90bb777700c818ef49e2adf4cf40c2ebecc582eea30640ed667799598357d48c

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
24/01/2024, 23:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
Size

5.5MB
MD5

7d63c0474251e3079c7510e37f11fdb1
SHA1

2fc623347e7cac3923d5ceecf0ac394040eae7f3
SHA256

90bb777700c818ef49e2adf4cf40c2ebecc582eea30640ed667799598357d48c
SHA512

26ddf13fac92f3cf4b60bb4ce20e1784747585ae0ebd5efe2a4f7848e54bb906fac37f822b75f54a5a688e081b62715f15f64c94477488ad0eaf465913f19187
SSDEEP

98304:0AI5pAdVJn9tbnR1VgBVmUU7dG1yfpVBlH:0AsCh7XYFUoiPBx

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
4104	alg.exe
2272	elevation_service.exe
2716	elevation_service.exe
1588	maintenanceservice.exe
5072	OSE.EXE
3300	chrmstp.exe
4292	chrmstp.exe
3332	chrmstp.exe
3664	chrmstp.exe
4540	DiagnosticsHub.StandardCollector.Service.exe
1232	fxssvc.exe
2640	msdtc.exe
4860	PerceptionSimulationService.exe
5076	perfhost.exe
560	locator.exe
4688	SensorDataService.exe
4356	snmptrap.exe
4252	spectrum.exe
928	ssh-agent.exe
472	TieringEngineService.exe
2532	AgentService.exe
932	vds.exe
2304	vssvc.exe
872	wbengine.exe
2912	WmiApSrv.exe
3652	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\637950504d74bb6b.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{BDAA48F7-DD30-440C-811E-DBC3EB54B114}\chrome_installer.exe	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_85453\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006bbb03351f4fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ac424b351f4fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001a3f89351f4fda01	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133506133627800989"	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ad1d06351f4fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a86b33351f4fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
5016	chrome.exe
5016	chrome.exe
2928	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
2928	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
2928	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
2928	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
2928	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
2928	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
2928	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
2928	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
2928	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
2928	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
2928	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
2928	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
2928	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
2928	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
2928	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
2928	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
2928	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
2928	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
2928	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
2928	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
2928	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
2928	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
2928	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
2928	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
2928	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
2928	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
2928	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
2928	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
2928	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
2928	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
2928	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
2928	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
2928	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
2928	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
2928	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
5640	chrome.exe
5640	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1600	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeDebugPrivilege	4104	alg.exe
Token: SeDebugPrivilege	4104	alg.exe
Token: SeDebugPrivilege	4104	alg.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 2928	1600	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe	85
PID 1600 wrote to memory of 2928	1600	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe	85
PID 1600 wrote to memory of 5016	1600	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe	87
PID 1600 wrote to memory of 5016	1600	2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe	87
PID 5016 wrote to memory of 5004	5016	chrome.exe	89
PID 5016 wrote to memory of 5004	5016	chrome.exe	89
PID 5016 wrote to memory of 4808	5016	chrome.exe	102
PID 5016 wrote to memory of 4808	5016	chrome.exe	102
PID 5016 wrote to memory of 4808	5016	chrome.exe	102
PID 5016 wrote to memory of 4808	5016	chrome.exe	102
PID 5016 wrote to memory of 4808	5016	chrome.exe	102
PID 5016 wrote to memory of 4808	5016	chrome.exe	102
PID 5016 wrote to memory of 4808	5016	chrome.exe	102
PID 5016 wrote to memory of 4808	5016	chrome.exe	102
PID 5016 wrote to memory of 4808	5016	chrome.exe	102
PID 5016 wrote to memory of 4808	5016	chrome.exe	102
PID 5016 wrote to memory of 4808	5016	chrome.exe	102
PID 5016 wrote to memory of 4808	5016	chrome.exe	102
PID 5016 wrote to memory of 4808	5016	chrome.exe	102
PID 5016 wrote to memory of 4808	5016	chrome.exe	102
PID 5016 wrote to memory of 4808	5016	chrome.exe	102
PID 5016 wrote to memory of 4808	5016	chrome.exe	102
PID 5016 wrote to memory of 4808	5016	chrome.exe	102
PID 5016 wrote to memory of 4808	5016	chrome.exe	102
PID 5016 wrote to memory of 4808	5016	chrome.exe	102
PID 5016 wrote to memory of 4808	5016	chrome.exe	102
PID 5016 wrote to memory of 4808	5016	chrome.exe	102
PID 5016 wrote to memory of 4808	5016	chrome.exe	102
PID 5016 wrote to memory of 4808	5016	chrome.exe	102
PID 5016 wrote to memory of 4808	5016	chrome.exe	102
PID 5016 wrote to memory of 4808	5016	chrome.exe	102
PID 5016 wrote to memory of 4808	5016	chrome.exe	102
PID 5016 wrote to memory of 4808	5016	chrome.exe	102
PID 5016 wrote to memory of 4808	5016	chrome.exe	102
PID 5016 wrote to memory of 4808	5016	chrome.exe	102
PID 5016 wrote to memory of 4808	5016	chrome.exe	102
PID 5016 wrote to memory of 4808	5016	chrome.exe	102
PID 5016 wrote to memory of 4808	5016	chrome.exe	102
PID 5016 wrote to memory of 4808	5016	chrome.exe	102
PID 5016 wrote to memory of 4808	5016	chrome.exe	102
PID 5016 wrote to memory of 4808	5016	chrome.exe	102
PID 5016 wrote to memory of 4808	5016	chrome.exe	102
PID 5016 wrote to memory of 4808	5016	chrome.exe	102
PID 5016 wrote to memory of 4808	5016	chrome.exe	102
PID 5016 wrote to memory of 3704	5016	chrome.exe	94
PID 5016 wrote to memory of 3704	5016	chrome.exe	94
PID 5016 wrote to memory of 2296	5016	chrome.exe	93
PID 5016 wrote to memory of 2296	5016	chrome.exe	93
PID 5016 wrote to memory of 2296	5016	chrome.exe	93
PID 5016 wrote to memory of 2296	5016	chrome.exe	93
PID 5016 wrote to memory of 2296	5016	chrome.exe	93
PID 5016 wrote to memory of 2296	5016	chrome.exe	93
PID 5016 wrote to memory of 2296	5016	chrome.exe	93
PID 5016 wrote to memory of 2296	5016	chrome.exe	93
PID 5016 wrote to memory of 2296	5016	chrome.exe	93
PID 5016 wrote to memory of 2296	5016	chrome.exe	93
PID 5016 wrote to memory of 2296	5016	chrome.exe	93
PID 5016 wrote to memory of 2296	5016	chrome.exe	93
PID 5016 wrote to memory of 2296	5016	chrome.exe	93
PID 5016 wrote to memory of 2296	5016	chrome.exe	93
PID 5016 wrote to memory of 2296	5016	chrome.exe	93
PID 5016 wrote to memory of 2296	5016	chrome.exe	93
PID 5016 wrote to memory of 2296	5016	chrome.exe	93
PID 5016 wrote to memory of 2296	5016	chrome.exe	93

