b4b993bfab6512e01a10ddef98143d6274ea02cc258464c67747a78f454a7f03

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
23/01/2024, 11:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
Size

5.5MB
MD5

f32b64259e00eadf5e3a6c6360c72616
SHA1

37f940d63d8a96ee9aa4e9e1136e1261d375deb8
SHA256

b4b993bfab6512e01a10ddef98143d6274ea02cc258464c67747a78f454a7f03
SHA512

3790539180f2657f156bee4302551a7509222d14e8f06cbd64a591793c71d9588952c9f8eea4b54cf8afb6511f598e9c71641ee46083ba1950bb0aa4c9e67bee
SSDEEP

49152:ZEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfT:NAI5pAdVJn9tbnR1VgBVmJqo4w

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 21 IoCs

pid	Process
5644	alg.exe
228	fxssvc.exe
5232	elevation_service.exe
2480	elevation_service.exe
2280	maintenanceservice.exe
1592	msdtc.exe
4828	OSE.EXE
1784	PerceptionSimulationService.exe
4268	perfhost.exe
760	locator.exe
5704	SensorDataService.exe
5572	snmptrap.exe
1436	spectrum.exe
3840	ssh-agent.exe
5276	TieringEngineService.exe
316	AgentService.exe
4244	vds.exe
4116	vssvc.exe
1016	wbengine.exe
1364	WmiApSrv.exe
3900	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 35 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8e0e45804d74bb6b.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{BDAA48F7-DD30-440C-811E-DBC3EB54B114}\chrome_installer.exe	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_85453\javaw.exe	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ae713b42ec4dda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001478a041ec4dda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004a9dc641ec4dda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000021d9e041ec4dda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000da61cb41ec4dda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003cfd0642ec4dda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133504816010584742"	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008d3ca541ec4dda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000da61cb41ec4dda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006000c941ec4dda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a04a1542ec4dda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e3711c42ec4dda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
3056	chrome.exe
3056	chrome.exe
4032	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
4032	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
4032	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
4032	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
4032	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
4032	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
4032	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
4032	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
4032	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
4032	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
4032	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
4032	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
4032	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
4032	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
4032	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
4032	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
4032	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
4032	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
4032	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
4032	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
4032	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
4032	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
4032	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
4032	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
4032	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
4032	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
4032	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
4032	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
4032	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
4032	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
4032	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
4032	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
4032	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
4032	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
4032	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
5788	chrome.exe
5788	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3076	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
Token: SeAuditPrivilege	228	fxssvc.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeCreatePagefilePrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeCreatePagefilePrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeCreatePagefilePrivilege	3056	chrome.exe
Token: SeRestorePrivilege	5276	TieringEngineService.exe
Token: SeManageVolumePrivilege	5276	TieringEngineService.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeCreatePagefilePrivilege	3056	chrome.exe
Token: SeAssignPrimaryTokenPrivilege	316	AgentService.exe
Token: SeBackupPrivilege	4116	vssvc.exe
Token: SeRestorePrivilege	4116	vssvc.exe
Token: SeAuditPrivilege	4116	vssvc.exe
Token: SeBackupPrivilege	1016	wbengine.exe
Token: SeRestorePrivilege	1016	wbengine.exe
Token: SeSecurityPrivilege	1016	wbengine.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeCreatePagefilePrivilege	3056	chrome.exe
Token: 33	3900	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3900	SearchIndexer.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeCreatePagefilePrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeCreatePagefilePrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeCreatePagefilePrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeCreatePagefilePrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeCreatePagefilePrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeCreatePagefilePrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeCreatePagefilePrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeCreatePagefilePrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3076 wrote to memory of 4032	3076	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe	85
PID 3076 wrote to memory of 4032	3076	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe	85
PID 3076 wrote to memory of 3056	3076	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe	87
PID 3076 wrote to memory of 3056	3076	2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe	87
PID 3056 wrote to memory of 5376	3056	chrome.exe	88
PID 3056 wrote to memory of 5376	3056	chrome.exe	88
PID 3056 wrote to memory of 1880	3056	chrome.exe	101
PID 3056 wrote to memory of 1880	3056	chrome.exe	101
PID 3056 wrote to memory of 1880	3056	chrome.exe	101
PID 3056 wrote to memory of 1880	3056	chrome.exe	101
PID 3056 wrote to memory of 1880	3056	chrome.exe	101
PID 3056 wrote to memory of 1880	3056	chrome.exe	101
PID 3056 wrote to memory of 1880	3056	chrome.exe	101
PID 3056 wrote to memory of 1880	3056	chrome.exe	101
PID 3056 wrote to memory of 1880	3056	chrome.exe	101
PID 3056 wrote to memory of 1880	3056	chrome.exe	101
PID 3056 wrote to memory of 1880	3056	chrome.exe	101
PID 3056 wrote to memory of 1880	3056	chrome.exe	101
PID 3056 wrote to memory of 1880	3056	chrome.exe	101
PID 3056 wrote to memory of 1880	3056	chrome.exe	101
PID 3056 wrote to memory of 1880	3056	chrome.exe	101
PID 3056 wrote to memory of 1880	3056	chrome.exe	101
PID 3056 wrote to memory of 1880	3056	chrome.exe	101
PID 3056 wrote to memory of 1880	3056	chrome.exe	101
PID 3056 wrote to memory of 1880	3056	chrome.exe	101
PID 3056 wrote to memory of 1880	3056	chrome.exe	101
PID 3056 wrote to memory of 1880	3056	chrome.exe	101
PID 3056 wrote to memory of 1880	3056	chrome.exe	101
PID 3056 wrote to memory of 1880	3056	chrome.exe	101
PID 3056 wrote to memory of 1880	3056	chrome.exe	101
PID 3056 wrote to memory of 1880	3056	chrome.exe	101
PID 3056 wrote to memory of 1880	3056	chrome.exe	101
PID 3056 wrote to memory of 1880	3056	chrome.exe	101
PID 3056 wrote to memory of 1880	3056	chrome.exe	101
PID 3056 wrote to memory of 1880	3056	chrome.exe	101
PID 3056 wrote to memory of 1880	3056	chrome.exe	101
PID 3056 wrote to memory of 1880	3056	chrome.exe	101
PID 3056 wrote to memory of 1880	3056	chrome.exe	101
PID 3056 wrote to memory of 1880	3056	chrome.exe	101
PID 3056 wrote to memory of 1880	3056	chrome.exe	101
PID 3056 wrote to memory of 1880	3056	chrome.exe	101
PID 3056 wrote to memory of 1880	3056	chrome.exe	101
PID 3056 wrote to memory of 1880	3056	chrome.exe	101
PID 3056 wrote to memory of 1880	3056	chrome.exe	101
PID 3056 wrote to memory of 6044	3056	chrome.exe	100
PID 3056 wrote to memory of 6044	3056	chrome.exe	100
PID 3056 wrote to memory of 5772	3056	chrome.exe	98
PID 3056 wrote to memory of 5772	3056	chrome.exe	98
PID 3056 wrote to memory of 5772	3056	chrome.exe	98
PID 3056 wrote to memory of 5772	3056	chrome.exe	98
PID 3056 wrote to memory of 5772	3056	chrome.exe	98
PID 3056 wrote to memory of 5772	3056	chrome.exe	98
PID 3056 wrote to memory of 5772	3056	chrome.exe	98
PID 3056 wrote to memory of 5772	3056	chrome.exe	98
PID 3056 wrote to memory of 5772	3056	chrome.exe	98
PID 3056 wrote to memory of 5772	3056	chrome.exe	98
PID 3056 wrote to memory of 5772	3056	chrome.exe	98
PID 3056 wrote to memory of 5772	3056	chrome.exe	98
PID 3056 wrote to memory of 5772	3056	chrome.exe	98
PID 3056 wrote to memory of 5772	3056	chrome.exe	98
PID 3056 wrote to memory of 5772	3056	chrome.exe	98
PID 3056 wrote to memory of 5772	3056	chrome.exe	98
PID 3056 wrote to memory of 5772	3056	chrome.exe	98
PID 3056 wrote to memory of 5772	3056	chrome.exe	98

