ab5ac6a0caa858c5e8ec58bd98a8600999e149d04301c37b83914eb76974727c

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
29/01/2024, 06:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
Size

5.5MB
MD5

94a1a07af0661c7685a9234c50644230
SHA1

2d59b799eb1e92da12510786746169e69780ae46
SHA256

ab5ac6a0caa858c5e8ec58bd98a8600999e149d04301c37b83914eb76974727c
SHA512

1949e49444657d8ffbba9e990482fde5138c8daf33ddc47fc4cb98891effbc9ed1f4c93c5e09201f7b5ff5a5938ea55b435de74a27a31ee8a2494f06682c44de
SSDEEP

98304:IAI5pAdV/n9tbnR1VgBVmmDRSf+Aego/gR:IAsC37XYVDRS2ngo/g

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
3020	alg.exe
4364	DiagnosticsHub.StandardCollector.Service.exe
4228	fxssvc.exe
1960	elevation_service.exe
2144	elevation_service.exe
4944	maintenanceservice.exe
2908	msdtc.exe
3320	OSE.EXE
1032	PerceptionSimulationService.exe
1564	perfhost.exe
2972	locator.exe
1264	SensorDataService.exe
4352	snmptrap.exe
64	spectrum.exe
4548	ssh-agent.exe
1084	TieringEngineService.exe
5212	AgentService.exe
5260	vds.exe
5316	vssvc.exe
5416	wbengine.exe
5512	WmiApSrv.exe
5620	SearchIndexer.exe
5868	chrmstp.exe
6096	chrmstp.exe
5336	chrmstp.exe
5944	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\cbd911bc4d74bb6b.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_85453\javaws.exe	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_85453\java.exe	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000c8e6bc77e52da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000275ad5c67e52da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003df24ec77e52da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007e15b3c77e52da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000735451c77e52da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
532	chrome.exe
532	chrome.exe
4432	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4364	DiagnosticsHub.StandardCollector.Service.exe
4364	DiagnosticsHub.StandardCollector.Service.exe
4364	DiagnosticsHub.StandardCollector.Service.exe
4364	DiagnosticsHub.StandardCollector.Service.exe
4364	DiagnosticsHub.StandardCollector.Service.exe
4364	DiagnosticsHub.StandardCollector.Service.exe
4364	DiagnosticsHub.StandardCollector.Service.exe
5864	chrome.exe
5864	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
532	chrome.exe
532	chrome.exe
532	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1372	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
Token: SeAuditPrivilege	4228	fxssvc.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeCreatePagefilePrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeCreatePagefilePrivilege	532	chrome.exe
Token: SeRestorePrivilege	1084	TieringEngineService.exe
Token: SeManageVolumePrivilege	1084	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5212	AgentService.exe
Token: SeBackupPrivilege	5316	vssvc.exe
Token: SeRestorePrivilege	5316	vssvc.exe
Token: SeAuditPrivilege	5316	vssvc.exe
Token: SeBackupPrivilege	5416	wbengine.exe
Token: SeRestorePrivilege	5416	wbengine.exe
Token: SeSecurityPrivilege	5416	wbengine.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeCreatePagefilePrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeCreatePagefilePrivilege	532	chrome.exe
Token: 33	5620	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5620	SearchIndexer.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeCreatePagefilePrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeCreatePagefilePrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeCreatePagefilePrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeCreatePagefilePrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeCreatePagefilePrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeCreatePagefilePrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeCreatePagefilePrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeCreatePagefilePrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeCreatePagefilePrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
532	chrome.exe
532	chrome.exe
532	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1372 wrote to memory of 4432	1372	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe	84
PID 1372 wrote to memory of 4432	1372	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe	84
PID 1372 wrote to memory of 532	1372	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe	136
PID 1372 wrote to memory of 532	1372	2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe	136
PID 532 wrote to memory of 2028	532	chrome.exe	87
PID 532 wrote to memory of 2028	532	chrome.exe	87
PID 532 wrote to memory of 3588	532	chrome.exe	133
PID 532 wrote to memory of 3588	532	chrome.exe	133
PID 532 wrote to memory of 3588	532	chrome.exe	133
PID 532 wrote to memory of 3588	532	chrome.exe	133
PID 532 wrote to memory of 3588	532	chrome.exe	133
PID 532 wrote to memory of 3588	532	chrome.exe	133
PID 532 wrote to memory of 3588	532	chrome.exe	133
PID 532 wrote to memory of 3588	532	chrome.exe	133
PID 532 wrote to memory of 3588	532	chrome.exe	133
PID 532 wrote to memory of 3588	532	chrome.exe	133
PID 532 wrote to memory of 3588	532	chrome.exe	133
PID 532 wrote to memory of 3588	532	chrome.exe	133
PID 532 wrote to memory of 3588	532	chrome.exe	133
PID 532 wrote to memory of 3588	532	chrome.exe	133
PID 532 wrote to memory of 3588	532	chrome.exe	133
PID 532 wrote to memory of 3588	532	chrome.exe	133
PID 532 wrote to memory of 3588	532	chrome.exe	133
PID 532 wrote to memory of 3588	532	chrome.exe	133
PID 532 wrote to memory of 3588	532	chrome.exe	133
PID 532 wrote to memory of 3588	532	chrome.exe	133
PID 532 wrote to memory of 3588	532	chrome.exe	133
PID 532 wrote to memory of 3588	532	chrome.exe	133
PID 532 wrote to memory of 3588	532	chrome.exe	133
PID 532 wrote to memory of 3588	532	chrome.exe	133
PID 532 wrote to memory of 3588	532	chrome.exe	133
PID 532 wrote to memory of 3588	532	chrome.exe	133
PID 532 wrote to memory of 3588	532	chrome.exe	133
PID 532 wrote to memory of 3588	532	chrome.exe	133
PID 532 wrote to memory of 3588	532	chrome.exe	133
PID 532 wrote to memory of 3588	532	chrome.exe	133
PID 532 wrote to memory of 3588	532	chrome.exe	133
PID 532 wrote to memory of 3588	532	chrome.exe	133
PID 532 wrote to memory of 3588	532	chrome.exe	133
PID 532 wrote to memory of 3588	532	chrome.exe	133
PID 532 wrote to memory of 3588	532	chrome.exe	133
PID 532 wrote to memory of 3588	532	chrome.exe	133
PID 532 wrote to memory of 3588	532	chrome.exe	133
PID 532 wrote to memory of 3588	532	chrome.exe	133
PID 532 wrote to memory of 3236	532	chrome.exe	132
PID 532 wrote to memory of 3236	532	chrome.exe	132
PID 532 wrote to memory of 4260	532	chrome.exe	131
PID 532 wrote to memory of 4260	532	chrome.exe	131
PID 532 wrote to memory of 4260	532	chrome.exe	131
PID 532 wrote to memory of 4260	532	chrome.exe	131
PID 532 wrote to memory of 4260	532	chrome.exe	131
PID 532 wrote to memory of 4260	532	chrome.exe	131
PID 532 wrote to memory of 4260	532	chrome.exe	131
PID 532 wrote to memory of 4260	532	chrome.exe	131
PID 532 wrote to memory of 4260	532	chrome.exe	131
PID 532 wrote to memory of 4260	532	chrome.exe	131
PID 532 wrote to memory of 4260	532	chrome.exe	131
PID 532 wrote to memory of 4260	532	chrome.exe	131
PID 532 wrote to memory of 4260	532	chrome.exe	131
PID 532 wrote to memory of 4260	532	chrome.exe	131
PID 532 wrote to memory of 4260	532	chrome.exe	131
PID 532 wrote to memory of 4260	532	chrome.exe	131
PID 532 wrote to memory of 4260	532	chrome.exe	131
PID 532 wrote to memory of 4260	532	chrome.exe	131