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Users\Admin\AppData\Local\Temp\2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-01-24_7d63c0474251e3079c7510e37f11fdb1_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2e8,0x2ec,0x2f0,0x2e4,0x2f4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:5016
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcfb589758,0x7ffcfb589768,0x7ffcfb589778
    3⤵
    PID:5004
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 --field-trial-handle=1744,i,3473140515680363867,1301471796933442936,131072 /prefetch:8
    3⤵
    PID:2296
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1744,i,3473140515680363867,1301471796933442936,131072 /prefetch:8
    3⤵
    PID:3704
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3032 --field-trial-handle=1744,i,3473140515680363867,1301471796933442936,131072 /prefetch:1
    3⤵
    PID:2428
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4920 --field-trial-handle=1744,i,3473140515680363867,1301471796933442936,131072 /prefetch:8
    3⤵
    PID:2844
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4784 --field-trial-handle=1744,i,3473140515680363867,1301471796933442936,131072 /prefetch:8
    3⤵
    PID:4996
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4584 --field-trial-handle=1744,i,3473140515680363867,1301471796933442936,131072 /prefetch:1
    3⤵
    PID:4396
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3024 --field-trial-handle=1744,i,3473140515680363867,1301471796933442936,131072 /prefetch:1
    3⤵
    PID:540
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1764 --field-trial-handle=1744,i,3473140515680363867,1301471796933442936,131072 /prefetch:2
    3⤵
    PID:4808
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5068 --field-trial-handle=1744,i,3473140515680363867,1301471796933442936,131072 /prefetch:8
    3⤵
    PID:1708
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5180 --field-trial-handle=1744,i,3473140515680363867,1301471796933442936,131072 /prefetch:8
    3⤵
    PID:468
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:3300
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x2a4,0x29c,0x2a0,0x298,0x2a8,0x1403b7688,0x1403b7698,0x1403b76a8
      4⤵
      Executes dropped EXE
      PID:4292
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      PID:3332
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x28c,0x290,0x298,0x294,0x29c,0x1403b7688,0x1403b7698,0x1403b76a8
        5⤵
        Executes dropped EXE
        
        PID:3664
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 --field-trial-handle=1744,i,3473140515680363867,1301471796933442936,131072 /prefetch:8
    3⤵
    PID:4844
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1872 --field-trial-handle=1744,i,3473140515680363867,1301471796933442936,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5640

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4104

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2272

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2716

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1588

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5072

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:468

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4540

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2400

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1232

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2640

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5076

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4860

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:560

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4688

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4356

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4252

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5060

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
PID:2532

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:932

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:472

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
PID:2304

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
PID:872

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2912

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3652
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 924 928 936 8192 932 908
  2⤵
  - Modifies data under HKEY_USERS
  PID:5420
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
716KB

MD5
5ad8cb35872f7ec0519922c2b5c2f504

SHA1
e12235e71a1af4ad5d6ec553b023139fb96c24db

SHA256
5ea60ad8821c19b67853f35e7c042b4dd8e2739cd1e38f81b6cdc52cba5ef7a6

SHA512
b27ad6693fc806d12901a2903aad590fa599805f7e15623778985f7bd7c8b120928f86dc878e8175cb27d6ba73080a78731fdffd1e8f6bd81f4f2ef8e56b9d9d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
279ee41c69b060c88db41a3a54993df2