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3076
- C:\Users\Admin\AppData\Local\Temp\2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-01-23_f32b64259e00eadf5e3a6c6360c72616_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d8,0x294,0x2e4,0x2e0,0x2e8,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x108,0x10c,0x110,0xd8,0x114,0x7ffa1e199758,0x7ffa1e199768,0x7ffa1e199778
    3⤵
    PID:5376
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2900 --field-trial-handle=1904,i,4462730971375759837,11577359325920142423,131072 /prefetch:1
    3⤵
    PID:6036
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2892 --field-trial-handle=1904,i,4462730971375759837,11577359325920142423,131072 /prefetch:1
    3⤵
    PID:6088
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4588 --field-trial-handle=1904,i,4462730971375759837,11577359325920142423,131072 /prefetch:1
    3⤵
    PID:3140
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4920 --field-trial-handle=1904,i,4462730971375759837,11577359325920142423,131072 /prefetch:8
    3⤵
    PID:1556
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4772 --field-trial-handle=1904,i,4462730971375759837,11577359325920142423,131072 /prefetch:8
    3⤵
    PID:1248
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 --field-trial-handle=1904,i,4462730971375759837,11577359325920142423,131072 /prefetch:8
    3⤵
    PID:5772
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1904,i,4462730971375759837,11577359325920142423,131072 /prefetch:8
    3⤵
    PID:6044
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1684 --field-trial-handle=1904,i,4462730971375759837,11577359325920142423,131072 /prefetch:2
    3⤵
    PID:1880
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5112 --field-trial-handle=1904,i,4462730971375759837,11577359325920142423,131072 /prefetch:8
    3⤵
    PID:3332
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 --field-trial-handle=1904,i,4462730971375759837,11577359325920142423,131072 /prefetch:8
    3⤵
    PID:5236
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:4544
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff6fc2d7688,0x7ff6fc2d7698,0x7ff6fc2d76a8
      4⤵
      PID:3896
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      PID:5844
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff6fc2d7688,0x7ff6fc2d7698,0x7ff6fc2d76a8
        5⤵
        
        PID:4420
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 --field-trial-handle=1904,i,4462730971375759837,11577359325920142423,131072 /prefetch:8
    3⤵
    PID:4128
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1044 --field-trial-handle=1904,i,4462730971375759837,11577359325920142423,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5788

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:5644

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3460

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:228

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1592

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2280

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2480

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5232

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4828

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1784

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4268

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:760

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5704

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5572

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4340

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:316

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4116

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4244

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3900
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3872
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3620

