34b934174c2cee66d87f80d33bd1f3fe88f197e1a88daf7846edc41ef9ef4777

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28/01/2024, 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
Size

4.6MB
MD5

5bdcb48f84025cb3f24f229f5789666e
SHA1

6da21e77431edfb93aea7b1d5df4209c3f130854
SHA256

34b934174c2cee66d87f80d33bd1f3fe88f197e1a88daf7846edc41ef9ef4777
SHA512

c16daa23aa258ffaa66da9264bc6783103a35b69b2e4bfebdc33420e94708f538ddf816a221291cc292c0441f87423ba7dc97bbdf400356f219ec8f08ae7f49b
SSDEEP

98304:sVMGkCmjQ7ZmgFrg3LcQ5kVkc2v7wRGpj3:sVBQQ7IWrQbbzF9

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2396	alg.exe
4832	DiagnosticsHub.StandardCollector.Service.exe
3536	fxssvc.exe
3312	elevation_service.exe
5072	elevation_service.exe
1812	maintenanceservice.exe
1992	msdtc.exe
3532	OSE.EXE
1244	PerceptionSimulationService.exe
2692	perfhost.exe
4584	locator.exe
5108	SensorDataService.exe
5028	snmptrap.exe
4776	spectrum.exe
4304	ssh-agent.exe
1636	TieringEngineService.exe
3548	AgentService.exe
3508	vds.exe
2400	vssvc.exe
5136	wbengine.exe
5196	WmiApSrv.exe
5292	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f45b41836319cddc.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{5F218BEF-EA7C-4A5A-8DCD-3014BB946029}\chrome_installer.exe	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000136671e91752da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a29b42e81752da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e0a9f0e81752da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000fa80fe91752da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ecc954e91752da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003fc068e81752da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ecc954e91752da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
4068	chrome.exe
4068	chrome.exe
1568	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
1568	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
1568	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
1568	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
1568	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
1568	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
1568	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
1568	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
1568	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
1568	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
1568	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
1568	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
1568	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
1568	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
1568	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
1568	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
1568	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
1568	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
1568	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
1568	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
1568	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
1568	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
1568	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
1568	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
1568	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
1568	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
1568	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
1568	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
1568	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
1568	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
1568	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
1568	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
1568	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
1568	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
1568	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
4832	DiagnosticsHub.StandardCollector.Service.exe
4832	DiagnosticsHub.StandardCollector.Service.exe
4832	DiagnosticsHub.StandardCollector.Service.exe
4832	DiagnosticsHub.StandardCollector.Service.exe
4832	DiagnosticsHub.StandardCollector.Service.exe
4832	DiagnosticsHub.StandardCollector.Service.exe
4832	DiagnosticsHub.StandardCollector.Service.exe
2308	chrome.exe
2308	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3524	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
Token: SeAuditPrivilege	3536	fxssvc.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeRestorePrivilege	1636	TieringEngineService.exe
Token: SeManageVolumePrivilege	1636	TieringEngineService.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeAssignPrimaryTokenPrivilege	3548	AgentService.exe
Token: SeBackupPrivilege	2400	vssvc.exe
Token: SeRestorePrivilege	2400	vssvc.exe
Token: SeAuditPrivilege	2400	vssvc.exe
Token: SeBackupPrivilege	5136	wbengine.exe
Token: SeRestorePrivilege	5136	wbengine.exe
Token: SeSecurityPrivilege	5136	wbengine.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: 33	5292	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5292	SearchIndexer.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeShutdownPrivilege	4068	chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3524 wrote to memory of 1568	3524	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe	84
PID 3524 wrote to memory of 1568	3524	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe	84
PID 3524 wrote to memory of 4068	3524	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe	86
PID 3524 wrote to memory of 4068	3524	2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe	86
PID 4068 wrote to memory of 1500	4068	chrome.exe	85
PID 4068 wrote to memory of 1500	4068	chrome.exe	85
PID 4068 wrote to memory of 1624	4068	chrome.exe	97
PID 4068 wrote to memory of 1624	4068	chrome.exe	97
PID 4068 wrote to memory of 1624	4068	chrome.exe	97
PID 4068 wrote to memory of 1624	4068	chrome.exe	97
PID 4068 wrote to memory of 1624	4068	chrome.exe	97
PID 4068 wrote to memory of 1624	4068	chrome.exe	97
PID 4068 wrote to memory of 1624	4068	chrome.exe	97
PID 4068 wrote to memory of 1624	4068	chrome.exe	97
PID 4068 wrote to memory of 1624	4068	chrome.exe	97
PID 4068 wrote to memory of 1624	4068	chrome.exe	97
PID 4068 wrote to memory of 1624	4068	chrome.exe	97
PID 4068 wrote to memory of 1624	4068	chrome.exe	97
PID 4068 wrote to memory of 1624	4068	chrome.exe	97
PID 4068 wrote to memory of 1624	4068	chrome.exe	97
PID 4068 wrote to memory of 1624	4068	chrome.exe	97
PID 4068 wrote to memory of 1624	4068	chrome.exe	97
PID 4068 wrote to memory of 1624	4068	chrome.exe	97
PID 4068 wrote to memory of 1624	4068	chrome.exe	97
PID 4068 wrote to memory of 1624	4068	chrome.exe	97
PID 4068 wrote to memory of 1624	4068	chrome.exe	97
PID 4068 wrote to memory of 1624	4068	chrome.exe	97
PID 4068 wrote to memory of 1624	4068	chrome.exe	97
PID 4068 wrote to memory of 1624	4068	chrome.exe	97
PID 4068 wrote to memory of 1624	4068	chrome.exe	97
PID 4068 wrote to memory of 1624	4068	chrome.exe	97
PID 4068 wrote to memory of 1624	4068	chrome.exe	97
PID 4068 wrote to memory of 1624	4068	chrome.exe	97
PID 4068 wrote to memory of 1624	4068	chrome.exe	97
PID 4068 wrote to memory of 1624	4068	chrome.exe	97
PID 4068 wrote to memory of 1624	4068	chrome.exe	97
PID 4068 wrote to memory of 1624	4068	chrome.exe	97
PID 4068 wrote to memory of 1624	4068	chrome.exe	97
PID 4068 wrote to memory of 1624	4068	chrome.exe	97
PID 4068 wrote to memory of 1624	4068	chrome.exe	97
PID 4068 wrote to memory of 1624	4068	chrome.exe	97
PID 4068 wrote to memory of 1624	4068	chrome.exe	97
PID 4068 wrote to memory of 1624	4068	chrome.exe	97
PID 4068 wrote to memory of 1624	4068	chrome.exe	97
PID 4068 wrote to memory of 3644	4068	chrome.exe	94
PID 4068 wrote to memory of 3644	4068	chrome.exe	94
PID 4068 wrote to memory of 2272	4068	chrome.exe	93
PID 4068 wrote to memory of 2272	4068	chrome.exe	93
PID 4068 wrote to memory of 2272	4068	chrome.exe	93
PID 4068 wrote to memory of 2272	4068	chrome.exe	93
PID 4068 wrote to memory of 2272	4068	chrome.exe	93
PID 4068 wrote to memory of 2272	4068	chrome.exe	93
PID 4068 wrote to memory of 2272	4068	chrome.exe	93
PID 4068 wrote to memory of 2272	4068	chrome.exe	93
PID 4068 wrote to memory of 2272	4068	chrome.exe	93
PID 4068 wrote to memory of 2272	4068	chrome.exe	93
PID 4068 wrote to memory of 2272	4068	chrome.exe	93
PID 4068 wrote to memory of 2272	4068	chrome.exe	93
PID 4068 wrote to memory of 2272	4068	chrome.exe	93
PID 4068 wrote to memory of 2272	4068	chrome.exe	93
PID 4068 wrote to memory of 2272	4068	chrome.exe	93
PID 4068 wrote to memory of 2272	4068	chrome.exe	93
PID 4068 wrote to memory of 2272	4068	chrome.exe	93
PID 4068 wrote to memory of 2272	4068	chrome.exe	93