SHA1
0d0346fbae8cfb9028573a232a6109ee5050ff4f

SHA256
0c0f2198188b6550fdff66dc155ed8725de3d973ac8d7b2d1156b320f2d45083

SHA512
4f7e92d5fc3902b9729bf44c3e4ef03d60838cb1ab360d6b2a2a0573203ccfe6aabaacdd14e911bbdaa56a76d7b3be75c94c8fde6cd4e1514272c1d9b7962f43

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
244KB

MD5
82053e0f60d43f940abfb992dd90fe22

SHA1
0534a5dc4efe82f3a884134073e4df8cbd83c504

SHA256
886069fa8f97778dc39cc6ab1b3cdb2abf9ac510314425aa014c467cb6010774

SHA512
1e0e9f3ee13f9e7a8e26efacccfd17b43233fdeaad59f4f134c15dd2a962064e1e69886dc2d8083c2be6ebd14ef10a780c53a5bf5ae2c6ae0f80ea11ae9851b2

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
350KB

MD5
a7fef02fe125d801fbb2d18603fb8e1b

SHA1
f9099a3c850f963090270be924b16bea58d3d75a

SHA256
66452ce51bb82e5143f6ed1fca93a3848a0a5c7190f092737bc4923ef43a3fb3

SHA512
8d82cb4e7d30d07e95886d66d06cf0979d1493b0c76234e4ce2c7fa59af6a68ab381e64dff13d8ac36d9e241b3036dd83d6224296912022426e4cc43157ffac6

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
590KB

MD5
dc2f7c8c4766e7ba24a71c5897a589c1

SHA1
dc1e1f69e19afab207649d401da3e6f2b82db1c4

SHA256
b74de4f60f6d2cb22647fd77186539c6454adfd4206c059f7f755d5fe7d99b55

SHA512
df1e80c5770fdf65baff254039d485e7cbead7e743511f2e2fa7cb585e2f748d59468c65b6e10796e36e53f27e368d97faa6d9b9d768d27014a34b50266ff157

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
442KB

MD5
465a8b10430183de3a76e60d73e4769a

SHA1
004f0aad231a0df79d3bdfbeb03b304558dc7bb2

SHA256
86de42f2ee0360bdc6088d0e65983e41de501ff9508467211d2e2386701355cd

SHA512
541a8c9bbbb798703657ce2b99ab83f3fa4300120281b05b6de96beedf68b222adea0c30127f634797e7e8293cb655de1a5c9920a9babf5e6de1cfa270e88aa4

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
570KB

MD5
2f7b6ddb4847806dc5eedf3af7bb57ce

SHA1
46e39f72b195daa146338e8fffce04b235099288

SHA256
7b271e3627b82dd0fb500ef9b9802290f83b21c342eef325f6db5d7e0e188787

SHA512
5a600fbfe3551408ca5c984c6395a978513135744f6933f964f425adaa6f2322b2bcdc03d6cb41addcb6d33c511ba63cb769a6479c1a41b63cb299104f120dc8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
323KB

MD5
e3b5c0e92d3cec1d984f0b7510715fa2

SHA1
bf671a7a1893d37fcf35fbb9a0e03a419c52475e

SHA256
ef01c80f650510514cfac2271fb75c68e4220b230c61530e362758a765147747

SHA512
a147fd69a77fed959046f78186cae40c1dc17d4bd4eff1e3fdf3ac13570faab4c009854499c1f067936a1d1ea9b851f9d2c51da92ae8d487b1a1e6c9a1b27ad2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
407KB

MD5
c6f35d20d39adaa8b2e190b5e79e9ed6

SHA1
d78b2989ca9242ef2098cc0d0e9f127a27e76b90

SHA256
daa8fcb149099b2debe3de186ddeb402cc76527489b5f0c807514803dec40a8a

SHA512
6a826e4b3b93d8580ae123dd59b2c99597eeb91adc5c0008fea0d654a5bc3d51e469f90564af1029759e9a7496e7afc5fafe7aa73178b5dc524a5f437d4e147e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
260KB

MD5
084d97cc36aec82b9b364736b6dbf2f7

SHA1
8a69e6af570252f5a68f79707d311b9e095e4e92

SHA256
b0c28c0866d0fc254d9d0b5676c40b33fbb9969957593a1895f0bdf4f1dde0e3

SHA512
41701f828583d8b53bc6de830fec12eda156e3224deb8f719f8f0b2bbddec65de44b1e2d51abb2d6e2512b3bb8535db4da4d510905d7f03293c81ea2594a1a18

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
221KB

MD5
d119271d674c92062ae18c3b8c0721e7

SHA1
b69588c1e0c4bd0738a020ce224d87caf348be0e

SHA256
745a5e9d8c044119c78f5034bee4d9ee80dca2173006a0fc800838263f32e012

SHA512
a069ea8cd87c334a911323e5f3cfe523bcd4cd8adf2b17387d47b3b2e7058a36510f2f5413b83ab773e893b069a72af1c0fc63e0602a7f37b6548f9b1dffd362

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
482KB

MD5
b316ea4ed4f843dbc069129af9a66ed8

SHA1
b3f8a8a729b24eb9b07ca7c407c55639a9596f54

SHA256
976f3ab03734aa5d498705d3557cb25aa042821ab3af6d086909076c99aa5a18

SHA512
d9cee20ddefbd22567e7ed95f519ed50e97a0f14ffef8150280b2faeb45fe2bdc6a65ad26856842c1bad4e420330b314896e52289c3ab9e68838afa6cbe07bc8