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1364

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5276

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
175KB

MD5
be45b50b7ea423cd55926307b5ff4246

SHA1
fcc449cf934016dfe9ce0b9b49cab5cd0ead5cb6

SHA256
d876e27edb2bba1d2b881bcc9816021451bc392cec0a2bc22904bcd5c0ab137b

SHA512
c41e28b6b033971e3d979fbdef0c12a367af557f78f0670b0970a4a0a67268dae4e3a692bb40682d0488c9dbf2149e9d3bf28e3d937ab1e7ac7787ca16ae1f50

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
395KB

MD5
bf4564a5b5055c535dab6fdd220b5923

SHA1
e0f40eb7435c3c4e32811ec2b891adb12a34ceb6

SHA256
e08804e1df657d64be2a49e35adb26be1b0325ba7a5a9c3a8cf3ab6ff093a0fa

SHA512
0d868b9527cdaf53352308c6ccc5da59358a3d63d360cc103adbc4529d6e76f80f684e1b20e659a9f19651811697e63e35514c76c303edbaee8869d0450a2c4a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
278KB

MD5
ae8ac56af6b1556ccc3a33537c0dd26e

SHA1
95964db5d3ea462368c469adb7742cb918a2dcf2

SHA256
7fc52cbaab3c2a89202afc0234d111f5479c36615051eec86f730268e440d35a

SHA512
8bfb55d8d0aaf3c4ca810d90b8418b24061bfc6771b63aef96a7c3d741c7f533bb1f6acda95cc1bf6a1f50351b734273d714acfda0f2a7df2e0d06443d6e10ba

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
300KB

MD5
651e770d94a54123980f8d0910bf92f2

SHA1
2343ef58d40e42e2086471593db3ea72384c082a

SHA256
ef96a6885cf9957e75276dd42f2ccb2b31d588df5770ed0a73fe89c2aeee625d

SHA512
c1a95088fc40569a90ec20478be7c2e1eaa82904710b8d5c5e4835c167c85975ee395882cc036aeff03a0dc66d1538e51ae1a13d427961c723c227b0be6ab071

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
334KB

MD5
0636143a54e549f23a44d7e5e9fa3bd8

SHA1
a53f41fd4cf27f338910e79af0adcb33bc921207

SHA256
bfd75f7a9c0697d6cd350f9c7f0f8710bbc760828c2da25d8bafef9046a3d712

SHA512
aebfd06437b36468c8e68d8194e30e10311c29046bcc13808fbe81fc500fe333e801bed9ed9b5d97d6d15d306a16f16a2d7101c9cfd1ba6dcd2a3f7ac92b7853

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
394KB

MD5
bd811512969e0354cec46aadeba1639c

SHA1
2e5b0e0eb2cd2f6bebc802e0677fc1d86a779c6d

SHA256
e17bc1e272a627d6c37fa72e510bf27b55628b98a6b15f2d7abcc3a434d9d556

SHA512
8ea9fd5de80f4c3f8f0ab49ef02c3d9259b311b9cab22deb43cb6e39781ee726b774152707bb2efece6e444edaf229de4cd39cfab4f2e6ca23323a4585d9bda6

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
347KB

MD5
0c1e7c69987472f1d32d9abe86691c5a

SHA1
5a0f6f6eee9696abbd898b2f0971fd08b716cda9

SHA256
cda47867e23cebdee0461290e6a71b2db1d4142039aa2d645796b44e22d4e862

SHA512
71bc69b740902cdd6e0efa86e9df2950598c6615d61076900e95c4b24e418b89d1a0c42c8da2247d54b98e2bb7a0016b8899221fc17a9fa40abce17cdd207f0b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
595KB

MD5
6ecc67513cc0ebc6b4eff9148ac5318d

SHA1
beb67a052100b080eab3c878880648465b664c98

SHA256
11f869677d87c3c4c633f841864e1948c6879b7e06fc881fa32f1a5775482b2e

SHA512
a6c1a8e7cbd74124cedf0c79591a67a80fe03bd4d2002fd2e15992ab9fdbd291eeaae2c97428b20faa747488ff361d90f7a059a526628dee2cc5bcd7b084f57b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
312KB

MD5
95590395c99168c950a798e9cf12b335

SHA1
f22115a8211d7cbf3b431767126bc07a86f1accf

SHA256
5b49b79a555ee1c5ea3bd138a4ea8ace0ac96c16a5bab94357686868747d22d2

SHA512
79d42c9a348748a219870f2c43aec48b0dc8e80004c5f8f6a4a851fa4ff84a48e5047e4b37198204b6dfa626e4e8f7c0459650d8b3964848975399a74e34a7b3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
79KB

MD5
96a2660fee070285bc32ec66d8d19165

SHA1
d9a9e4ee552b3975850e3663e4d306d22eb2d090

SHA256
cb170e375276b78bad61a02ecbe262fbc76205894ffb1dbf89b0edabf017edb2

SHA512
547266ba8d61712d202a20424f2f0eb66252b8bd5acd2ed7773730fa955de7270cf70dc37ac43496c8d241d2389422467d85f66f94d6eff8409a01e812b2d700

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
178KB

MD5
9d39f0f807d6bbc993deaf276a69d252

SHA1
dd4ac7519c323bbd8ef6614631a3fb11edf4b210

SHA256
807e30a8c15320824f1ccb5f3658bb264a9cda63dc14bd50ffdddc49fb4857e7

SHA512
f0500a1402450c548a4025af50bafe61685b8379f17a5a1e6e88134887fdfb08fe39aa0b5668c8aa55010cacb8ba40864aab1ff184b03a92d4849d02b9f85126