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3524
- C:\Users\Admin\AppData\Local\Temp\2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-01-28_5bdcb48f84025cb3f24f229f5789666e_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=120.0.6099.200 --initial-client-data=0x2d8,0x2dc,0x2e8,0x2e4,0x2ec,0x1403970f8,0x140397104,0x140397110
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4068
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2160 --field-trial-handle=1880,i,13820046733421510742,11714314762337593251,131072 /prefetch:8
    3⤵
    PID:2272
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1880,i,13820046733421510742,11714314762337593251,131072 /prefetch:8
    3⤵
    PID:3644
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3032 --field-trial-handle=1880,i,13820046733421510742,11714314762337593251,131072 /prefetch:1
    3⤵
    PID:2556
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3008 --field-trial-handle=1880,i,13820046733421510742,11714314762337593251,131072 /prefetch:1
    3⤵
    PID:1828
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1676 --field-trial-handle=1880,i,13820046733421510742,11714314762337593251,131072 /prefetch:2
    3⤵
    PID:1624
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4680 --field-trial-handle=1880,i,13820046733421510742,11714314762337593251,131072 /prefetch:8
    3⤵
    PID:2544
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4568 --field-trial-handle=1880,i,13820046733421510742,11714314762337593251,131072 /prefetch:1
    3⤵
    PID:2884
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4820 --field-trial-handle=1880,i,13820046733421510742,11714314762337593251,131072 /prefetch:8
    3⤵
    PID:3660
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4700 --field-trial-handle=1880,i,13820046733421510742,11714314762337593251,131072 /prefetch:8
    3⤵
    PID:8
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4580 --field-trial-handle=1880,i,13820046733421510742,11714314762337593251,131072 /prefetch:8
    3⤵
    PID:2928
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:1968
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff64f837688,0x7ff64f837698,0x7ff64f8376a8
      4⤵
      PID:2824
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      PID:2448
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5064 --field-trial-handle=1880,i,13820046733421510742,11714314762337593251,131072 /prefetch:8
    3⤵
    PID:3116
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 --field-trial-handle=1880,i,13820046733421510742,11714314762337593251,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd70ea9758,0x7ffd70ea9768,0x7ffd70ea9778
1⤵
PID:1500

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2396

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4832

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3616

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3312

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5072

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3536

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1812

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1992

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3532

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1244

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2692

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4584

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5108

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5028

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff64f837688,0x7ff64f837698,0x7ff64f8376a8
1⤵
PID:3592

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4776

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2124

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3548

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3508

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2400

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5136

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5196

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5292
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3264
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:3516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
630KB