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Users\Admin\AppData\Local\Temp\2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2dc,0x2e0,0x2ec,0x2e8,0x2f0,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:532
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 --field-trial-handle=2316,i,16279485378386856057,2983055143035540548,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5864

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3020

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdc2559758,0x7ffdc2559768,0x7ffdc2559778
1⤵
PID:2028

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:544

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4228

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1960

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2144

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2844 --field-trial-handle=2316,i,16279485378386856057,2983055143035540548,131072 /prefetch:1
1⤵
PID:2108

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2836 --field-trial-handle=2316,i,16279485378386856057,2983055143035540548,131072 /prefetch:1
1⤵
PID:2444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4764 --field-trial-handle=2316,i,16279485378386856057,2983055143035540548,131072 /prefetch:8
1⤵
PID:2376

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4748 --field-trial-handle=2316,i,16279485378386856057,2983055143035540548,131072 /prefetch:8
1⤵
PID:3376

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1564

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1264

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:64

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5212

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5260

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5316

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5416

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5620
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5244
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:5736

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5512

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4916 --field-trial-handle=2316,i,16279485378386856057,2983055143035540548,131072 /prefetch:8
1⤵
PID:5908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3692

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4548

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 --field-trial-handle=2316,i,16279485378386856057,2983055143035540548,131072 /prefetch:8
1⤵
PID:5216

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
1⤵
- Executes dropped EXE
PID:5868
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x290,0x294,0x29c,0x298,0x2a0,0x1403b7688,0x1403b7698,0x1403b76a8
  2⤵
  - Executes dropped EXE
  PID:6096
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
  2⤵
  - Executes dropped EXE
  PID:5336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4040 --field-trial-handle=2316,i,16279485378386856057,2983055143035540548,131072 /prefetch:8
1⤵
PID:2000

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x1403b7688,0x1403b7698,0x1403b76a8
1⤵
- Executes dropped EXE
PID:5944

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4104 --field-trial-handle=2316,i,16279485378386856057,2983055143035540548,131072 /prefetch:1
1⤵
PID:776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1960 --field-trial-handle=2316,i,16279485378386856057,2983055143035540548,131072 /prefetch:8
1⤵
PID:4260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1896 --field-trial-handle=2316,i,16279485378386856057,2983055143035540548,131072 /prefetch:8
1⤵
PID:3236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1764 --field-trial-handle=2316,i,16279485378386856057,2983055143035540548,131072 /prefetch:2
1⤵
PID:3588

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
130KB

MD5
be11a676500ab24d5b51fd4e96005ba4

SHA1
23348b11a8e4d7487bc15aedc795514679100de1

SHA256
6394f15f2bbba3c9d2a2483b0dba29015f0f753c96fd1ec08d1bc5db3a3fa993

SHA512
fc082f6ffb02aef0bb814ef7d3d0dd62885f30ffd150e4414418463fcdd734a617a81ffa6b510dd4980ceb3f6b94a3629fb47469e13023130bfaf4c70e8502a0

