdb997

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
4KB

MD5
33da64575436fde36f34b541cb4eb2e0

SHA1
9fb59ff75e25d80f393c151e38fc23b2ef01b737

SHA256
cfc1e78b09563314793594006db61b67e0da2720ad91b543643e02fa3d267243

SHA512
2ed76da1af212462aaeffb608e257d7e797f1e64851df3e1a718973a99a78c209901b5187d822c630f6c84302a21ea1a0c94b506d3ea19c9bcb604578cef8080

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
6KB

MD5
006fdad3e4bdda11894d582aa865da98

SHA1
de7976ca1bf41ddd84a6d573b5416154dc0ede09

SHA256
6f8537a508fe9c725db36285f01e738c8ca1ecc9f72cf0a6597f43137cc167c9

SHA512
b7c07d11809dd5c206f1fbfa3c0d3c2bd1ed246c4611c0ea5d499eb79bcd8293bb99fc9b1bc7e0e1644a97c188d567e97d0a98af9d5ebacb9d4e220bbee17b81

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4412_2075532844\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4412_2075532844\c27c3d31-1e9d-451c-a06f-4e5850593f62.tmp

Filesize
88KB

MD5
2cc86b681f2cd1d9f095584fd3153a61

SHA1
2a0ac7262fb88908a453bc125c5c3fc72b8d490e

SHA256
d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c

SHA512
14ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986

Download Submit
C:\Users\Admin\AppData\Roaming\9d1f5768b3e2edcd.bin

Filesize
12KB

MD5
a7518f9d3d7a5be38e475c8750f45283

SHA1
19b7160f78fcb17094feeae7b387f719abdf3185

SHA256
dc9652e3f0123280720a2b6db8d0dddd27a8029501a25195be3804e6cb03bd00

SHA512
5d900eded0e3110728ca108344f9ae6e3385355d5e2d54f2b110f2bbe4c009d71a2b9240b14f8f7afd348bd401d74b41f6034f576b0c73e9d580fcae7efcc053

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
d16da944626daad2468692e88680b63b

SHA1
4277e236526c1fa46cb491cae1783dc43d321dd5

SHA256
7fbf23e35e2c86c325c697d2e92ef5d95c321a28c3de84d3304267867f4b1d01

SHA512
2cf2b897b4cda344b7ce669b9e59a36092a7e2980ccca4270c676e1e05c3c1b3507bcf256252e189b2b1ecfbb446a14b5ceae42eda0d3c3372a28c164642ca9e

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
4baf2682ba70f5563b2189f9897eed02

SHA1
ab5e65f9a0d8d049d8b631de5e4516c48dc81259

SHA256
0134718188d2c5cdb1b5adbc56277c334944599eb4bc316b754f6ebfbcd1e34c

SHA512
2a8168e96e4b397aa4cdb456b1b31765242147c601c4d9682ab8409c7d8f07d4225092124bc11a5861ccd7b6fee5b08104a951186d1ddcd9a029dc14eff92444

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
f559fc25068d918092bccac0a11d895b

SHA1
25f6fac4e488f7341b168f9153aea55aa1fab9fc

SHA256
7585fd565e163df308e16f13f8603e13fa3cad6e3dc85e380a18b8313606fa31

SHA512
81e012dd2f10470d928499ce71211fdaa968842b7d3cfc8686eafd4350c63383917b0d80b8bad27205d1f5f6b8285eba15f49dbcac897a327c956388cf11bf68

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
ad42abb6e86812465b5c4b2c3e0c7d73

SHA1
ca5caef1922ba18cf2bbbd008571bb133f0b4f80

SHA256
fa4a4485a19c078f927398330bf53b2695eae6865adf326a685e049333e67758

SHA512
46b658a3095864fc1939b4c37c07f3386b8c41054c9e7d36040d9832a36f0ca1b35529f7ed764bc6ed366e6b890c9b25414097c9d28ccb15036d8f9b70e326a3

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
b491857b553cbba920db8e59e1bf2f86

SHA1
c632662a3643571e61f15ba730580261348e9858

SHA256
fa15af5afcd14fb97f8594603610627dbfdbf6b92b67d98974846d304f43f5a4

SHA512
be81fbc327df8cf7e55b29c0b360aa76dfcfff7446e84227fdc7540fbb39d676687f4e360aa9867cddc7517d209b064e45d87ecade6c4dfead7f1925da2d5c42

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
be9b60e0b6c9380daa08484651644372

SHA1
b46a82fffc30f8ae920adf69eabd376da63ba457

SHA256
6ba71867a2fe70c076482ec15d06b71c3bb42ec56d6253b519233aa436d3d8ea

SHA512
3ceaf8973b0453819b77de36d1c64782cf538c408cdbaaa568d4cdc73806a3f032b1f94fa43a9d5e3027ba7e357be3fffd9f5d252fa27311b6ac4099187b4b15