MD5
4a731deaf47e89e30456e96b395302a8

SHA1
95dbf2e37fc6adfbcab42fdaaee589da53bdfebb

SHA256
e85b73c53ed02c9dac4c3ed3585da63966d8b394a2400da993cddabf759b1f9a

SHA512
f471c8443a9f8b81d212e4191cbd6e7d6074aea9e002f670668f7a01537e239a5b94ea24337cdcc09a125354261c2b13ad20e326035c4b2521bc0174ef2159e4

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.1MB

MD5
dd0996c653df271084cb769c6a14d982

SHA1
d532684ec4cf9c87aa72b3a6e1b127dd6918c061

SHA256
d3ec0a0a829f512130945ae5c676908cb99258145dfdc48cef65757a38962f6b

SHA512
caa96427f106235848165cdfd5d4cebb10fe5530936201f8f1af2db0d7de6a472c32884e137d7b9fb2e700be7d0373c6d1c29dc5f3a923470c0ac567a9290b70

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
58KB

MD5
a9b1aefa44e2ad1e76d39a83d22e50d6

SHA1
3a4b65667fb6334e7cea8b4c60acdc6e88ee444a

SHA256
a65bc27d0b4bd3f6c1b89ca74ab631d84d60844c7c6ec441235bb55858834d8a

SHA512
ddee61dadbf063b038021ec3d0fcbbb8bc1cb5ef5ee09da48b48dc4dbfde9dfd7b53d7ee93b6bde05659c7b7d406c6f88b9ed161215b3f02861ab3846d02d765

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
675KB

MD5
88059d3b7ac5f269d9beee7ccc78b8c7

SHA1
abd7a920df2ac7af52ea31d770d13fa80fb750c1

SHA256
3c66f867c6c7c059304c905d47472d0f041724a7c87f7e4103f216e3420cfd97

SHA512
5de722c1d979e02ffb779070ec9ba99c775a49848f27f684ea456143474cbe4981340bbea28b7e4e43ca3ebe0ee7960d8020e85d14a643f19d9901e7480c3e29

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
692KB

MD5
35263131c5cced483cccca941a82d17f

SHA1
09ac43b81a7140b059a5cbb3073e09d98be5e6de

SHA256
4e1e08a599c13a4fbb542d408fde754b57bc217f7a3bc1cf0de3f30bb9b98a9e

SHA512
33f8a36f11d6932bb1596d1b50965d71350db7e9107fbb1bb0f1070066c5ab77df551a92cafe1217cb4006a437ede1794f5e931e6a071146744d51fcebfce751

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
770KB

MD5
99bbcfe2981ad38623312cb817322975

SHA1
6b79c6142e313c1e125d2e4537b0030900cec883

SHA256
3252ced1c32de544284875c35b47eeeca088e3682843fdaeaaae9a559fa7cab9

SHA512
bdfcbe5f1f96b1164c3dff6deb63fbe96989b7d89bf9300d26436d85789f309776bfd1f2e248a26fecc70df087e2c92def36ebe611483451809b18c91bc13cfb

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
6b72283a2f54b9ce6f95e5ccdd7e1f9e

SHA1
1fc09192d8220d43eb13a5ce0386c0b0b751511f

SHA256
cca6344c92c357536fcdc4fa4b9bf4c19373f0c85aed0501e6595305d1d852bb

SHA512
003b3dec4db1507f125feb43757945fd28776cb64329643b09ae3e1fb629f3cf084a097c4f441d8957d2670dcec1f621d5554ba4a676826b4b6584e54cd2037f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
4066b19288b0bfdcc7b72181ed784c9f

SHA1
476966cad51b151c7c937e6b48c742c36e6dbc66

SHA256
0eb68e1222c3b9d42a222d52acf760dd346d1716300ead5d4e0a6ca2ab8a6a32

SHA512
4b3c55a8f957c0dd340cd5261a56382fcfb058a581aad5153cc4a822be2cd3c3dcf1ba07d118b2df66a93576aba1378402472975407a14a421c7c6ca14bb6e7e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
1.6MB

MD5
3f4624324f04fb6d5e4155740b1dfba1

SHA1
f2818459d1bbe44186ace617b86a5a5e6f17aa7c

SHA256
363c515e0ae390d3eb8cdab5fa7fa5eda9689dd57a32d7b79c279519c0d6729b

SHA512
b56194fbf9fbbb1b9aa35e5f81a028527742f732b21b6e41836bf083f929f50fcac407442ee83f911e6f51c655a87619349fc3edc1b857e7131be811bc740faa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.2MB

MD5
f969facc7f9bbd00bb18486865edacee

SHA1
ca101f4a7cda42e15fb0d24bd19da65cc0fcf80d

SHA256
c595c330048275c23b4aee781be41ba0816bf8b3733d69db6a62122f296040f2

SHA512
45755723e460a4f6431b46c3fbedb5fa158766326172aca3dd0f8f043f336918d1e57dd85eeaec9de216981da3c0607c4791814934be4580b4e023fb1f1338f4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
1.4MB

MD5
2ffd87f99e05df8e7abbecbac05e77cc

SHA1
0050906046d28f6d038c0599d6aa96dbc2e6f936

SHA256
7da1065c5b1e8d2db92564d60b244fae9d1cbbcbb5ea4397a3bb36034a04c13c

SHA512
8a2d733a1a5ed1ba17577fc7686556b1346593c4a5910d2cede12e7e649f3bc07fbbeeaf275ebd62a3104340f6e1090f1f9bc68881911166cffbd043a6905465

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
dbc95ff02ba1e2273e24e7ecf7b5248e