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
124KB

MD5
4835e4c193f8f460e55363c959253576

SHA1
3aa4e82199f6f7ec5fceac9d6b79eeeb4d350ade

SHA256
182c0699b3b06217a5b1357833b8934b481fbc5446844d1a23bf8f8916ed7ca0

SHA512
e1e69a727f45c798fbf6c6c042c21fe14ff9c9355cb2dffb17282f637548aae5bcb48c2bcb5632ccdb2965aea6e34bce9c1e301bd286feac0ffa5b7057f9efa1

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
216KB

MD5
f4736fdc11d5ba4ee32361c0d1085513

SHA1
9fa47bf8a7ab1498b20834a232dd8a67afc3e21f

SHA256
90a5ae8964413c6e781b156c44da6b3d5db8cf18f04a4a4c1c2d27ef59330283

SHA512
18a7081bdd82bab1e960c1b5fde5098d36eab449324a375c43d5d70096e6a4d06a64ed34c78ef75cceaa4bd55ed1a9fb417e1f43a11df75c2c817e75648b9ee8

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
223KB

MD5
853089c6e162377efa422d77e75866cb

SHA1
26f351f7538068504ac7c170ff414b3ce3d44828

SHA256
b558ca2c46c714e31eb66882a47395c6e1e6350d6845541866d2ddc26d56bcce

SHA512
f21c20a33cc7865d4a2059fb3831b48b5edb2a2da2df027104eafbba26be378ad08792c73da0fd59056bb266cec8c4daf2e14cc269fd67e337e0115d1cc8ac4a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
277KB

MD5
0dbe513fe2accfb8290ba885a4a259e7

SHA1
65a0a79d0b19227575755cd343002feafee258c0

SHA256
5d451e7ae0ae429c7bd6e5bf0b797f0c774dc5ef374a298813817bdf61e3f4e9

SHA512
fbaca457288f9dfea7c55183a907a1576a26ecc4f9a2b99882c91f33eced2560525648bdd77d357b3bea21d09b5f4b13bb6dadfd1c378bec57e341dbf0e94784

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
438KB

MD5
48a5080b20d173b63c5211804d2fa3d5

SHA1
847a516cd100cfbc94827cd07fa6cea984c05098

SHA256
d3cf21a9617dbb9c4d822ff04911eb63812f1c30267479e6444d2b06601ebc09

SHA512
3dcdb423ea8a3f9982f8ef71b28fcc155e5695055155bcc6895783ef81a0c78d9e03bf8b4f8615a6859e548124f9a378eb0f2655a8b33de3c44322ff9f558f5f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
464KB

MD5
037c64e1b9a66b515150d7b0f2cea6ad

SHA1
bfef544ff719775297dc2b77456e5aa4b04e1357

SHA256
1b7fb0617dccc5b9df8acdb485b05184ae056fd9de8c08e4a6592bd46f08b7f0

SHA512
b06f4ea56111f86748cb37d673101e340c531c77f1ed1b69b5601f8bfbada9a6006d784702bf204652d1ce172f24c1041a8e3b0609af658516cd3968b3d09b72

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
248KB

MD5
432b416675858a4d1ca15389b0fd8c71

SHA1
5ffde3fa9d028ec0fd715144c9a2825e9b3c78d2

SHA256
3aac563dfa4e9882410e2780e46cf6efd4c8c5792739ebb20ee12f18e5fad3cc

SHA512
32a3c1b6e2d8f7e2255f86d2249521fecafd9022be6ba6b9b3725f88295274488cafc47f509ac0f596c127fd3a6df41bde771fb7209c4bc102402f167a5aa82e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
408KB

MD5
3ae272d6e465230db8c22bb24f053e94

SHA1
78d9cc9bc68090c80145cfba2d5dd6b0185c158a

SHA256
b1bad90a6b3fb84f360808a417527e8973e82d2fef891c462db01f77ab0d99a8

SHA512
afc2b064a8e78c71ed9feb9a4dc1bca39dbcec6f10fa855326e412455b88d77e4fcb28900d664cf38b20d1adfa0a91afbe1d6f2244cd4414ad491576ab6afcde

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\e198e888-285c-47e8-8399-140a27b44cfc.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
306KB

MD5
e9ae6a539ab710df065690ec7aa2e3ce

SHA1
422625032cdf842886056819f7437c5428c01477

SHA256
fc701630b523ae7ed767702c75877982d36f8c1c74384d5d1c433a8bdd2a8203

SHA512
06ecb3c0c83a58f3074c4094081fc37fabbd1a9dfe8e2eb1eba98d0cbc94c525b600b9e875de33c0c2fbb0ddaf44eb4862fc47ab33e5d88c0d275a49295a8a2b

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
162KB

MD5
041ccd9f352c26695536831e9d984da1

SHA1
a330f466645df9e30a791cdfa0e2489ba82e344d

SHA256
162268fb1f63e3bf48a5bdf1379d731015a7adfb47859a3b02a7264636d11b56

SHA512
c3f4b83e91e99473fd2a0131219ddb0103c410625b6cfbe38d90e75ce05f867f042dc9e00fa1b20cc76a8082d279a7c431ff81d2f68c5dd817ca23c9f2ebf6b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
bb2cdf82802bf69b297c9fae3fa48e85