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
2c4fac7cb19a3ddedcd276f9b2475ea6

SHA1
14b9c5a99c1d530342ea7850902465fe2121fbe0

SHA256
00469af6ff7f1b8a4c14785960d2279968cec67a8d5345aebb08aa728b8b81d6

SHA512
fafcc6f9d3bdda0926c9457b7c6c511058a6e828f6bf1c70d0fd490893df836089a539366bba9b3c84768535021e68fc47fe23876e6d64186a5e95804f789a5c

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
c33f50cc69476292999f9cef88fef63f

SHA1
43adddb0a544178e41ceabf16fc05eba8225fed0

SHA256
57e5ede37a2aef31cbcf093ba93255dde6e51231c9c02a6fd01f66a3d24f9ae7

SHA512
97a1808555663872a7bd2d0db1ce94313573bdd55c53a81cd908fe642a5cbdd4acccf549e0d19a17f9ab5edae17d64bb2818b4835817d6c9df8c913a9449e877

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
6d6095bc3d872e384fc1633fb193a5e7

SHA1
c4fc0379b96eecb4073a43c87366334f40768383

SHA256
538b168d83752a5dbea034ba51af6a48336c9a8ef3a1ce3d0c5a97fce616ccad

SHA512
9bc6bd1700e9794d3b8e1ec938ed9ed6e7d727334a6b85b204fae02b2733b27bfa30160f9b50fdecca56e57d086671451bbfc79185d3cd1a86ccc74ddf570140

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
d1fad7ed0ae2bdf65dd452524c012d02

SHA1
f931fe200c4c3683616f3b304cd1d586165d54c2

SHA256
27164f475dcc2d0d93f18fac3f8386ce17d873d110046dec4e7a08f5c4cf4cc1

SHA512
655f1e3db27eeb1f1e16a0cc877c80cffbc0247d71b72971a203d44b9232949395916b608ebae2bdfb00a7353d3fdd1e45ffd4cc338dd37fc3294d2795f802f7

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
9c52b7ca4a095f2b9901c0f2e428445a

SHA1
ee4f62489581f1784f10c5b248fe41d41c4e25d3

SHA256
1f439dfbd1e578eb830f68c60809585a283d85495306ddc8abc8144154eb8549

SHA512
b0f4bfba943fbc6f56a56d1e2127f59a201071051ddc7fae8ce67f83f9e6b6454f7eceab7172b8e321d9a9878f57091e45c5319bf9f29bb6f399dd247daca263

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
22be36dafe245ca131b047538c21ae0f

SHA1
cd101926971732093c1b4fe1cba5445b54651191

SHA256
ebf811ad19e653f5643a3add7d4acd24bc35692b1715bfbdcab8548c05f63c5b

SHA512
5f27bf8d5257b4bdbeda7d604e40288c145bb2704251fd3b18cca83c01b1522d93efd80bc587b7ab0ba4947690b5d4ab2f73000147a6e9df37631cf328cd364b

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
85b0ead793e2fb029c0dd44595fb4d3c

SHA1
d03dbd18b5024985e60fcd7ba5f9c54308f6aa7f

SHA256
b3424b4b0e4eb6f20f2e038a1aa05f1d7c40687cd12714e3e8f060c6660d231b

SHA512
2aede5c81264e4b1a66f0185bae74aad854549eefc3f867b13d5af2ebd6813f3f068768475317d9ed600379299816575405f613539b03cb93f54f06364665b79

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
924d286f79d406f6b6e39cfc11e3a728

SHA1
13061434565f47165c7feb7a17a1c2bd4ca19b0c

SHA256
905069c21f0365c2487bf0219998b25bfee4509c54aa3e3acb07f1774fa47267

SHA512
82533376df41de035f7bc2199d4e824cebf76aa5965b66d37e6a19be59b22731182b17447337d38a0e0492f6a41f2c9ac9b192bb30d6e1b37e9005cf22911bf9

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
69baf5c221a15404fe937d041217bfaa

SHA1
280dc14b69daa9a498835e375ca42b3f03656d0a

SHA256
bac7a8610557b2e5d3c52d999190dc42366116e2fd76d94c6445c4fdfaf5638c

SHA512
bd3404af1a06c075fe7a3f0a9f585b24181f5d4f653b9b4c856bbeecbae898d23c8183869da6a0574357f34f65ad0d4cd9aa4291116f7468fa9cb073e9c74296

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
3c80f31d733884885949836474f05285

SHA1
52a0996d59435793ec9d92d6581e47c90bef7dbe

SHA256
32e7c78cdb98500ca3f7e71c7748576dcf550202de713054bcd9bc98c8a61bf3

SHA512
bd1c6c8cb48a735eabe21c483b733d965dc81e9a617ce30397d6b580c14e83f546220483f94aacfba0c3168e7f4ac5cbfc02fcc798d749195e859491d03fe80b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
3881ca1d3bdfea9bbc0b7dd936824658