SHA1
b23067867899b5b8d422be6d90cbcd90cd1bed5a

SHA256
fb666e13731e1ff4b73bad6a0302437a7bf395261afb7feb29ca60f067fc7bef

SHA512
456f83999e8577e6e49f9a0f527ba84759d20f060b44ee5d75baf7ac18528048960d71b5c98c64b879d2e075b2917e5072daed4fc5afd7ddc907cd5f5305644b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
693e73bb8d933e9aee325263c76ce660

SHA1
55f37e8439108bcf454798929e964fe369032bf2

SHA256
7e0e40cd5db680b328b69ca61e010c24b401de99c1cbdbd94620bba188e387c5

SHA512
b2a4a404fe53b3f2da183bc3431be20cb296cc3e094acab4740d49efe8b1d3c4185db35d59e3380a262f851f41419570895f312fba95b2871a05dbeecdbd28ee

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
78d0b8ff14f935a4cf1cb207c96fd24e

SHA1
6a25e11b9125cdffbcfee4d42e350d71cc104d89

SHA256
4ace3d5b1568095acb672c616b63b7ce98c43295aa3eab7201f8910ab1c83778

SHA512
9d9e368615fd482c638ac6ae94568791e3353bb36d533abf7a076b336a72e0bdd5946f62c4e905d494bb325a164e3ba88ee5682d16830ad7d15ef84169333993

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
13563dce8329aed0ae12229b723d6c4a

SHA1
1d9935de0e335716ae16a74b959614c71dd1a24a

SHA256
6c170a9a751cd398fd753c866a7851742184669da30ecbb205d1940281b5ca82

SHA512
462a11138c2664b941811327d41e83e811ec7ba3bb12014143ce959addb3eb9cfdbba5129d097aca05881b20738b40884ed29e51375fd1c72a47b7520b43c730

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
542KB

MD5
fafe1bd69004541de681bc7537725ed3

SHA1
af1f4a0a19a0c0d40ec5929bc0b01be9f48a44e7

SHA256
2e3df33ac8f55280cd6eeb1973f5c272fe305257c2fb587dcb625895fdb21ae5

SHA512
89eb58f3dc4c7f246a1da7c36ac96d4d86fdcf8e31b448977e2783de0073849f0863571434577412d33195a159fdbf85cba4a3da1f46f5c118a5d6648f82eef1

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
866KB

MD5
68e52af64ed579e0c3e3eeac527ab35c

SHA1
b51286cd6f35648bc1326946f94ef59bc186bcf6

SHA256
dd7115e94bf73f888dcae473826b58ae6ad3e1471cac97d68c05b4af9efaafbc

SHA512
4af246e26f608ef68bfab5548450207c3900dd65ff5d610ae7a348fddde7e8b98ad35db5532cf4b4cc5b29744e74c1cbce21d817be227738f77e88750f3d58d0

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
589KB

MD5
68493f40ada05f2fa014c701b9bdd18a

SHA1
d0da2cf394f23d8f72f16f8e5bb80c0ca2adbb32

SHA256
001e73845d0f4e9b25803235f042f38f90b5ac9314e19f35a0d92347b3744cf5

SHA512
668eb609b890354d903c8b75f80c3feef96b346b6294c046592eba13af31eb81836415d925f60af83fcd33f3290b4acc1c0b4471bc45ab5da753ab208beb9aea

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
27KB

MD5
771c86f6295decee01e4507a6947e3fd

SHA1
2932aadb4d9bbc44412079fb8ae902557456edd0

SHA256
672e5d568f0dca0fb9058931276c7b2790c1472936932ef02d7454a16e6eb32b

SHA512
122b5715f0936d5992279ddb6244459b98b0fd469965b9a7f207c37470636462e75c4d6a0c29961f01debb714c4c3d799fa8da9cea92ade98b52ec091a5d7fc3

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
973KB

MD5
a72cdbe20ffcc57dddea7d39d049b209

SHA1
944ac3e0449f7ef31e152eab5c59d3e3d38f89f5

SHA256
d5092dd0bf5c5720ea46a45877da52ec268b2740dcab2b833eb3f7bf0c1e1db5

SHA512
ff320aa7791642a382b1e348aa5fc0da06d9f3a1d0cee2a7253e561fe66f2daf50652e488a558daa9f40afc394d6bafbf20ef32b3d04d5c6709cf866b9868c8c

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
460KB

MD5
86bc23964b16e16514923a4c96e45f66

SHA1
1aad3e4b7959961e2390a47edfd8ba98db93d497

SHA256
67390bb67ef6dd457adff2355a61c862fb6966f568e0ef7c53101a20dbb74d44

SHA512
ce9c590537aa75ab213d74ac3316155b4530f727612db4a453f1710fc06e0168d85dae14cc0bd03f9edc8889d882a87c08ef1b83b4c20c349a71bac6331a2c9f

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
963KB

MD5
1b6eaa34f13f50eff6d2aa58074d008b

SHA1
e9378c520b43151d0779627a78878a982a6f18ad

SHA256
e93b986e28efc3a92ee5272d050feb8676b3ff61399d0b47e29bdcc0b0729d9d

SHA512
4ac2f49e0bc6e3667fc74661a8b38e8f339a89265b0d35b1aca39d8f359395e47b30dc9beb1bb25ca6a3b9589cda091d4d2baa6bc5c8ebbcde737a678626f448

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\25ccfdac-d4d5-408e-881b-1fe7ec8f21ac.tmp