SHA1
f26dbf7984929197238377b2b3e37f974447448d

SHA256
29998264d3f24068d6705e32cb6306f042797a0025aaebda57b3c581a49be0c7

SHA512
00535865805747cb5fe10f4f67872b52e94fd0ce51937f94a7662254027919b13df4af538557116cd4a8002afbeb295c601a79d5e64c8d2d2de9cf377eba1db7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
a8415a44801f54d6de7782fcbb1c8721

SHA1
7a0e7d09fd28b4a7f63f8a043ace74dbb4348f6a

SHA256
def156ca72fc13c694be9d9246793a4271f6b9a7f0da83290e94cc22cd46d701

SHA512
10661ca5e413492e6ee8546e9b49b90b793e7cdf54047c608fd8d1c839e3b99c471d1e18b18af82ff655ff0a99df601b1bb53b26fe531b7c77a7246b92288f26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
2d0311389b579379d31890baf9360820

SHA1
259afab9ff2321dbc7dab89a4a83bc748b6e386e

SHA256
e33b90b510e5318ab2fbbfe7ba76b5231d4cc5644481fe392afbc7c0da05fe35

SHA512
5857921fa91b011776646cece7cc0e13e50c41e37cc07c5c2c3561467aa463cff643bc48974c29d6d1912903e8af0ae99447806667a08963156867fbc38a3208

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
2224c7f78b7a650d59cdc94d8c67969e

SHA1
aa486d1bdce4f0eb5e9d0adb1513d2fc33ac6dbc

SHA256
e08abee20ccb66b079840f459e7d2b99e209f97d4141263e301b2f8c0db41897

SHA512
5fc74d5da9d54e24c4079fd5d953f9a36bb4f055955af35409e4bb817f2e84bfd729814f60a085cb7dd52357911a041e34baf21b50e506351167f5b72a6090bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
fb4299f856463bf0ceb948ffad402880

SHA1
8ca4f7a9ce09dfd6ecfe8e9839db2e7453d2a55d

SHA256
223b938829fe328878a5aaac46964d7c470886441330b8337a64b11fff667bd4

SHA512
8803562ed79d5a00abf0eb3ffbf610465eeff3ad7f31b3f9afa804fe1971aea9cd97405750e695e446a037cab0b32bd895e58b555c7471b6c32fdbd886be4d73

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
c35d2257059fb6621f93031a6046fd19

SHA1
82fb79826ae5896b7a0040d8485c556faa15f9ff

SHA256
0ec0f7040097f1c41d5bb175d45729f9a99b38a8c22356772d3eb2c66fa29fd6

SHA512
628d249a509a7a0aaf584c390035764f9e21ff597f7dd764d0a1ba5a321fc5ee55ebccf36fe10e0c97d811ce69c6dc44d2a00e17fb7270db80baa92820fa2d54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57827e.TMP

Filesize
2KB

MD5
290e9802629398a9ba56cfb50ca5f135

SHA1
3baf9a4863eb4a435da55f93e82a8ebe7a9f0106

SHA256
bd3b2b7f2fb53d7f94ee52219c2d5bce2b8fc511ca64df36236ca30e77e74f2d

SHA512
4eb9a305aeea0b1bf7659dd87c24d251cd182b456b18b776f3f6686fec05586cc648614b8d9090685b7d023d61dfba1cd733d357e1b3962e6be9789b879f7772

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
aedc9015a4590e083dde35041e2e2cdf

SHA1
0626af2a6ec9101f129b933bd5b2c6853411d93e

SHA256
6f2c2aae9cab98deaba1a53346acf2be8457dc8411cc80336e527a1db26ecd58

SHA512
6f757a2ba5aa5cfcb55878f5243293acc0e6ab3089c3d2cb17957903a4c823ffe1066007345ae6e61794e7b2209fce7b6bd17e047163e55b4f1749dbc305bed8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
229KB

MD5
522a51f57ea4c43835ddaacc3f91109f

SHA1
3ad3115ef73f8234ea609193e43de2ba2ed6efd0

SHA256
cd025bc00a65069d37314d79e2a9d6af0d8f96f230ee79695cf7b0d8007216a8

SHA512
02aa7a55f45b134bfa9762f055db06397e112c879e2fb3b86d2085842728b0ff2f3fe70b92bd4f54c0aa340479511e32b7fc9644232c5d34e9252cf135230dc7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
21da1c1dc1643c24f72fc3a0f7dea0f9

SHA1
50c05c13b668ca8d42006cd161d3c6e50990eb67

SHA256
ae84eec814cd953f4b4a9b6e9bf4985998ec32f54397c2b9913768961ccb9b93

SHA512
5b5fd9b838e602d3af9163df34fad8ff2b8c7ff139bf500bcd28209dabe6f269d5bad1f47ec7e024f57764525712aea26ef62a4e04e39da16d9325444fb80d1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
f4d58029d17596c877dc31a01156bde8

SHA1
77be17e99fa1b4cacce5aba56114a235fc84d2e6

SHA256
ec7ac37e51895f0665451bdc8acea0d2520dd00e6bec2ed0031b5a819613cc87

SHA512
d87d9bbbab2fdfd2296502cf30a77250b37e93b4811cd061d21b0e0d759e0e178b4bc14b89017e7bf2afec412e4b8642fb9977540abf19459bb418e90991beb2