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
95KB

MD5
7ec6bd0f47f8cd8a9e1e3675883c0588

SHA1
2ae436a1587c0de1342afdb0fc73f33c9d5407f9

SHA256
ea2a9f7bd5060bf418ab520b7be0e11764acd6904b66c22944e2a780efc5ef86

SHA512
ec5bc27c11e84db6eee9e4771ef104e7ee81d69a3e5cd8713a1ac058ca00748cef529970158391eb4b9cc645f1f6fcd6ff767d1de21234cf8da8e1a00e1b88e8

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
208KB

MD5
7d274548c5eba791a34bac459d7ea8ac

SHA1
5ca3f24a5cf33d84fed830b8bda68c77bd6db28b

SHA256
8173b794132cd17af113cde599c0f48989577e16133711939ba1e82207907e51

SHA512
5fc358a062680b8103bf7b1364293d8b42db1cae84079544582a381267398fc7deed50dd5bc6df14ff3d73a3f5070e9a20583d5734f82827c10690fe4accd43f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
441KB

MD5
4e21007522ada3fffb0e5f4b5c72f1f5

SHA1
98193691ae8e62d3ecef440efcd8a70ddc6f0dbc

SHA256
c1c4cc6d11300bc70d6c0c54f2caecb42db386f3674509de772949ad0a7c22fc

SHA512
2f9cd57cbb293103f94ff5c14734ef72c85766e01e239a790013138bc079372e0e8d326597e9bb45b3c02f5d3e0321ab9e5d57a56c917d7664f9fda377dc1754

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
564KB

MD5
77b50a2817f51e2d3a739c3e5fae45e5

SHA1
30268574bbbd74a2798d770b846fa1fbd26d788d

SHA256
17e8b67186c56f92f1e11dfae300cd64896ef3031a7ec1c7d0d4aece626d84ab

SHA512
3310cc696b06353969bac1d9b2c93f261cb9a28032d60be1652992c4876f26ede0a3eb2f74fe5bb7559978947febf0763a48c344b5e269b1807f712c422f8617

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
366KB

MD5
bb254362fd530357dfbe568b51413a9c

SHA1
e19edeba5dca00fc7fadecbd6dc45da551a43dee

SHA256
75ace72f4884ec4e621bcc9340eb4da3f0f1b1e5fce81d23ac0df7d24f3e2b33

SHA512
46787a4317b47bb303d8e077f3c90791d1ada1c04b7748881daeec378a2b299e6ae037bd454c2ef102f4889374ebdec771e8c71568db5878b94174ac94b415c9

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
519KB

MD5
cb5078b88e836f767218f086fac611eb

SHA1
db59296b18e1c08a2073455f62337d31a280c9cd

SHA256
70cb429756080836eee679a7049a343d4bab6b6cabbdc404e7a4826fbe17822a

SHA512
beb70ec97cc7297119167767f27d1eada076354f1e8b44733aabef208d52dc1008c4516c18017e189d1ad017284f25804b962f253ea90046997a5defca068656

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
454KB

MD5
fef010b528854d642b566de3f35d3ff6

SHA1
514a1a7150bb2831b451d565f34b7b4dc721c2b6

SHA256
60acf5128f01fb636dc0b86575f4d9bf041e6d7bba53b09c8bd1502206b90afc

SHA512
f42da095e392187eafe24d283733eb4d3f6f46c4430c3ba02a0640a651def2abbf48e995c01a415ba18d9feba5855c8d0d79c101365bb6a8a953713364aa1e59

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
384KB

MD5
e605c4d0f53796003ed4ff7fa771c2db

SHA1
5f2d26ea473b5caf29deae704e88ad847e8a3a53

SHA256
7747fba27c6ac2fa9d1d5ac9a508632184c28271e6816d9abc6a98d293bf1239

SHA512
9df9e14c56a012118c2a1b7f94fcca4d22af7259106c9dcbb2c004d17855517c0204f230ce07dd3a1a5fca6b19cb0603267da2dcd4969595a6dda03353a3f178

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
389KB

MD5
349390887e48ba2e65800e3d68019c02

SHA1
9f638330a5ac991fd3125c3bde4a30c4eee6425e

SHA256
399438b1fd0a1dcaced69e579bd03c7d53b6825c40bd20dffe7d2823fd587b8d

SHA512
9fdfe639bb835fd868d328a8a6c8e29ff4e95aee9e23d47937c978ed7e43c02c5a4a3f14dcb6c93679699caab64914e8af668e297147ae45bc14ae51a56b8440

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
388KB

MD5
dc6592a01a9efce4fb33e317562e048d

SHA1
fbac3c529400dd342811bd5b9431ac82898756c3

SHA256
5f7f7a50ef6bd0797cf0207f2ab782ccf5d11dcc132ea00184df855721384b26

SHA512
4379d5424ae51d45c30c484aa184d6006365368e017a1aa5e30d7ec9ed83ad48e3a2422f2992bd161718d8c7173bd3142583255a98bc193a36b9ea0b419da932

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
377KB

MD5
2c3af5c23c9ad8447414c958c9843443

SHA1
46576eb9447adf4569d1618e2d9f796269a507e4

SHA256
a32916f3de8140233f80c636ce1605e1559b55d0b951fae2e8ba45da55f5ffd2

SHA512
5b2c73a5f3cf773c4a6da7032b72a72192cb18a5d699356b2c9050a3c42afc84050cb9ea6622710f7bac9c78fc5244e33f2d7647b74cc2c676f16a1c36d02ee8