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
305KB

MD5
2bd515bf833e28efea7487ece58806c8

SHA1
8592434fd8116000c5ae165224da06fc10ae6e8b

SHA256
7ac22e8a812830d129903b428c5d9025c7f395a9104dd3839a9716ef3296eb4f

SHA512
70d17b84a8e14f71d3aae680120368714549964e2874735ccea2ab8f79309cb7bc2c7ea20c288ae66060b23179b4d32918c1aba30184819c3bdbd39fbcb25d46

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
276KB

MD5
8a09455af8a3911cc979e5210e6c232d

SHA1
f5c00267ca52950a177ec51f4f0d4eb4da3a7214

SHA256
d3b3a39c5c66c9794e68a86122a71d2153ef6ec656fd595766e73526d297d9f2

SHA512
70eac37f7e476963f46042f2841c1743cf1e2c9c5a66b3bbce29a8753fc8eb10d7fada29093d98faf22e9d2df03692129ddfe225f9725579902001bb5e3594e8

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
319KB

MD5
81616cfd7074e796545feace91e298d1

SHA1
ad466dfa0fc4155bda695efe32f786901a27538d

SHA256
5bcf92d93ea3bf4cf3c1fbdb8bb2ff51fba360f217a69d1976b7a799fc459046

SHA512
5ac431abb65bf94ad48a54691d1284cfebc7a087ece7cde6fe0bd91f6e4d5b73cda5dc6a802beda7077a44f7d701b821020caa7c0a712e9090a89de789ee9bcf

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
202KB

MD5
16b95dabacc7447684da0a4418e850ce

SHA1
db89e592b70e92cc82a2a88f1752f72b12120d15

SHA256
a6f19c87c362559d7e0ceff3fff40ffa6ec6ec80d2cc4d9d08c41b50051029ed

SHA512
adfc4eff3337409852dc60635c83956b14703c78d7026b718e02bf2dc206e34b10e610529da61dbecf7162feed84f4469926cf59f72e4617f57f3bb1d0b6ca0e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
559KB

MD5
d332452db541d1d81d692ed1768f5482

SHA1
5d0e834c554d045c11df092b2d05492ca98e7de8

SHA256
abcd36a48495dae3d007e811b17f2d16d3bdbb960fa5ac253079daf0d0297695

SHA512
59fd34f5bca551a515161488a6452f79481f82421dd40e3428a2d6f3c2dc0d4586d64d66702c87d968264ec22bc526d47c3e8331c0902d1a0da6d341442c6359

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
466KB

MD5
e0b5ba751d71dcd112c4341a3e390128

SHA1
bf75a85b9fe0237e2aaf55e2071f091e25c4c9dc

SHA256
d988b80ca33ffd79c38377049d8812adc3f6692fb584de0b7bdfc3112416e8e6

SHA512
e5f51974f2e77d32ed74a00525cf25a758f836fd095c56b52c80fc7068f386fce5f7902b2ddae7a47c7f1d7e9b133ce25a0c213e843c6a1ab061eed391da4d33

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
222KB

MD5
cce8d2db3b7ff51d11097f3fe7d5e0b0

SHA1
4e2dac9cd646e0543f61d562182a4a853eac7032

SHA256
5b972f058083a41e34000b79ccb1a41263a094e933af291dba5fc7e6bbccafe2

SHA512
017453da2b11b86b73215f4d2a8d77315a33398d392b2eb9e89af058dece5cd780cfd514110844a65dec83b9e30b83307179013730a7b353faef65cf14e9eb82

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
242KB

MD5
e99a7a67cfa5303ddebd3d910dc85580

SHA1
24b5312441ad0ff76c23255304f93bb82cfd1605

SHA256
99be83f14a32173ed1a2ba6ad3f42ac74c28055b97ba1fced8de138bdbf05251

SHA512
1612fe6eb191b43f09ef872afbbf2230e6c13758c0f92ae4ceba6dd4b625798d261a3945badca4f542f7d1433044c551d26c9fe8c1dfe60fc72d7c64a0598816

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
320KB

MD5
3adcf3fc953815d037788df70ddc7335

SHA1
2658902711deea6b20d9c187d4622d54227867ba

SHA256
443522fe34586074e8f5fed9a3d7cf26fbdac7d93742efc5bc68d901caf4d1bb

SHA512
bff3ecd92cdb8f3ffe6b3c9314be24df2dd6460dea7eebd971717b3b099d67b6908a966140a3c8b386fc9264c4eee77f408155d922d52e4fa2b852f6e4be51c4

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
249KB

MD5
66328dd2d7d80b8c6e0ecf2ae078cdaf

SHA1
f64fdfe4b8b5225ec80bc50d26bd94ada703619c

SHA256
4f0163745193d8b31c4c68d2093ae7728e56e5de5dcbb2ff5a090b70233bc48e

SHA512
2bed4c77f56721a964d616a9f5ab40cc817de594a5cf3b24b76685ad1945a42917649b81e789c5a3a79e02b9f0f568b566ca220bee20411fa9518f1031ef04a6

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
104KB

MD5
7717b61b393839b463d0ab18aef2c1c5

SHA1
4607aae7fae450e73f370a853b5e80fba674df33

SHA256
23e5cb26027c259d6240830d17fc3c44c2b427a62a3187fd34192431dc0242e2

SHA512
68cfc8bef95af33edfe6a980ff37f8bb1622bd65668e872226909209397d153dc6a74d58ce03a59b116ff1b35ed6d66de47f7fca52a1a5e3d8b354e4c9a2979d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
376KB