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
88979a1699fde16b4c698f9cd10ee87e

SHA1
8a61fb3cde8d379bb8a461a7be8dc2e93b5ad2f4

SHA256
d147732816cd1a5a493235680728ef3dd4fb9be1713d565f63d72c0cdbf1a898

SHA512
fe0de028e0285c3dd5c4e37be64c6a5985ead36423345de1eeb6d3f5d961a3a811e14878e9d3c42de87744be3b5ed32d07a78e78ce5b0eca4edcb6d84333e3bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
c3e1acc8a1852bf9c1fdfb3ab1280099

SHA1
095a3d88675f67e7977d704dde3d620d6e5a38fb

SHA256
7f1cc05d42cf1ba5b09db23272413b8d2780bef41d25aa12d6a0d5c0c330a307

SHA512
07b2317cd762133669fd46b726b9c951b092d5bc2bc9675abf642724eb9bd257e0179c4467ad4b50d23ecb96aa85a8fcaf3be3491af52f0399dfa02e59afb648

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
241a64cb0a08cc61b302a204fd9ae81a

SHA1
9ca79862ef51a82bbd1b480e726675f24145d4ad

SHA256
3993820f2b8c3766ea1f2f1c888e81134bd09079b6de1ad5d6d34b1e798577f4

SHA512
adfce70fca8b54c3d632bf27a8c293b345f6dd336a15001d03a22d64088bf0d664af0f4814e0fc937508673ddea4cbd5b87020b983fc66bedd35e4f27c71d424

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
b048d152844a06917c544e80c7e8d4ee

SHA1
18b92ad451db46d085bdf5e6dde6ec7ee83652e5

SHA256
fb7c9ef1d30a507b692068b4526c8c9b996ae13209b02e44cdaa0a95b5b68eda

SHA512
4ba23bf6dba0f73bd7a07f16aa303a5f6e5a417b273b8a605d22d0d7257b47af9e62e86b2a1ff44537ccddd9f9d1c7f4e891f5606f2510ad688e921a2f41e63f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
b11b7d02cd65f37f9de92b47402f7ff6

SHA1
a3bcd9b570937701ede8715073192171d3cedf19

SHA256
9182ba54f3260338f508775c9ccd492128d6fb207e0f11218860d3447e77fbd3

SHA512
a11479d9fb6d02a27b2b26d5defea8c8dbb68d1504a46975c8fa153099a743b5a356e522691eb1d4e581bb60cb29fde32bade7b5ff92936d9f27cd93f0877f81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
c6e168fcdaf8f30ab19640786d92025d

SHA1
a66fb547f6c90e8a25c64a332b439fb7a9017a60

SHA256
facb9e272ceec77e82d9990422b704459ae2d1728d91d95f9975d7b51045460d

SHA512
4893ba73842a1d6c6016db081fa580f8ca77a9520272d46b80df137d9517fd262f753d62d420a6f02af0afa61abaca4f91639ab10b81981f1912ef07a12ba323

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5795a8.TMP

Filesize
2KB

MD5
04decab333d93293c52719dd6d069d9e

SHA1
666ec4154ed6cfb6083b829b59329896fda40af5

SHA256
ffda1126708075502b138d3cdbb1b2ee38f3499746b56a97d7dd8e87397d25cc

SHA512
e151d35b3ce7e662e5440703bc1f05a65ec02c61a6ff39f47f970e5a8a092a93ca7fe8492d17078c895a528cd4d024ed52633a3aae2dd86392ed43638e6fac8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
24366a6d6f1ddd3c75f89bbc8beac2f9

SHA1
b5ee92b996cf59251f0464413dd5748b0db0eb1e

SHA256
1b253402833cd512c3f6da91a2be922beee8b6d9589c09925455d8fe0c2b15e5

SHA512
5d0251cc2d5a60d927a29bada36091c30a9150046061e6252e2da1d07f3769e1b9db3e8311b0b1248395a54179492f29c4b77f01d26da0b255286b1a31895a82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
053d75fe8a3c17f8dc905babc6e8b319

SHA1
0509f7c828d2a01f0bc2b7f9451a8c0513d158de

SHA256
21d25d9f63ea1cac0076da607a80ffa2929e3d2dc1fecff5ee4c1b7eeea464e4

SHA512
5c0fd5ed47267f907b6d6e152740bd096191791da070e31eec6d93b441e9ca4cd84ba7ac560c795769dbfc5b34dfd7a26938525a81e130000189062378ad1346

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
162f5206abdd7d510231354ba2025b83

SHA1
3fd06b06993263144ddee9b3ce11a6d27175818f

SHA256
1824a7bbdeb659aeb0d02b53031edaea273b2cd2f8c5cffe38f69850800638ae

SHA512
f67ec4811bd5c8601ba0f97fe62abbdee83b44a14f242862ecc93c870a016dec525d2b6b9ea02de24c04e8b5cf79e6cc7d13cacbdc5c4fbba72d30f34df0d18c

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
9KB

MD5
a3a71bb0c661b919b3b47de90f0c98dc

SHA1
ba143e4555a5d13ef57fd2f5ffd58b55d48fd923

SHA256
8b45f47f0714d432bd957b1baedf36789ce489eac7f2d48cbc6ae73498b44ef4

SHA512
abbf664013779d0be86daf9e6b928a4672683854360cf922675cc5438f47cd0eb3967f3cdbd189a587ff62d429d8d9189c50d07fe52e67bc60eb3f261c21a9cf