SHA1
900750992b2b78889d71db56f76eb2de0b3dbec9

SHA256
bf60ea1ee19ff26e369cd20a23ddc1a769db1aa0ecf59e41b577a8d13b4a6d61

SHA512
c8f6fe0e4996567f68546c4efa66c7ce47334b6a7dcc2e4c22a74d08e44898b4fb1648b84769e2a561bd3a3391d2db5f49af7628d6d78553895017fa9dcbe437

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
d50a4cdadffdbde32fdd4d2d5cc45c65

SHA1
b14676e2649ae531162c1df10539eca108eb31fb

SHA256
d7d81c11140905a3a48604bde045b87d2510fe8f574064368ad570935f83e705

SHA512
244e6869911740d962805a380b0851af8648243521213b171a675a95c6c8cbcc08292605e996ce8a7f00a649af4e581b0c8b933f46aa3fcb3e5a16ce316fa36c

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
0e1a0df5323f02fa141b11070035f203

SHA1
4662c48107aebe02429f78dc0ab4328f88ea9e8f

SHA256
169bdddd028372b9c8dc1bbc8bc1a48dce9089467cf7c3b5967ebc20713b1bb7

SHA512
5ef418e1f48b459f21f15f8462fceebbe5da2e16ff4cd02a614a6a508c1a9e28527c0d0778840600c85ba60d412de91e754b3aa0173ac4db70460367a2abc6e5

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
060642517dec64d0974b6bee9a53424f

SHA1
86e8881eaac34c142b5001bb9bfe3585d88c9ce2

SHA256
92c76ddffdc7afaa59bd5222ca961aac3b2b5da5b81874b1844c06c1af85edca

SHA512
595c3915725344c6497070cc11d8a717c61ab49c1fbecf0654b5cc37b8f062b352ce61ac194a31f5f59c866a7552983bd10a3297caa46678511430863e6ab4e8

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
58a4dd5edb025dd48043ff41ae6b35fc

SHA1
ddb51eb27f39b1964a24db0644b0a1849b7dc3cd

SHA256
6beb457b49b9eb33d6a422664a334570fb4a139aa47abdc6b3ae9cf06313f586

SHA512
7912b182d915944008fdeee0c3bef73688e09e3135cfad1f5eacac5c61ee36ead1ec90c5aab815cc3278d0d9d20a534d9299096326e867eb9613775c8f972f8f

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
0f71454f9b55ccd88c289bd88f2664ae

SHA1
84b58543f16521eba331d3263735a16eb7905250

SHA256
9f5ee42fff8b6bbfc1ff91d4a08de81f0378934465ed881be9e7b5a8ebfc5fb6

SHA512
d7970b89135a43b7d9f9f03b76ff331a708b2142f7f39cbfcb7cafa65830eefb8ecc6c1ae5184e959716c1a2dd171528ce23f35164206d687e2c98239c75c7d8

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
96b4e05fe45f026de467809394eb309e

SHA1
078b88f66c23ea615f2693420017476497682912

SHA256
c7aca25297a24836645b7cf1d210a56ff2c2482e390c8be022e7835028d8c55e

SHA512
dcbd113c52072f5c481485f467ab90e66bc81d4ebafec6b09c2e8d329c73f4562108ace32d72fed54b6bb76b1226b098a56e0546222c4278c1e34e080330f2dc

Download Submit
memory/1100-53-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/1100-101-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1100-99-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/1100-59-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/1100-61-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1156-205-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1156-108-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1464-70-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1464-72-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1464-64-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1464-185-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1860-255-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1860-896-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1876-137-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1876-238-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1876-127-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2284-35-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/2284-140-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2284-44-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/2284-43-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2356-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2356-52-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3648-219-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3648-121-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3648-113-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/3648-119-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/3896-32-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3896-139-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4168-98-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/4168-104-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/4168-106-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/4168-96-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/4168-90-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/4464-244-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4464-141-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4836-0-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/4836-6-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/4836-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4836-21-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/4836-25-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4996-135-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4996-17-0x0000000001FE0000-0x0000000002040000-memory.dmp

Filesize
384KB

Download
memory/4996-11-0x0000000001FE0000-0x0000000002040000-memory.dmp

Filesize
384KB

Download
memory/4996-20-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/5160-877-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/5160-252-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/5196-251-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/5196-155-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/5248-527-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5248-160-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5248-254-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5320-472-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/5320-170-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/5376-181-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5376-653-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5496-686-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/5496-186-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/5588-197-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/5588-719-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/5708-206-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5708-208-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5764-221-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5764-755-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5952-873-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5952-239-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/6104-876-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/6104-246-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download