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
405KB

MD5
d3b21616f3716c8d60ea174185e15432

SHA1
ab031afeb216243fd32cf91dce0aa9098710e9f2

SHA256
f2139ecb293b7b8fd49963092b0ddbf91cd2a2b56cbf0be90292ded12cca132d

SHA512
48b2e2c7bec4f4112ba7bbf48c717a7bd1d9e65faf728687e5b580a335222722d9a97b5e21dd2a3db33a60ce0ed5c42d8bb69a80a76decc4218d0fd565c3af34

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
21KB

MD5
a08de22e0e3d8040823222cd5aa7dd45

SHA1
6da69b47276a1252b9ad4c9677a01f26173c4f5e

SHA256
4b2a5ab884576cc99a5df65744a5dd89ec78618371a3ba9faf07b6ab1e3c3bba

SHA512
c3a1f5a05ab9b287300daf74ea4b0916e2c1b1b922d9464757913dad078cdfad34a5db7834522faaa612e755918dd600288934fc7942447bf40f9d3c0e1d4ea9

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
325KB

MD5
0c76df2ab0249b24c440b38f157754a3

SHA1
ecd9e93f14a9b9e60fca20e173e9b74071c69a90

SHA256
66aef226cc0e60cf64abb89958b48ab7f76d103a2f9f08ce953c21ab099ca4c6

SHA512
2aba4c281efbd98a9b926f1f650abbdf8c43f4e92f0046b1230254177867ffcab2c9eee0cc7984819191a0ce506133b44114ad0d974abd44035a43aa19ab2d3f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
169KB

MD5
d7a4d22abf87b7e863d3e8d3ec5da86a

SHA1
a20c3e3843a039967284228ac50e5861ca879e6f

SHA256
36094fa333658bd6d4ee7681d308bfb0ffecf1faa02028bd88fc96e4d4d2ca41

SHA512
7b2bfcf35f76941c15318c37a87fb6380b9351bd338f10e6239b030809bfd1ca6b7b2d95b16486e9b78384fe625f107a33d2a1bc621e76fee704c134dcbd0a0f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
17KB

MD5
7bc7a9c2d76587742245a7e85d739c07

SHA1
4d0cd6a3d9d155a6fc70910465898334f22821d2

SHA256
2e0016b2904af27c4f375deef4de3560553bd9c0e8b98130be51edbcf101145c

SHA512
cbec6b6d708e285f606c587763603a6b7d8b0dbe99ce4723163380f80d6ecc937e023bf57ed7e043ae8824a60691d8212c13c888f78c646690f26d4128697cf4

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
24KB

MD5
c6d1825f59e7b6ab82fdc44bd8fdaeaf

SHA1
e4c22de5ed398caff3f1c431335b408744c3012b

SHA256
c411134b037d765d0dd0ee69d27b5e1fcbdab8a486bf101214f2a29bffeab9e9

SHA512
2e6d9784882c7648cc62b171fd073d0ca687b9a6c8bd2ef4f1e875c978d402fc80ccdce7e989c5565af539957aedc759231b0967de60da828ca8238a83c09723

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
142KB

MD5
e1b91f6160f141315961aaf7eeaadd54

SHA1
f2112ae54e82fe89cbf7a6f5df4022b5bf6ae2b1

SHA256
5430912822afb0f47015be4029524b5dd804bf7a78455e37db75cefab40ae08b

SHA512
b4e78d48eb2263421d2339dcd592c1ba7ef86da6d0edc5d00b1aea34de6d59af51d502b06dc07099f74800056313541d090b5bea846ea158156d5425baf124c1

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
33KB

MD5
cfba62f03d7e8354f04e43f8de51f108

SHA1
4d1f404049ed7e2f746ed7747213e07f1fca096e

SHA256
45ccac4633776d5606a06be2721a5e23d4b0e9be46ab353f33a9282cbd4b8157

SHA512
0b8a64c5af4467e1d10de2d44d2d8d9dd048e52070ed181108308e497caca367c30533556c9d1245711c64e36b5098d97f21bf2d81c9df87610815af08d798f5

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
45KB

MD5
d59f32b5da6733609e80cdad399cc2ec

SHA1
1ee2a0cf38682f4f63caf28359b120582dbd8d32

SHA256
32b991969636d8228551e9106248c94c6d517b5f9172d730c1ea40af750cc4e4

SHA512
99ebb07b92c87b753db54a698155b3d0208ee67ab684cfa639dcd9cd46465de1aef078183ebf3201a16c1234173da77653357158cdfed6904e6f6f23c921cde3

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
198KB

MD5
3ede6e385071536a3faf88b7e8bd7cec

SHA1
73f750e03612f9c70de59278872d21726451cac9

SHA256
406de3ccde8096f774abc41c967a32165cac4f2ba00adbe735d84d9775bdbbe4

SHA512
b0dd856014788d3be1f89ffcd8126ea77d0915aa7c10fe282b7649257650d1c7f4bfc200ba3d3eb1f999528a9b0f2f7c7e6caf943c7e388acd779f0405f44bd3

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\20240129064538.pma

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
218KB

MD5
0302725ecc92a4bc602a0a683343c8de

SHA1
729fcb08a7c1d935d0fceeb3effa976845c67c94

SHA256
94daf7b6906758a4aac12b7b4130ff3ec145e454725d5a13127c2af5ab44ee03

SHA512
eae55ca56c6d4aabc2cacb29a2432132228c6d9eb9cc684a218ea6510d4a5ed3a578622d55a47a0a8aef3acfac46d271507924b918a28c8f0c437829c907f82b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
bb2cdf82802bf69b297c9fae3fa48e85