Download Submit
C:\Users\Admin\AppData\Roaming\f45b41836319cddc.bin

Filesize
12KB

MD5
3c0d0d1df8525f0a5a14cf78e4952e73

SHA1
478042b72bc68a2d46324c7ba92068802a41f9e6

SHA256
2a9a7c2c7abab5248b1cfab188f8d2d828bef5928899a8064d18db32dc65be47

SHA512
59bc105d3535ae2a861d289220eda37fdcf1ef115cd41a044b757f6a0e9a1a30e58c9c7d2d1a2f8d3a4858bb8757d49da861cd9a15c5b989a30af74ea7ed7927

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
1e657dc6afe3fb5e2893dc076c1a25d2

SHA1
a3469cacc063c3d9d771d6dfac9e0215506f0c37

SHA256
bc9540c4b6a574a90ceef0fb42cc9130afe49967865dd3a07f1bb631b793c6dd

SHA512
5b573aba28c20b6f644843c6a413ad8637dd433d419075120a21bd7b69866e987f0fdf51d2a1ee586de8ced992ff5336674c9794a9751ba2922704666f16f98a

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
aa98e1eff7a8f7faffd1a80d3cab3115

SHA1
20d292c975d752a2928171c908b3b292e59b2991

SHA256
e7cf42e8ba6610e68c91d03d9f4125ba75c1bae147f55c7a229c334fd6404658

SHA512
db6741025c091c1165011fc6984da7f22d4f520609e411b3ab2743d30b42e9c4b04faecdee4f73fe96c8f0f4ca7f756b4332e05a0796465a81e69019aa254546

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
507KB

MD5
59dbf592e37c81c3ad5dce056b926133

SHA1
2a0cb55cf35efb29b97b5f24c1eddacf16aa1c0f

SHA256
b66ba41a7600574a6e38b941410c95c2c03de748a38dfe6b55f96ee7a7dcdad2

SHA512
605ed346cc57fc26424f944731fbb3263223da32bf4d52345c7ffa50c25313b0e91e3d88e4bfbca09ef2e5fb04aae4c5adeb6c4a7050927e1c725ee73e1cbc08

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
820KB

MD5
e6ca8d58bd95bebfc0b6c09d8c88caa9

SHA1
20857fbd958a3bfc6452805ab00b4a4a82d8b8f4

SHA256
9b1a80438013082d6f65f292633b9c74333cf3cf264a2dccfcbd8194f2755371

SHA512
547f937bad1a54287b92a385a2a08b36da005c860ce4585dadbe29ba57573693a9c46d9f7b5ff7d246f2a57fdd604e7c2dc39f4f148583fc07062be74ae580e0

Download Submit
C:\Windows\System32\Locator.exe

Filesize
581KB

MD5
ebf5e3f8efe1f179fa0b5878de416265

SHA1
f808322bc71e295d9290093ea1cd1915cfad41bc

SHA256
c7ca65361c51c0c5be880eed3cd407195e9f4c7e9c7f71d615ca78d4849831d2

SHA512
b6dad0a1b340dc4ab7375d6016a76420c016350b801f7c1972a00e49787f3a2b62bd0bcaa43335d5ab0d36414f2b91a51963ccd63a06597024dd26e254460695

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
88f3831cab730975bf78e6766875150a

SHA1
14a65ba5a8117b2450e17357a62365a479408867

SHA256
24a27931e2a60156f78b9b7659869725066a78630a43762fdce1b5c002f4e07b

SHA512
71d1bba664cc16ff2e4907d2d8f8c6d446dd701575d4f3481489d38dcbc69a4789eab1aa637b1d6c41f7659dff3d32df8fb27c0d1d10abd32284f21f80a2c931

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.0MB

MD5
256768cfe5664ce89a76868e3aece59c

SHA1
7ac103c42d31838a16561c45c6949a96d4410f47

SHA256
a61120c40c8800de75e404426d3f8f5c7fc7654f59db60c37a7f1e32be02741c

SHA512
c4ab092db4f13719dd955704fa38a85cda28786aaa77143d84faf86ab5d4d8457a17fdcd8e1f145b0b4e86c8a664260dcbdbf5fa48d49d9f7b7bd77de5ffe640

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
a38ef1050777a7b7ff5476b3b7bc40af

SHA1
171636f7e3c9cfa56435cbd0e248cc43818e41a5

SHA256
d51ce02fb63980c5c1add4d91f687a7fd1a873d828573476868a9f0c723c05a3

SHA512
789fdd898104aa4700b74aec56ab9ab358641c6b08a889b961dedcf5297feef4d7200c72645b89090242c821d830ab6249373bf9a365dfd2750cd8848d313eb2

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
326KB

MD5
dcdd1b890646d773d2411d8e4aede945

SHA1
2f6d0de992bea8b63f30ce13cbdc3471fd6a6e77

SHA256
a2b37c9d65ceeaa3b8cc53b1a6df70c62c0ff3c6ede5ba399b51ef8fcdba7c1a

SHA512
70a11baa0c347ff5222107b2a51c8a0e83e7bd8789e0aad05b5fe14e0e06abb6eef3265bf9da848d941f124382f6e6f612b2a4809f8e0e5865c6b234ee1cbe77