MD5
60c948bddb0076845e261803aef0aa7d

SHA1
34ee5b4911a07377715aaff2a39792bce869ea0a

SHA256
31dcc98f519e737263c9b74a1335614f3a0fe3829b7a46e727fc54a2a9c826ea

SHA512
982e3741471d5599886820203cb913fa72aa223fb2bcf00ceb2681abec2c0058fc70ca8ab712288eb99b596e93f02326259bb6f220f143199ea3da9423d241ef

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
368KB

MD5
4ac6892fd22174eb9e641567381a6303

SHA1
6f27ce54f5a808fc1fd43351001af0dc24b8fa83

SHA256
d1b946ce7bf8f6a069eaeaa149a34b9809041d2e33b2a6eae1a30e1b1e66ed2c

SHA512
ea4dc7ee615118655182ac90c37e7670caa0f4be8e845a06b8ecfc426c50b33ff9976aeeee89a0cf1978192720b69ae9880528f97ac99d22fc060f3dac723e13

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\90e6c02d-9adc-4e87-8656-1b7c441c3340.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
350KB

MD5
1a48e85aae2cf973dc770e3f75da1202

SHA1
025dbe0562e730b4a12fa64e728d13c7f6db8535

SHA256
c25305a0580c538ccd620b9542567a8bc817c09bbe4d39585b30e9000d8257f2

SHA512
c600d4117155f83666a09637873d6c1875371d8255debe9a43448153e24570c32139d265841386e73da54d92244b1f427d2767640f5cd58d0f7c967764bf44b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
bb2cdf82802bf69b297c9fae3fa48e85

SHA1
f26dbf7984929197238377b2b3e37f974447448d

SHA256
29998264d3f24068d6705e32cb6306f042797a0025aaebda57b3c581a49be0c7

SHA512
00535865805747cb5fe10f4f67872b52e94fd0ce51937f94a7662254027919b13df4af538557116cd4a8002afbeb295c601a79d5e64c8d2d2de9cf377eba1db7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
ac63690b8634b2b274c6fdea9ccd5238

SHA1
f5da6a720f09e0ee97b6addb660f9a0a16ba387a

SHA256
eb705d5570e3d9edc0198d6667f8b916d40cb4020f6f109e922e9fe6a803320a

SHA512
bb4c79df8be34eea3b890da0a59eb1aa760346fbfc4a6d06e50be285b16cc30d7ac9187f8addb834ee2fe7389c4ea81501bdfe1dfa8d59e0433c1ec50f0e4e79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
1eaa6d03e4538a7fdbe5dc352270aafa

SHA1
591e4df583711b7c2ec76e75de2084f29f94fc42

SHA256
c4938b20e20da8bc41c2111f09e55d1a48a2d3786e55b51069c0bdd7a6603eb6

SHA512
a4a48d84da46197c44470089e7cc5ce2d4bcf18b5e842d8a4a30aeb05de65480ed877db1c5117104c760e31427fc27984aa73234c4573883ed4cf4f061a81ea7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
07c02e55faf8935458d9da9f3fdb3a76

SHA1
304630a68df0a9d29d46ebdf487196f85e0b69d8

SHA256
498a0a36730940c995f0d78c2859fdc2f6dc66892cf2fbe85f41cbdc16d4e790

SHA512
59738fc4894854aa15cb963aa72e9be2e18fd74c174a0bfeeebaef630e9e4417e5b86bce54c330a6fb0ea9d7513a027e9130f74015d9b506b1fbe40f0fad9a14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
330ab29ab4f8efc8c8756abca41304db

SHA1
586f3e8ed67284fa10bdc8603126860c56196803

SHA256
9905488344e765326bf8a1f1418e6cd144369763e21564b4acd088e704d603dd

SHA512
982e37185471b964584aca0b4f13710d3b34454372ffa3a8dccc556e57446299f907a82cbd8e504aa1a6284ea14edf5755f5f78389c9f43b3b1670644da05c85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
3bc5fc0b91e6a97a0a35fe4151d9bc5b

SHA1
e24474b27f7feef5bb93874b2e60cc80f2e5074e

SHA256
6c2dc9bc160a27f2a77da13c6307620eb816b8cc7eb8cf3b40f7ddfd95881b72

SHA512
c0e695a449f008c9464feb0782595b977b8e01eae43e0dae511dcb01771baaf1672d60810601661226bb97bf62b4543911f8ea56af77bbdb59c1d9b58246a443

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe576745.TMP

Filesize
2KB

MD5
290e9802629398a9ba56cfb50ca5f135

SHA1
3baf9a4863eb4a435da55f93e82a8ebe7a9f0106

SHA256
bd3b2b7f2fb53d7f94ee52219c2d5bce2b8fc511ca64df36236ca30e77e74f2d

SHA512
4eb9a305aeea0b1bf7659dd87c24d251cd182b456b18b776f3f6686fec05586cc648614b8d9090685b7d023d61dfba1cd733d357e1b3962e6be9789b879f7772

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
c2f8a86ec8171a2a875fc0c4a7bf6507