SHA1
f26dbf7984929197238377b2b3e37f974447448d

SHA256
29998264d3f24068d6705e32cb6306f042797a0025aaebda57b3c581a49be0c7

SHA512
00535865805747cb5fe10f4f67872b52e94fd0ce51937f94a7662254027919b13df4af538557116cd4a8002afbeb295c601a79d5e64c8d2d2de9cf377eba1db7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
34KB

MD5
b6035b97b704d2cf49f3c1ccf80b5ca4

SHA1
f236f8c344248486f675a40f6685c3f715c7f5b2

SHA256
f3de5ee5abfcaa271c5acd3702b687a1f6924e850c0be91c930286f9f0da2cf7

SHA512
65eea816e0e26127f0e067465f0164686e651a44be0f62fdf4a36bf225de3cadfe81ad8a6181b6990eb58953bcb91f093f55755644406ed54aeac5af0f6bcdd5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
006b06b00e43b68c8b278919efdd266a

SHA1
c1ec9162b635953b2d6aa56fc57ece78ec082484

SHA256
6009760160886ccaf3da6f1101ceddaefa877558c520d18609db32e9c4de33a0

SHA512
4e1d716b94353b6a04939a8975b45b529fa3b5cae6f63b9d127e047403d4a05813573aa2c48ebb476e3c9fe0293385a13f767f4e1b42c4b669d0f96876528d65

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
d0e490f343c07dfb4a79a0cccb420cd4

SHA1
4c41d82fcb2dc789088368a7ac442ea348b90d9e

SHA256
2fd32fa452bae831d9ed0dcfa8a80264e2ce347d4e9c01409689a26a9a947049

SHA512
e05fa3a6ab8a17717c13e457f52289e70bc07c104a588dbcfeb9f8826d379bd6951da0ef2149629b0a17b4939571577146aee711181db425c51938729a5c6cbb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
62a8b721b4112a3595a1054899cdcfb1

SHA1
aac146439dad10b6195c909eb98aed4a068d598c

SHA256
5f3a087f5c0fd9155603954a16afe3589dcf98af5263ce13930f049a96c50908

SHA512
992457a6da1bd51f2fe2d0b236b897899245feb32393811b11db1c522cbd0fa1d0ab85994c05556a110fa98ca86567606f0cb487f536ba56919251b2f3b320e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
419c71c2a6116bda9119b566a687d8cb

SHA1
6a7d5962483de0f6a89a54c2359599aba4cca241

SHA256
dcd3d59a2c6a13c5e933be7f6ac505e9a04959480c7b060ae9a4f6aea482a82c

SHA512
b67ba2f34909b0dcdc9c39d8b7f6ced584ad6eaf683d7cb38e65a05af5d6cd5098422911d89edf56cbae5d5d6890ec529ba8088250133c0c70741b8181ffe4f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
189ec801c434e9eadc199eb72441000d

SHA1
9b224cb944b0feed2fe086ce7a4dc223a2054fe8

SHA256
aa9604c8a5c3fddaf39bea9b60bc7e137d500b0ad48dd8da98c66dfa0358293e

SHA512
2482b02443c9a37212903f5f5fff4b5a53548c93a4444a49d39a94327682c7bfb06f64c6265004576c8f4cb974e75aaeb35bfd97f58a2ab0b5bc1e256e4edd79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe576e3b.TMP

Filesize
2KB

MD5
290e9802629398a9ba56cfb50ca5f135

SHA1
3baf9a4863eb4a435da55f93e82a8ebe7a9f0106

SHA256
bd3b2b7f2fb53d7f94ee52219c2d5bce2b8fc511ca64df36236ca30e77e74f2d

SHA512
4eb9a305aeea0b1bf7659dd87c24d251cd182b456b18b776f3f6686fec05586cc648614b8d9090685b7d023d61dfba1cd733d357e1b3962e6be9789b879f7772

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
1KB

MD5
b5f0fbc7427bd47ae3427fa3f9eb55b0

SHA1
406a2851aaabb258d293a74a970d3b760eac61ca

SHA256
3b6fc0b507e856d3454b8099bb5609e3b878b2287b070e16cfe3af6f61250002

SHA512
afd543753bf20dafe51b5151c09f0ef4c5a033c0607c6fdc40f31da2efe6fba2f94f45db49b857b08576977d90c1bd7822a34c3c74d3341285caa2ac50c3860f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
103KB

MD5
f433686cba14fbf9cd6887dec413ce26

SHA1
f00db82825a6d84283090920f4df1fe2436e2f8a

SHA256
b6bca614279cac360f2eb0364e6544f40a543704e6b26c7ff241d456f3478150

SHA512
124fcebdefb1014f16c1977ecaae494dddf60556d2d7b4656cbbc463d7d0240df5025a04a3621e9f7bd68c54fd93f60a1865737e9176ba33c5d414f6f60cf595

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
ef6a28aae6c12801e402767120e0c4ea

SHA1
d98baf335f3452a2d5267e61b69e557a52aa8f57

SHA256
d87a7f8dd47125ab440fd08776066e21b56dc4af3179a41427abc114ceb46ef4

SHA512
b366acccb33d7c0b5f861f0a488b7c6c2594656af3cccbcb41cd808c645e283a07153e499342cc58de2a7d3824a873e681bc3ade44d1ef45122facbba05c8242

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
4c06716279b1619b66d45222324337e2