Download Submit
C:\Users\Admin\AppData\Roaming\8e0e45804d74bb6b.bin

Filesize
12KB

MD5
4d9f027c33fb430161c01c3eb8632d47

SHA1
b471492ae4ea4c13fd21f802fa7bb1425a6a31c5

SHA256
080384b6f1a4d5d08894ca910b3032568e766a7e283ac7c210922298d2eb573a

SHA512
3b341b43d75a6643082e0d94ead4bfad3d3ae543fb3bb66264b3ab7df6d4b1718e81d56b419dc74756d10eb0abe2a917ad0fedb7eb57454146180ca8fde97695

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
155KB

MD5
0494ebdb1cca4eb0dd883b79509da3a8

SHA1
a238ffef63e6012a8be35834d663f60605cb6b4d

SHA256
de08b817a36222832de3ca9db74cb3d005bca3215faaf4293f36c71b79b2c07d

SHA512
ace9de8c6cb23516aea00b50e571df38e36fe10b1e35d2a6d0f0982915d48a060684200f6af20f95ff76719a39154380917bcad9ec6acc8632759520aa1e777f

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
372KB

MD5
2ef95ff1bc7c3d15e18122fea236f620

SHA1
97cad60ec9886679d8f46152f1266fcfeceb9931

SHA256
735603b13f66bceec481f51363ad17b265ea0ab4de1ace465735f71cdf7bdbf7

SHA512
de3281e665864fa45b07ba3fd2f00952e29051ebf40f9c533ce64a510d05e714325ba2bb997315eb01d3b68b0c11dca72f94215dc826f92ec3f5e9b15fea4048

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
565KB

MD5
34787a605ed83d56e040650b1b8f435d

SHA1
07b9c66b9ef6e0d7af027d0ee6ad0e448519ce66

SHA256
041f90a9be2399c739468b2898eafc37e3ecb9752166a2be29ec10c4af3ce4b4

SHA512
a8c2b5a2895cc2ae02bc3ab9ebace3ee7518e500158a241a8852616138db541614df9846b9c57d356065e3f32146ef8e54388224748f4b1eed46deb86b53cb1e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
94KB

MD5
d9261e78ea0ea3a77f9c1c80aaba6dc2

SHA1
6558ef38bfeebe72691073916a7ea6ca155a886b

SHA256
2e01f4900cec73b2fdaf61b412051f4c5eb8ae83052439afb1fd5ecccf4f3f3b

SHA512
b05088feacddfa9de4107312db75a923255a4ea8c333d0a11487da86e34918a4b4e31d1b22eaf77269bfe496e501d00eeb15e83cb61b0b802844ee99dc320c62

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
257KB

MD5
fe8d035e4f893d47673266c3a3a0781c

SHA1
532ae835fb6573841b4785bdf905b0b093a4855e

SHA256
98e80fe7e3f42ff7f2b1994a5ce2815c1f33a7f411700dffc52d595e6b0ece37

SHA512
de780f0fe6a535ee74b4b1f1f91be3da1d2e6dfeb20d6ff610c62f243fce256a95b0d282c5d38e3faf97c08de05dbb1b73835f24692053dc5ce904f76f27be17

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
306KB

MD5
e8fb987e0ff1da336ef27208b237efd4

SHA1
39fbe5119378bfdd7260bd64eb048edd7d140c8b

SHA256
78a439a5d1d76095cff36eae9a953bb31bdf9df6016c2623b76a8bea211c5ca7

SHA512
1a59a44f6f80eea61afe46ac627d81db0274cf94328a3ac37795581a52b79de724ee3a4c93a53de74b39669e22e546c4b2af34d7edb739059b5371d61798d1c4

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
179KB

MD5
ed78e25236772bc970e12ff7d5e6abde

SHA1
38f3eb44cb07d3f40662997f58761181808f6590

SHA256
b0b8a0b3e7e40506e88f37bd49c8857b200792094b602dcfefaa09fa7ece6ec0

SHA512
612d5408315f420fea75cc15e1c9f32686bafaacdb3fe309f00896d630cd4abba921473e3fe3ce3b2ddfadd1f108723a08adae6bd9332119c809ee2305400ada

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
142KB

MD5
1734b60852801ce4dedba8fc4a376a36

SHA1
3b8117082f1871293d77be9c6226bfe2103ec35f

SHA256
1dcbad5790c5f07725e2483af5d4ca27fdcce6e256493820cf913ae32963a487

SHA512
c2f351ee880ae5e5aab1498e20b94eab95a55da4deab4e2ab1c44fb2f658731cadd2259d9be09f8a54041919f9cf88503081bb5a5eb7ebb2bf2116fa4bc37de3

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
113KB

MD5
edac119901c9a9e90b514ac8dff24079

SHA1
6e2217298a64a6dbcb0cc5898d10282cd7d39c5a

SHA256
20ac16e253edbd58734194f44de36b6ce5da21d5e643cb5c046299ce20b04358

SHA512
5ed1f43b61ff1f36f1e85ee366e2d75f636c917611bdcab3ca8bfe0ca57cdb0245a45e101de066a9d1fb2b71534086e3f3ac34fa645d9ab20a23817f6ec21638