SHA1
face1123d7ff2056744d891fdea7ef555a8b0b1a

SHA256
d079f3c3f290682b9c21f82fffdf3814ee003295a6bf484f51db0ad6c57fb220

SHA512
5314ac9302b6e2380131c21dc57ef9a58d68e60ac9fa2786d18a5c640b7e1804fe0d5111fd792fe64f649da9298364d9bc7027f7f79a6f520df5ac25e9917dd9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
d0f3cf42ef57ebb13140b6fc4fdd4436

SHA1
bcfa54847d64edec5602e512f000cd10694a816e

SHA256
6bac68ca6fa2a6c246a0e3108fce1bde61c74057e8f5720330a45c2214241b95

SHA512
cf32e6bdff93eeb5a27efd5fe7eed1ceb18317a31fb3276f05a033efce321584c3cbb819e5970c4f0e4755d3b987139ac03c599761c5e2c62d6219bcf7dd018a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
c80ce531cbda1e2ac17c159262faabea

SHA1
1c3f0a33eda198ddc18b264a99b826f20e8bbfdc

SHA256
9bffbe9dfe3880708e633afb5fbaa4f8617752f403e6dc919be5c9c3874dca63

SHA512
5eb2166e12412f8010994e7ccf37480573e01d21cad0128ec126103ba2e337e4de8d21d361b9f3a22b1f18704831b260698f88795e41bf0fc33cb8a531d341cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
823ce6a1eadb5007e0159f3fb992b5cd

SHA1
53d4a4e89b8ba88f98d99d7c098a77e7299c8075

SHA256
e455327cbaa5381832054f4d75949e31e637cdf6d8797413a918c90d2b32abde

SHA512
cb9634ba8c9e7f64b9f09888577a85c7822cb67ee8a1628e9075be03c0ce3c1aa7ba26c2fef837c6fe5d83999cfcc9b605f698b1e06a285ae3dbb21baf3947bf

Download Submit
C:\Users\Admin\AppData\Roaming\637950504d74bb6b.bin

Filesize
12KB

MD5
4ad3c572e129895bf9b7f74644e15caa

SHA1
b0a53ee1cb8cbe80f7c661d9b498297b449fc764

SHA256
94a4e495be28fb696d978d4a70a6d283abef598ca3628b3375dc0dec183385ab

SHA512
4c586861584132514cc43c5c8f7177d44a6d3bbb7fa05b72a79749f0796c9b13b18741a266b9c2e7db15a7dba9ec2709d57e47eb417281608eb7a075408d8854

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
76a8c9088ab9665c68f801dd9995203e

SHA1
0d16e64e889f6c96be7a9380ceb044e6471accbb

SHA256
6895c15d68d2bae7057e42adb31c15de947c3d792e5019ce5b0b25df97b226bc

SHA512
ea42b7694ee824d5cda9fe8f159a18fb2aa4fb7c36bffcc01216f5d6ee4f54525b503869f15c87550d4bb725297294f3e57c66f48878782a125a760372e50c73

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
510KB

MD5
f01dbf555c20513987ecf41824f5288c

SHA1
f0b8b3dbfbaebaa3714cdc99562e76dd30c2ff3c

SHA256
c55c03c2511b858db64f3999c6e717cd6cac96b8d8618b71ae21fa21ab18150b

SHA512
4c7cadc694b6a3e39b96858e72aade581ec19d8a2cace55f64ffabbae8b2113bfd5047c78c75e8563e63e85b2759fb2f5ff4e3c86da2b07298ca92d866d16077

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
6cf6c68a1734f4dffdd56534e5b196c7

SHA1
dc7094aaa035c69e307a1beb30c764d344a85625

SHA256
7fbcd9d57095b3feb836bff78abdbf0cdd6faaed5440558dc1a049bcb96a09d3

SHA512
1f3feb25d668902d886bf1e24999b21e5549aff8d1f0bd1ddc2aee3f4e72cf74b10a712813d93d42ddfcc495c5499bb0b2a1450b099f2d7e4ba5ed645ee7d58c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
863e87e798f1037f18878b06a472ee27

SHA1
efd157fa34e3f5cb19bae63835ded81722012692

SHA256
b819ef7ef2f6c7d8115bc91657a8afa40bc65d10533e8c2a1ff81bf8d7d983f3

SHA512
a8bb6093158e34fc2240fc52bf6e9d5e434024135486946a6cb25d478e4a6ffdd180b827c040b5f2af1ef73269ddc10c46d55d529c515fad1026166078f4a578

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
b888d3be71924402136ffd3df9b5912a

SHA1
18269e2fdd9401383175758581684ca61b127b91

SHA256
c538ec82a191733020f98932540e0a5b7a9776a285391777cab0e87941e2a62d

SHA512
dacdf5afdeb68e59c63d9fd865561a09aaec8a9fb5c986c35bfd41f2a1b2d0540fb28255e87c9b8f8467eecdff3b134220e59bcce0f243eaacf1b353f6b3bb9c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
493KB

MD5
e99f0aff2268a19c14fe94a567e92171

SHA1
21af71b12db0540719f24d0af371f27bd84e66b3

SHA256
2f76d78989965cafac7fe4bfa7bae0f7877c8f5bc9325dcd54a33bafe51c2888

SHA512
36a0b74db1289bda3a4fa1d94be07eefcf93b063e7b588d7c540d0c6ae83278d00ab67b723775cc09aff0adc9f9429a5d4e088020c5094973aef61c8618818f0