SHA1
b54bc2f6326c1d228d162bde6aaab456d36afcf0

SHA256
6d7259381c69cb7663c3a6f6fc162886d34a6d53e01489775397a21fe5292358

SHA512
df4f32bca67333faa00fb9e99599ac48655d4765902cb904801c243379727d00a2a7f5055e6670fc4c93601a49a0b93b2e7d27d08ea01d42aa83bafe2656387c

Download Submit
C:\Users\Admin\AppData\Roaming\cbd911bc4d74bb6b.bin

Filesize
12KB

MD5
694d67f6a015c9d49f500935cc699a22

SHA1
ce6d19b1d0ac0bb3b3af72b55bb82e6d6414f751

SHA256
c07860401aa6d141952641292f29fc5860cec3d64f655de6f8204e467d75d725

SHA512
1270655c87e00d709ba40424fb71e49a6229e6257be1dc6ca5b26d99ccdb0ab6de87045dc8f97a9521a4a6b9af034adc4103c040308fc2c577861c22829cecdb

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
18KB

MD5
bdf5900c9d14330c5f301bf0acb97d0f

SHA1
fa81d4c93ec338c8305d5a2a7ce7658a6a55b820

SHA256
2345b95f28f44a66104bb18ebfd1c4ba6f504e1ee71147d1d46ac79263e21865

SHA512
0895b36e6fca7ba92704055591867f336ab453421f22d7df5077129f6c956f54e41c2610ea8646be231816f29ac38a178434873fd21ba5ed81d7c2cfc89d95eb

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
96KB

MD5
e194214974a458fd1b6bbec696170d91

SHA1
8bc76d217de8691688c6fa98ef6158b665da9f97

SHA256
6800a3adf2d79ac91471bfd3f83f37b9f3de6cd0ca2e727f4f6b9fdcbaaa157c

SHA512
1e27be4d4c8528ef8952f551415174cbe06f245f82cc810e2c64bd1fefb43da67b02dd1d0b498468fe3ab0b10c390d16c887d9fdbfdd4452852bbb56e68ad175

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
416KB

MD5
0d821fa407d01916fc68bf01b2e66819

SHA1
5decc774860ce2fe8eb1867aa75201f394a707b2

SHA256
5c8d6ac08925635abef3ccf09e62ea0fa3e61433daa98f5f549736c67229f504

SHA512
346a325b18996d25ace5c23f47584e4e3923ca42f6f2e7c36557158a0a43c6bebbad5fc1638bdd664fec0a3ab3f626f7f79ec9d578e489baae2ff2140de0be85

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
141KB

MD5
e5ed26fb0a14f10be75bc34ed966aaac

SHA1
2a164305511a47b0ca717b8086f28de05cbd45e3

SHA256
5912b1941932b105f87a3ffde99a0e67724e662b5235505936e71341c5e03158

SHA512
5fd7f769ec7e921ef10dc25e95b24b15899e28b12536ff3864a1abd079f2eb7d0d2a35faa5cabafcbf4e63298325267773ecd165fa28aa2074e4522ec69eba11

Download Submit
C:\Windows\System32\Locator.exe

Filesize
47KB

MD5
10d885dff4bcea27dd745907010caeae

SHA1
cde60db76231a373af2122205b9ace6adac42104

SHA256
7e0302bca5131897f1302ecfc6f5bbfcf858584da7ae674641ed0097575fe988

SHA512
d4c1aab3275b1c9417b89e35c27a83dff8df5f5132ff21a395f329a7dab5b6ff16161a03ba4c991e4475c387b27bfe3c15002abd6d2031a5e75780a6dbe15f68

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
61KB

MD5
cb07528a3e59a1237f4057c2b3a6bccd

SHA1
eba04c1886bfdc6cceabb4d80dfa7363ca9b5178

SHA256
8c86fef53d45320e2c638ad3fc9c9fc811f82c704195411b02c08c9ac9f600e6

SHA512
a0018e36003f7bc74758eba5d3967f49093bc28e3523f3f99c24f4dce2bfb7187ac1b97526795a159d87f3cf10e5b94c4f7cfedaad0c4fd59a80ed9d673f308b

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
176KB

MD5
015d028654152fcd5f8e33ec3d9ff810

SHA1
091300276dfe13f1216929d125b33ec3708b8452

SHA256
04ba3a9d6c28e0b735b4980e94d51794e5a94c183e0155c0654ef2dd01b33183

SHA512
0062eb4f4bb09c12ec4900b6f90aa8e2f2aef2746e28e374408242dca8ce65cd8e7538babd224b81942cf99c4c47868288a7ee31367a0059b055459f6bcdad11

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
108KB

MD5
cfb92509cb6a55ed797b747d628f6692

SHA1
f7aa303e2d7ac39a891fe6229b27cbca7cdd20d5

SHA256
1fa621b69193ff9c8d3a33dea25cdd581a0ad1f2ac503c42a795e5cd36cbd4fd

SHA512
b654dced271b9e7757deaa5b9d541e890c34c86ac5b5058b3580873c128cd1b3435cad2def6c4d5fefabb25498c87fe24c6795f93deb544fd7b3ec965b71c1b2

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
100KB

MD5
641e8818f3245b548435dcd3802957e3

SHA1
d048ce68758cc797b3ab3122e5e5b58561c76758

SHA256
417caf44217087b36cc8f62f66fb2201e588504bf9517885e91244a434b03484

SHA512
628aa55701d518bf54f558b3f614d555a47f3057a30aa3e95ccb5191e452a0f9eee61a86706f472706b7a490f633893c0519b1c464965d599c62876f81fd0bc9