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
873KB

MD5
77b105a62e861cc12492206c8f1c3723

SHA1
08b569ba01c4253b57f63375c43c001e742a54a6

SHA256
75b8cf1b1dcdb69a3f67894f218debb1e71e2d0de06a0ba9c243d8dd99b7948b

SHA512
1a83ef2cab25abfb639967fdb33c4471ec9d430437a4af5523072bf2b462da5fa76705bd6b53b7eb957429ba9edabf21cbfdb377879393b1a62e1412d7408700

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
57KB

MD5
9a4da9bd9573d728b34b6a256132058b

SHA1
d919a52b511cf2bbe886cbb993b7ff297a16b9dd

SHA256
4ecba7c163215b8b5714f513dc4e40152bcc7a51711511e039849c33101d15ac

SHA512
f32bf1ddca2781b65c5aee4d2080c26d26347bf93970fd7f9f0df467da47e31eb02911ef3e7cfa3a6c6d1c3de5396efd2f477574ac2eefe53a1c88a33db9a50c

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
70ade4ca3671ddbae56682e9524ff79b

SHA1
f7ce6f2c4b11e323ff03a00bb53b9684ad490369

SHA256
e5b679147acaaa3cc17abe4b75a2baa8ffa25891ea8f914382063748f121cc45

SHA512
0c6061de3abb950c817e4708e8549761d6663239cff9cf0afc2d63b3fd08284c6eccae458c6b82a1e86f0ccc8a72c984c4ef87c735c24d02ca904d66c6b6dfc2

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
1.8MB

MD5
32bec5bb2fbf499496cbf89ea223e5d8

SHA1
625e284eb44b3e598e59a3732bb947f374c9750a

SHA256
71131bd3a76a51b0dcd767e1c620d7a1ec1db1860c23f0c022ee9a09379f31f7

SHA512
36be5966e4f651283c94ea4964a67ead3882460f9c0549aa84614dc8c6cd761e2a85d5a98db02b82ec89feb3353be0a24d8ee57a3a5067c6766e79cdd6adb33a

Download Submit
C:\Windows\System32\alg.exe

Filesize
819KB

MD5
17acdccdc594b2f18aaaa0b272f5a65c

SHA1
d863a6fd79f277dff8f4dd46652c82e860d5e43c

SHA256
a17624eba7533522923cb04098a2162f7a49317b7cc4bd170960afc751db0835

SHA512
fd03b3f8037b5fead62d4a019f434f0001e6497034a424eb1120078e14a5f045ea470db5d3d15842bb6451ad0bc8895bc32de8c1441c49cc7b8c01a2656b2645

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
654dcefd359dbf8e42e044bb242d75ba

SHA1
4451d33dffd2c002000f6e04141dc91f86dc096f

SHA256
8272c9ef7fba24d6a984060c9d7aa12385fd09d3ff81cdb8496673540296bbca

SHA512
6eeba4a3d500d5dacc9a8d5bf0571c5078ccf817d99d37b2bf964fc5a7237a7b0619c57dd6a8dea313f5dae8bb46af39c39d9510ac1bde0ca481584f5511f1d0

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
211KB

MD5
df58bf844731b9dcdc03699e9f93ba3a

SHA1
590bbc70839e1d0eab82b2c9e0f96cf2375db79d

SHA256
1be6630d6cb42c6ab33f758ca779f1ce917cb893f9fa5fe5d78d318f383a4c43

SHA512
a502ae3c75618297a0ae81227fc967c2efb635feb64cc7a082107616e9bef1f680fba6332baf60c13edbaa261976d028d4b8574be112db8a968bdde65f653a80

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
4a0cbe6b05460f9ef7a4f6529d536aa5

SHA1
c4013250fba15c20426552a0121cdd38305b922c

SHA256
6df8e83c726c182f8e07a19160de7b68de64f206e69a07f45b5f7dc9db1aff56

SHA512
8a6ddfeb2bea198569fe15598305e277f96e6c72525abb9ff2f1f1b4450da0ea9ac9d1e3095758de9b8525307d3a004ca5f8a8aa1b540b05a1f94ac6660b41bf

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
297f4d61bedfed312a17879755a18696

SHA1
6b8e0e892520b837c1e862f279fdb2acc2ce1d05

SHA256
e307315ea646a1523b5d357c08962e6123f1322afe5274da77b52b8c59f2e4be

SHA512
0a74dc44a4361a295bd096c67e2f4ff575e48e21ab76875fbf2631dd53eeec333ce1e8284fb51f8ab0a4ef72ddce3cbca65acafc30f55e47562805551cabd437

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
1.8MB

MD5
6f726643d1b24d961453030310217f85

SHA1
6a37d58228d08fb8fc8053519aa6afff1f4ea828

SHA256
be85b85c94e58b6cab43f242382d16a828a1a03ce88385d5dfaf1ac94cf1269a

SHA512
bd777eb2222191d1abcb516531ded6913ce7bfdb68a7f4fc674e1334b7de22bb46f9ae9c7b5cb17d008c817c57a7ee403bdda8240c30e05a3bf61a892b424dc0

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
1919eb3d9d55cdf851e5cecb06c8639f

SHA1
61e7fc02615dae4c8d0f33b5a085e5e4fb9124ce

SHA256
4df78aed0261bf0a14cf7dfd00dbd0e2fa7ad5ad9ffaafbe7e32a56eee2ff97b

SHA512
d4e8b74b5b554c2aa66d09037a899485d147384e8e0f2c2972c7b56175a36e8057e5bd82e0c7f891654f8b3fc188cb1e38180fdd8db5fdd75245ecf18e6bf0cc