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
460KB

MD5
8c8149b498989702d122fb5d1a4aab03

SHA1
fe0c1a508ba5c8f36ff7922e959f71ca7a62632d

SHA256
c88fe9265f4af786ee880a1827732f27b34a663df6634e9788ef8c63a9e492f5

SHA512
161f3632b1f576a7714f1595dec1f678c9e3d8b25efaf59f5390b8c5ebb24b1b1ce098072b0e8344956652f20f2b0e6b521bd4a24e36b236356328ff27d4ef07

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
491KB

MD5
4a989c2d2e500c75ee8eec4aa183a686

SHA1
c5d65f650268e1c7e275f2dc09462b318d2d34fd

SHA256
492d269415808c09fac418bd3ee726d9d9502ec66b683ec0da906540e8c56731

SHA512
b67e7b0c916f71d5c518e6232cb2682fca0d5886d878f51e383fa16d68585175580a035ddaaa03a9f4567dbb5145551f9bf9c2dc409ed69bb4a3829718ed7189

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
402KB

MD5
5b779d3f7ccd2de234b85745d1c8216a

SHA1
7d097f78ac4fdfa23b6cc90f86c63acc49a9fc6b

SHA256
068267316ddf05224b0d44c5c0cbba291e22a4eb1e28b7e5d28ed5d6ea72886a

SHA512
1da6db28264bf6b337bfcf1b7c288925130445a2a3ffb9323c1153e13a3ac76584b6bfca50b6080f5de9d92f0f428a509478ccfa7fb61462b036a5af47b37754

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
136KB

MD5
96764512b46281e35862052a79912bbd

SHA1
f66b3ecb6353303524c4e3af70c0b9ef55803922

SHA256
4c44cb69d02677c71e43c9c54694b3c63e07825c9a36e886271159f5655bca28

SHA512
aab4ac530aae8fdc1eeab24cb3d4ebf3a66dfec217ef971b00e51cdb10b689fc45c67b24838ee7fd77e67b7a68c2a2efe5b00395133fc0bda30cd2d7e4ad77fa

Download Submit
C:\Windows\System32\alg.exe

Filesize
106KB

MD5
e4896a86ca01aa8b4ee371a8a41934e1

SHA1
c0514a0b80de41496610a62a2bb187110adc3942

SHA256
b8b4b813c292d24ba14a767373a6625ce0dd080bccc5184b62802d4d46538344

SHA512
cbaedbc8c9a724a8480ac35750ae26d02d084063c04cd994e62e7880e13ddf7ce0a4ab38c10a585cf0c9b59b4450d3c8ff1bae2b4534d8a8b9e39dd6aba81e97

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
423KB

MD5
c7e3c3185dcbca34f992cdcbf8e4be27

SHA1
a07e6ef2e6c94bfcacc1d68a1fc16604109e0394

SHA256
b406b5122319ae854164851dce1e644d7cd2fb3e4ad52b70db3c77106f13fed3

SHA512
d82dcd23dea35db6cf25646e411b597007ea11cc67e775b46728a604ab764710c32bf2ddbaa202e212996170a86500e6fab547f9f2a90fd332b62588ba8644c1

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
125KB

MD5
de27bf48bd339b16f0f7c473c99e6ca5

SHA1
4bc67474aeea18efe22016ba6b728dcb39889a9e

SHA256
9fa22ed369615a40fcd08bc25762c7b061ca02f0889e9a310d04ac64d8be37f8

SHA512
219d46de10acb5fb1c0aa21ea0026d4853aee073cf83f03bd0b565e9de40b42aab4668dffdf184955b86c31d5233288f2fdc9f10d57a2d02d78bad9f1fc61429

Download Submit
C:\Windows\System32\vds.exe

Filesize
109KB

MD5
06ce6db3158199292b902cf08f0a3188

SHA1
04c360713cdba150980f90b46f243242e2681aed

SHA256
ca5c2ca30d778ca284abcca2d5c570cfc36981c9fd38551baaad1a44525be98c

SHA512
256871e7410013f73099a577d5398fb4a9424f873fa28611c9f33b99a6d4edb4fb6e289fba2bc67fc15191b0e2cff1db54b0a42edcf3d143bbb333fca59e75c1

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
11KB

MD5
84265c39634584d85f02df8e6931433b

SHA1
1355fe0cf77b78c256f06f48dd407209e6346ea6

SHA256
68f12c4c52ccc336b0988138307f6c768d123a4eb446bb461bbc622a3b8e560e

SHA512
a6f72df2942969a8bf9b475c121e42b11325e9559928dec743b54895d667367ed88ab7c3ed16d0266c6ec15eba4c09c3cf2e38d6b1695ccd46d1df62014e398d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
256KB

MD5
3bdb14fedf3992761d54ceb2f716327d

SHA1
1e1e86afeb899eae977739eb247b8c140118adf3

SHA256
e350fd22551b3ac3ffce7a072f82f1250e32c29e322a70723de6bd37d699b162

SHA512
a58dbc1767f63609b05b65e49a0292dade5b5836d96acd3852444b94940a5b7aa6bef3537e176bdb1a337b6ba558392aacfa773abbd57312f110354349886b0d

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
4c673548cddb6b082f48537ce42f0278

SHA1
7077489247ee9e8640de79562dcd484db9f950e5

SHA256
2727141051205cc7df3e821fbc031eda6187e568a3507ee24d00062678d9d666

SHA512
6ccabdb781dc8ea917193221ee4a0b8b03f573eb0055470e68a5eba793e5a501a48ea3b0044780160ebd922b13159a23ea8f9c07d8956d612216291573bfdbb4