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
21KB

MD5
9e051e2611880e2fe23819631b8464c7

SHA1
64727778c6b7dfe1a6150f08f2a513fd8829722d

SHA256
5798a36e08ef3488dbc1d29bcf65e1cc7ea34c443434cad905cb8282a4aead24

SHA512
b5ff951d795721e3f880983cde996fcdac54c6dcc92b3fe004193a831819dfb019fe5e054cf068c5af3c3dc474bba8085aaaf8d40d46e7cd46cb15e50dd3415d

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
684KB

MD5
def16a8fdcf4a5c9e3af602cc1e7a74b

SHA1
3e5df3d16f7ac650c3a7a0b9deef0394ab0b686a

SHA256
07225282cadd6dbf2b950c7f231657898e7c070a1369b104cdb58f2647d096a1

SHA512
0fa601202ca94213e65c06f8d9ff0d0acca4bbde2386b29e2e89e442a260c144aca518e5104c54a37b7d9364823099258dc1dcbb70d5df960b1bdf92f35d02c2

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
107KB

MD5
1b8d86af1014b6b413db710f5d3ebff2

SHA1
8c145a695b20f758a28962c8b6fc08b7d65fa494

SHA256
fdcb1a2d171ffe248cc835509e1c43278d409de23f80ba43c9566a3594bd041d

SHA512
c3e7dded24fef8e44b62f47bd4150e9a02fcbb938c37dfe6479f20f411e41593a3fb36e42896e154ac622ef612267044c4bee459622df4aec7f4a098733a9f31

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
155KB

MD5
cbce59abf6dd0190675e76398b0595ae

SHA1
8de4df72c32865f73e1a8a7aa5292cc86b84138e

SHA256
9d21e0423bb8ed2eebb4c9dec7085ad72bacb70859e6e2531d498bf4e5acfdfe

SHA512
6f10f497200318ef15b1954872451271d502698b99998fd1cea15eeab1f1aa634cf7f7589fec1c761c70bb03cc0017e978fed209521954cb7eba77684a37ad1b

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
48KB

MD5
f5fcc6fc699b74b07e3dac3a6ed52329

SHA1
49d689bbeca12cd7dbb2fe59de0a98b7e5324b3a

SHA256
c023b17b60d4e31e08abe78058d7a3fbc807c827520b457481a7090ef19c35fe

SHA512
1a84939758408eecb83fc3793431edee61a51c5be52d88aece0d47b432e62c9ff9acdb864f3b0c3bc842edbdddc40370b34b2d02adcfaedb27e8a66783860d2b

Download Submit
C:\Windows\System32\alg.exe

Filesize
629KB

MD5
c8320e2de83b1e688dba51f620fa2389

SHA1
c06b6f1cdf831cee9a9379c60ce60bb4ddd0062f

SHA256
01e8a25d22ed251e558c07c68cc5c08766953241e5d7ba642f9eefc50ee2dcfd

SHA512
7b749c5b5af633256e85c0b4501458db45b9837b81b79977cccffec79efea7cf5b6a748d7abcf7a662f30512e7dc93935da32b1ae2c7a8fbca51f363a29a0a65

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
335KB

MD5
b684cd0a62051c33df47eeb341a39652

SHA1
33e9f91807d5d245cb02a89a841e12ec88a3859b

SHA256
25e68e473f074fbf9b70b8a2872b4c47ff42a770ed06748b16949fd547428bb9

SHA512
5a456f5ffca5785ab7296b637ea865a0868d9977f3708a63da7efdbe4da40e2d79d507962c778f11ff19dffca6771c87530d5d42ad8120cc6b75ae0ec12779db

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
41KB

MD5
1e3860cb3a8777b4379b83c3fd0fa7b4

SHA1
e53ce3d3c7ecd6d97fe8fb0ac6c93dde352cd1f7

SHA256
7f4cedbb846f73117a53f362cf0aef89f9397890e44cbd0a6d3de1ad4ee75b31

SHA512
05976e3df9daaf2634f19c3536e8514cfb07d2b8b842cf2f5a91ce607d881a3b8aee3719d1cfc7deec744227895cf60a689879ef2c9d8da62fd4b14d611b5141

Download Submit
C:\Windows\System32\vds.exe

Filesize
157KB

MD5
d73376a9befe0fe8ea5021d789870481

SHA1
c8b86f89b5f9975681cb1016206dc410884cd6de

SHA256
e8089b985499e614663a57b55f7c3373c245561535f4744d019279966aaa6d46

SHA512
af8e74126b0a8a265a15c62c164501f04cabc961410c0e607a054a0d870190dd5eddac8df0fc538fbc550faecdfaa0f0a853f8a36119411e8889a04c96fcdd0c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
109KB

MD5
33c515b474a90de91d62d13c40d14792

SHA1
e731950b113c7aac825835817389c37f7757b40b

SHA256
165864511f79cc3860aba2d02a6882c00047aa9e58733beb7ddf5d6aa3416f41

SHA512
0524b0342da80b186c2f5639dee8e276e6db9cb5874e8aafb810f32e647334a4789b8d809e7023879fa6740d2e1550fdea10b721fe7bb189760736404622d033

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
34KB

MD5
dfb25069b9f6a8227faa4bdfba17ac9f

SHA1
57484871b5fcf5a503dc5c85cfb2404916c3be0a

SHA256
813e7cb83d395a84cdc831513f554e82fca7e516171473c862ed6e02b4fab3e0

SHA512
641c80fedd1d945884444f0c2f24ce03de257eea9d6033da3c63ad4c52eeae6ddf9cd4ee4b27246325bc29f8cf9b13be4ae5ab4d61179a6d6cfeebd91b987c95