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
6b0261c34b54d107068f20e19bbc12e0

SHA1
a1f80586474316b2af252772caa57c2cae008ad3

SHA256
9e696f0c8c270f52ae9289a8846f54fff0657c9d41ac3a08b3e56cf0d7806e2b

SHA512
8a48efa1260145e130208d46f637d84c435a1cf8ba7917819f627ddf7028970bda60975212c5c9a1faa6934f6c0caf45d02f5359f5e14d00d78702787a44480e

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1021KB

MD5
31d64cc0fc295a88e9c87e9c2c25cfa5

SHA1
3c5b0db8c12b4220f9d5f548ffa95b112af8068e

SHA256
8be2c0dbb0531eb5eadb8bc8eec1080b601fbce2b0ac399da7e3e47e2590637e

SHA512
855e23f2ca6ef80f58747d37c679270058706c148d5412e281330519711c94f846150b935935a4105c4c5c919b4247d219e74975161a18d90c0e5ac84fb02bba

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
0b02101edd4ffc59f2a5b1b12b5f7c98

SHA1
3baf96806a59536fa7b700fdb581bfa7ab1d7d00

SHA256
91dbd4bbfe5615bd7b48320ff6bb106db1c214f16be31fb87e91860cbe883e7c

SHA512
177378bbcf35a07c139d6d8ecac419da883042ea89eeae5b31d5b6d1588c0edab7c9494de52aaf99cbb13eee5e6901f60730ebed91602f5cea80d2c9b12e8422

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
7d235c42cf2c487f688f04ff55799a02

SHA1
cdeaed776cefe4aac9486fa020ba20af44029f4d

SHA256
0ba12cc619fc56d2970c98a5477d6f938432b3ea789ed56ed398f6415eba2fd4

SHA512
9faabc8ea9d1786a3116bd3fcd74fc75f5b1dc2aad9bc40f0e8bebd20fd3c7243d518985da392ac2a44df224be319f49d0b270cf87686eb9736908fef29e2901

Download Submit
C:\odt\office2016setup.exe

Filesize
678KB

MD5
616b0bfad3c146c8a41998011e34662e

SHA1
5c449cdcadc59c4753cbc46c84f6c1205b3723c7

SHA256
58e482bc1570e609a7ecd87a1419f4ac96cdc7b2de514a3ac62fa44dd2b91439

SHA512
425829aca694cf2adce95132f3b1ac17945f7589af4f652cf8529430577419ead479446fa4b6b29a448fbe11c0378af05397b2d269922df284097c724f9dbbce

Download Submit
memory/1244-145-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/1244-138-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/1244-137-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1244-219-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1568-11-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1568-18-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1568-12-0x0000000140000000-0x00000001404BE000-memory.dmp

Filesize
4.7MB

Download
memory/1568-90-0x0000000140000000-0x00000001404BE000-memory.dmp

Filesize
4.7MB

Download
memory/1636-474-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/1636-223-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/1812-91-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1812-104-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1812-108-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1812-112-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1812-92-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1992-193-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/1992-115-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/2396-114-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/2396-25-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/2400-484-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2400-236-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2692-228-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2692-232-0x00000000005F0000-0x0000000000656000-memory.dmp

Filesize
408KB

Download
memory/2692-150-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2692-161-0x00000000005F0000-0x0000000000656000-memory.dmp

Filesize
408KB

Download
memory/3312-59-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/3312-99-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3312-96-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/3312-51-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3312-52-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/3508-233-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3508-482-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3516-487-0x0000021C92BE0000-0x0000021C92BF0000-memory.dmp

Filesize
64KB

Download
memory/3516-505-0x0000021C92BE0000-0x0000021C92BF0000-memory.dmp

Filesize
64KB

Download
memory/3516-518-0x0000021C92BE0000-0x0000021C92BF0000-memory.dmp

Filesize
64KB

Download
memory/3516-507-0x0000021C92BE0000-0x0000021C92BF0000-memory.dmp

Filesize
64KB

Download
memory/3516-511-0x0000021C92BE0000-0x0000021C92BF0000-memory.dmp

Filesize
64KB

Download
memory/3516-499-0x0000021C92BE0000-0x0000021C92BF0000-memory.dmp

Filesize
64KB

Download
memory/3516-477-0x0000021C92BE0000-0x0000021C92BF0000-memory.dmp

Filesize
64KB

Download
memory/3516-478-0x0000021C92BF0000-0x0000021C92C00000-memory.dmp

Filesize
64KB

Download
memory/3516-483-0x0000021C92BE0000-0x0000021C92BF0000-memory.dmp

Filesize
64KB

Download
memory/3524-2-0x0000000140000000-0x00000001404BE000-memory.dmp

Filesize
4.7MB

Download
memory/3524-7-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3524-0-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3524-28-0x0000000140000000-0x00000001404BE000-memory.dmp

Filesize
4.7MB

Download
memory/3532-125-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/3532-205-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/3532-133-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/3532-121-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/3536-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3536-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3548-230-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4304-210-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/4304-465-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/4304-220-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4584-166-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/4776-255-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4776-197-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4776-206-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4832-35-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4832-42-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4832-122-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4832-34-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/5028-243-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/5028-179-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/5072-159-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5072-80-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5072-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5072-65-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5108-175-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5108-239-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5108-464-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5136-240-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5136-486-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5196-245-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/5196-498-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/5292-500-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5292-265-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download