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
408KB

MD5
092306a28f3f26c75873b87aa70d5ed4

SHA1
ca0c4338276957f083560e9156457080de11efd3

SHA256
4bab3cc6b23e79ac07a322adb57ddc00fa23ec0cd33b0778f9d9d02de4275423

SHA512
0999230afd143b7086cc2973f64c10b29f2a612371ca9de4acf6e705b29e8e8d063ffdb1fe83bcdf0327619d0c96510f8ade515f7d359ad19d5b13986bf053bb

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
9fb17a92eb0978f687c1ef3b1715f509

SHA1
9d952d1e32d14e4af96aac929127280fecccdc8f

SHA256
7ea6bc8535c64cf0826e7fd747abac5149467a2efb71e0b9b5c6d7f2d3db3663

SHA512
3964eff9502bd1d91fecdf2e1f192cdc606327e8785c6820470c871d9175c66aa8977949f6177811eaabfe01abbc1f85b49a30861f6ee04bd0bc2748c7ce1a3a

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
388KB

MD5
613148878f14c83f36c2c3eb5a6c5dbe

SHA1
ca13f1c3b923068a5857f38f6ecd04e713814dbb

SHA256
482a8ad866806251e32dfa589e1f02f7b082552f5edb244b93656336db5e7ae2

SHA512
bd87cd46219e506e3a1387c7771628a041abc606028123a663489ec45af3128918d446978c360a4a27c1bfb991b44545463231195141005f97d812c797633fc6

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
745KB

MD5
b032b00b3982f0aecc7b0d8ca9455991

SHA1
7e9a5ff1fa5cfe66c048b6615c60d9bc46bd949e

SHA256
28f8dd7de51d02420c21f3692094c353e4e2e831725a870137b950ea629e7bdb

SHA512
997c0f542565672919693ec75ce7401c3811f57a6f8dd9254c1785ab7a295525445b1281ac3092f8fd09afd6e5649eefab60dd5f7dd09dc10c5459511b5d15dd

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
648KB

MD5
802f3a5a2359269a8e0fd7e6f7e09d1c

SHA1
6135afc5de14f3d86ba188c464b75ec97bbefd66

SHA256
b51085c1015acadc892fa4e759d963f4eac65d6b4097d3dd1a4e2b6438d1803f

SHA512
50e66ba6cbc3aa8b810d28ddca4ae42706f1597f205cb533c1e316bdf6d2acd5027599f747aff78647a05e36a6cbc2ffaee4dbf0e47efbf189d1f963c267cd58

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
790KB

MD5
938ff7052a00a615279bb2cd9b81065e

SHA1
d968038214fef32462daeb3c9cf824144f9bcdf8

SHA256
0cb361194e1fad3aa1d4d6875e66e8a1533abb24150790fe1e899aed81c5ee5a

SHA512
143b35fa3a4df1ffddfd1419807119b577fd98d0a4cf33bb545cf72b9e812ecf2804b831a716edc5b3cc6e1cffc6f48b645acf44820e9c69f841994dd70b48df

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
592KB

MD5
511ebe5f4e8b3bee582fb74c14c34de7

SHA1
372e72dc3f03f5af3f2adb3c34084ffe66816493

SHA256
673350fefda4a0caff1be5eff1d567ce639605bbce71d7788cb4f6cfa077db18

SHA512
39d493bbb6931d61024e40d589befb6a9f93ae1d81c3d9e81ef4a788984cc883abd2754fc3449626ed41f059cb67f0bc9352521011231171b045958f2e22eaf7

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
8e4c05ef58dcd333537f69d4fd5eead5

SHA1
4d99ff76a445bda6d7de3b3ebff6a47666de181b

SHA256
d32bf3ccf863a642f960196bb608aeba0811079f4f3f64bd67a8aec2e1d449f3

SHA512
476bdae6c8f19867375229d3f09baa6794bafc12a82538e1bca8c460feab6716a0ca58ed3af37ba1932549307760d5a15dba877b18ca84da240f976c12347084

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
c729e8e78bc94c512740695ff017cb54

SHA1
976e00fa249a137d19ac62e1fcca6cd6917cd352

SHA256
06d1fde502520673bac69dc9e9deb2bd2947a92df846913772813ef967f713b9

SHA512
ff0ce659a02c5b1091025943045bccb4bedae45faf9535155401551096b7226cdc57c1142062b910e65fc80b86eb5b1799a26cd0c0db389aa5eed6a2599565f5

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
ae1ceb3aa803bf587f3c81d287095c5e

SHA1
5364451c061f5a88787c9766d5347548742be091

SHA256
86b865cd16b36e4855a13aa1575177fe7d7714bbb6d63c6ac6ef653afaef8277

SHA512
5583d8f824e1c6ebf24609573a65a2ab5d4cebc7435f78f2cfb9228e563f6556787473b30bf7a577889a9162f4ca0e83ab226a04d2481604b0a8be7190260806

Download Submit
C:\Windows\System32\vds.exe

Filesize
567KB

MD5
2d59bb0f64d6e86dd5167a4ae3a7872f

SHA1
1841a2378805de8968cd66b99962622c2dd505c7

SHA256
f4edf222c80aed65397894a543e67be74762bab226ecf2f38a8c0971aec00575

SHA512
40a515f2961f777f4c1ab061fdc2ccebfb7a30f93b5d0e219ac6f49bd7b9cd62f0eca896bbc03173687723ff4d3c52a18eb1f51e0c4b17349cf15508c6b69ac0