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
4c673548cddb6b082f48537ce42f0278

SHA1
7077489247ee9e8640de79562dcd484db9f950e5

SHA256
2727141051205cc7df3e821fbc031eda6187e568a3507ee24d00062678d9d666

SHA512
6ccabdb781dc8ea917193221ee4a0b8b03f573eb0055470e68a5eba793e5a501a48ea3b0044780160ebd922b13159a23ea8f9c07d8956d612216291573bfdbb4

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
647KB

MD5
6c29fb576dc8d033679dd54a098b95ab

SHA1
32542e7cf5e3d7c3ad93896845b551a3183732c4

SHA256
82ecd0514581e26bca061bf9c36a988a4b87c91fb766820a0837a4a1eb775afd

SHA512
741d5a30bbad2300da61b4dd9b632257e8764bbc03cfdde501423234ca67990c066621657c7ff852ee0bf63f3469c62fe7a957a125e1b488fcb615af8fbf35f1

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
320KB

MD5
009e05d04a82cec03859dd71de2f3fb1

SHA1
373971e2c2ef52d39d1ca8601b36b865e1944c03

SHA256
87e3cc2e1a9a5f0f5a676d348205cbb97b18bf9ea8b131bb4a63d9be29e255af

SHA512
35ec12a8823aa0f6a8f0e16f1e8d0a19390c3fbac3b818c536b3e527b911348615c7a315d7c27e37fb1c6dcc8b4305f39c5c229b3a52b86b1bd7a6a8b99a9e62

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
357KB

MD5
60f83675359df07811a05645015b5ff9

SHA1
0692b22a3cd7b2fcbca7dfe5c68a661600982b1b

SHA256
d90d98da209584a98e8f5178d8c4abfc2a9721654ee4ecf9491f22720e1862c3

SHA512
ff3174b0b8371edf8d5b615e2897b80838216b4605f7576c79f250be018f8a961c26205ee18e8e06716d182f00a803c1119c03e37a2b614b7cc10138adbc45cf

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
2c191bc949cafa16da3afa28ff4819b8

SHA1
6a4fb93b0b145d0dccae605f3b07d02460036fc4

SHA256
ba2bd8f27de02d8f11312e636481f54d3cdf7bc129571aa1ae07d9b54ecf0e4e

SHA512
df0abebd3ed4a8f7ff363d8350f6ce6dc1281ca3e8074499cf283489a65e5e4d9663e90cfa0ec9c37644481cb4a7952a1ad36cd895db3172348620744dd7595a

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
637KB

MD5
1faf836fe0395dd023f66da85c82e546

SHA1
beefb66856e2b51752b42d51d731d9c7e63d6405

SHA256
2e45ce9f3faf487acae237c1a800ce45462fb266d29969665c9e346789ae24f1

SHA512
8ef021d15407ade56f610bbd3292fb2f246e53c52092a275aad450f237a15871ff7503bf9262670e336b3b43b19ac6e8551d50c45c7d13cc00e9ef91aaac7da1

Download Submit
C:\odt\office2016setup.exe

Filesize
222KB

MD5
95ca3b3f36d78b3c7732f01890a5213e

SHA1
532260ac22b0f07f4a6dd43690e80a37b72094e4

SHA256
df8a71d3ef5a09b85c2b2f9e473d7f5dff519a70026bba0072b8bb3671f4980e

SHA512
46a234b4aab6502c84aa55d51f60929872a096726d2c3a2e8d36b45dfd25747ac585aab9a81dd995933527cc7dd0115f17bb742f11a4ec9d933cc6cd1424af8b

Download Submit
memory/64-225-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/64-173-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/64-181-0x0000000000660000-0x00000000006C0000-memory.dmp

Filesize
384KB

Download
memory/1032-133-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1032-194-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1032-132-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/1032-140-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/1084-199-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1084-416-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1264-165-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1264-216-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1372-40-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1372-0-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1372-34-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1372-7-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1372-1-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1564-155-0x0000000000660000-0x00000000006C7000-memory.dmp

Filesize
412KB

Download
memory/1564-146-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1564-205-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1960-51-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1960-121-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1960-50-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1960-58-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1960-57-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1960-126-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2144-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2144-66-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2144-154-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2144-72-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2908-170-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2908-94-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2972-212-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2972-158-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3020-16-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3020-89-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3320-114-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3320-125-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/3320-112-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/3320-180-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4228-47-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4228-62-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4352-220-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4352-168-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4364-91-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4364-23-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4364-25-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4364-33-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4432-77-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4432-24-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/4432-12-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4432-11-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/4548-400-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4548-185-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4548-195-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4944-88-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/4944-76-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/4944-84-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/4944-79-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/4944-92-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/5212-207-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5260-209-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5260-446-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5316-213-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5316-456-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5336-449-0x0000000001FD0000-0x0000000002030000-memory.dmp

Filesize
384KB

Download
memory/5336-469-0x0000000001FD0000-0x0000000002030000-memory.dmp

Filesize
384KB

Download
memory/5336-468-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/5336-430-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/5416-218-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5416-460-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5512-513-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/5512-222-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/5620-226-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5620-520-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5868-405-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/5868-380-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/5868-500-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/5868-498-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/5944-453-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/5944-458-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/6096-408-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/6096-424-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download