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
326KB

MD5
9ff2e7e3fe1aba52609c90550c761682

SHA1
de3fe2b44dd62efb643643ba30f7d25a28a73c58

SHA256
644f6add2a5f9c9ca568264d1c2f491fa3c99238e46f37fa60f646f124a2486d

SHA512
5e52e15abe4b68da451b9cc6ffdb8a70051128deaf8150c5564a5ee2ab036103d61175f3d16d472b29a4935519c3be341aed17599cc47b32c01ee601eac7f06f

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
586KB

MD5
17caf5353381b211cd1ece3510fd0bd6

SHA1
7453c348f7fc23e6801cd3c0ab128c9151aaf3f1

SHA256
b4d0993b196c401175943175370c92f185cfb4aef0a654bc2073c64e3ca41cb6

SHA512
c07c589e72133903d02663b3eebdf0bcc0fb3c44587f83f7493fe3265cff58774f2f517538396775f00484f06dca889affff33590e1f4ca86c86ce5251ce065d

Download Submit
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
589KB

MD5
c9603ca529758d026ded720d6a31cdaa

SHA1
737b98b4e45f91684abcf529a7fb8ac795a4c6ea

SHA256
6f3dce94c4af94b0abbd8904cad912575b707da73896dbe916678894ce3a0e6d

SHA512
0505933071f13e6b32d5317526c37d669d77a1efa8d8285d75058e73b32bc9a22e8e37dc7e95a782acb1debf69b1ebbe709aa027a85c98bfbf05d92198c7fc03

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
256KB

MD5
b05c725a9af51d83a889f87d9a740920

SHA1
e3da39c6e65eb3fb4f76d04cbd8bb08bf4279fc7

SHA256
5bcecae519022c7f0838030db4b3b7a657bf6b20fe87143ed4bafab2c3d6c024

SHA512
8485f03e7e70cac27db6e807692848f25f9a1d065c6fbfb3bd6558a762f3ecb04fbbcdb6fa2c73c1dd2e2e18100bfba9727cb206c5d281fd343b7240b19b48fc

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
dd1b7f24242b481f466abba842397fe1

SHA1
c79450bf9a4caa5c691380acc3860688b2ad8697

SHA256
b59b6679d7eb00ca61ce11b94a242a09123ce3fde0a4455677489ac681344a25

SHA512
b4b3e3f07c7d0fb7b4e2a8524d61dd4c1b3e6f716ae2da680883e30fe8d6c6cb103a43f6a7efb48859b70196d979821241afef2bd8c81c7e5bdae53f453ccd23

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
430KB

MD5
55d09f800643fbbf4db4a4eafbe84f37

SHA1
3cfe517511ce37619407af826ca6b98e03795945

SHA256
c9f60f64f136fd2082416c5195e501cc82504e457b5778b89abaa6ef1a1010e6

SHA512
abbaa2956b5811185ab15bd1aae582aa967935459a223fcbf2dc6f8c371bcde29d75ba8e43dc5f134f16f07806dafd6b37d4620da3af1274c26870e29e55726f

Download Submit
C:\odt\office2016setup.exe

Filesize
253KB

MD5
c1e287fa0538041183ad53128b33366a

SHA1
51de0c02cfdbae4ee06fb2f9154462cf92478a98

SHA256
080c0e4fd657d3c4ffbdd15af99925aaf2083fbcf6ef2d8bb47f57c5e06fa65d

SHA512
62fbbf205855c621807b9b2a0fc78032a3e7f32e8e92a7fab77a5a52763779b8eab05c7fcd274e232605485f1f023516e683f7ea2c45484cbee5382160a9b0ff

Download Submit
memory/228-65-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/228-55-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/228-46-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/228-60-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/228-47-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/316-303-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/316-304-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/316-279-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/316-301-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/760-192-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/760-250-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/760-183-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1016-334-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1016-341-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/1364-348-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1364-355-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/1436-232-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/1436-224-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1436-319-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1592-123-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1592-195-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1592-131-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/1784-155-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1784-164-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1784-222-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2280-99-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/2280-119-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2280-117-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/2280-109-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/2280-104-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2480-74-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2480-169-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2480-82-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2480-75-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3076-0-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/3076-34-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/3076-2-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3076-42-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3076-7-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/3620-576-0x000001B56ACE0000-0x000001B56ACF0000-memory.dmp

Filesize
64KB

Download
memory/3620-575-0x000001B56ACD0000-0x000001B56ACE0000-memory.dmp

Filesize
64KB

Download
memory/3840-332-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3840-237-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3840-247-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3900-368-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3900-361-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4032-25-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/4032-11-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/4032-12-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4032-102-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4116-320-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4116-330-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/4244-562-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4244-309-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4244-316-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/4268-246-0x0000000000520000-0x0000000000586000-memory.dmp

Filesize
408KB

Download
memory/4268-170-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4268-236-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4268-178-0x0000000000520000-0x0000000000586000-memory.dmp

Filesize
408KB

Download
memory/4828-149-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4828-141-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4828-210-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5232-116-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/5232-112-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/5232-63-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/5232-61-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/5232-70-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/5276-346-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5276-270-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/5276-251-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5572-212-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5572-219-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/5572-307-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5644-111-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/5644-28-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/5644-16-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/5644-18-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/5704-205-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/5704-196-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5704-277-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download