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
257KB

MD5
2aac19c6df7b2f88f5826becad2e308b

SHA1
fb39742c270d4a8cde12b4daefd69af5b30dac39

SHA256
c4a1af11fb017b3f0c46144b8ef3e68e7f07ad33a6db042722004bf5d2513722

SHA512
31a387bcef4e208607793e24baf6a57cfeab522e051bcd69d55d1c42cd7f9da09f13e27c6a1aff9874dacf2d0f16dcef45bf29352802459e864bcf19ae0d89da

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
468KB

MD5
058e116a6131dd65bc6727f0f1a52f92

SHA1
f6b8283192f8e4e691f7cc0e75eb4d413bd0ff9a

SHA256
585dd2515281aa67fb74bf3d46d0084befba462a98a6f242bc5161bbc4446358

SHA512
7762b1eb3afa9bd3159b7425ef7d0e214f9e43e549ec16588294d604388b0703d52ee73617e1d8ff4670e0d0abf84b1c99deb103fafe049847eb55d833837729

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
4c673548cddb6b082f48537ce42f0278

SHA1
7077489247ee9e8640de79562dcd484db9f950e5

SHA256
2727141051205cc7df3e821fbc031eda6187e568a3507ee24d00062678d9d666

SHA512
6ccabdb781dc8ea917193221ee4a0b8b03f573eb0055470e68a5eba793e5a501a48ea3b0044780160ebd922b13159a23ea8f9c07d8956d612216291573bfdbb4

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
683KB

MD5
d9b0b50872f2e7ba824490a6f7fdbf8a

SHA1
e461f5048ffbfbe872f9059c4e26337006520e24

SHA256
6b1fc2c71f597e3987a2555143c116c6189593b559d67e35625a99b9f8ba9a2a

SHA512
0543a458db0a94cec8dab198ed60d9f85370bc5de39efd413859d9a8dd6ea516bfe05927f2898d35c5b729012b4e84075f34e56c7f26ce88d888f6bf4f0a1c24

Download Submit
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
655KB

MD5
9de4a2a38b86a6141c2d48ded8222ed7

SHA1
6cd9b618fd6c683e9d191eca9645c14789b521be

SHA256
1352e851aff89b858dbb4211506f7057784ddf64f50cbc0e69c2b004661ce00e

SHA512
57acc11d2a59cdf60903bc301b8d1921fea5b2797c6ad128f069439978c4beb0808431863b755f4483236066524f708d05e8b2e17186000abde0a6c3eee8817e

Download Submit
C:\odt\office2016setup.exe

Filesize
454KB

MD5
50265c1ead7acb2cbf020b527473f452

SHA1
41295d3814678f6de52b7b1c4115663b7ad6b422

SHA256
652b6ca9e100ea7a88a46112d7a85d7a87e2f345ac95c55442cf90375f08d841

SHA512
fc6c376d07ff30860599d6a4ea147b868361063e914818d60cd8a44dedc56be2fe027098dd2bc66e6e7443db9bff05640140a3805796428e795f09501dcf41e3

Download Submit
memory/472-565-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/472-574-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/560-564-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/560-500-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/560-508-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/928-553-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/928-561-0x00000000009E0000-0x0000000000A40000-memory.dmp

Filesize
384KB

Download
memory/1232-441-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1232-449-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/1232-459-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/1232-457-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1588-71-0x0000000002290000-0x00000000022F0000-memory.dmp

Filesize
384KB

Download
memory/1588-98-0x0000000002290000-0x00000000022F0000-memory.dmp

Filesize
384KB

Download
memory/1588-77-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1588-78-0x0000000002290000-0x00000000022F0000-memory.dmp

Filesize
384KB

Download
memory/1588-102-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1600-0-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1600-34-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1600-1-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1600-8-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1600-42-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2272-55-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2272-120-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2272-112-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2272-46-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2532-579-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2532-586-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/2640-467-0x0000000000CF0000-0x0000000000D50000-memory.dmp

Filesize
384KB

Download
memory/2640-456-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2640-524-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2716-61-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2716-316-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2716-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2716-60-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2928-16-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/2928-29-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/2928-109-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2928-15-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3300-290-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/3300-287-0x0000000001FD0000-0x0000000002030000-memory.dmp

Filesize
384KB

Download
memory/3300-363-0x0000000001FD0000-0x0000000002030000-memory.dmp

Filesize
384KB

Download
memory/3300-362-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/3300-297-0x0000000001FD0000-0x0000000002030000-memory.dmp

Filesize
384KB

Download
memory/3332-326-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/3332-349-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/3332-319-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/3332-348-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/3664-331-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/3664-338-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/3664-401-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/4104-26-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4104-17-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4104-111-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4104-13-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4252-546-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4252-537-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4292-304-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/4292-398-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/4292-312-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/4356-593-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4356-533-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/4356-526-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4540-497-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/4540-438-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4540-429-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/4688-577-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4688-519-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4688-511-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4860-471-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4860-484-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/4860-536-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/5072-97-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/5072-369-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5072-100-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5072-108-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/5076-493-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/5076-551-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5076-486-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5076-560-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download