85f314b2cfa33977135781451180dc7e13dc3a77134eebe1469e38934dedfd21

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
29/01/2024, 15:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
Size

5.5MB
MD5

0a623f6b02bf8fca8c4b72122381c267
SHA1

bc9adfbb6a573b50d2dbbc6f673c3f8d722055b7
SHA256

85f314b2cfa33977135781451180dc7e13dc3a77134eebe1469e38934dedfd21
SHA512

9ef7c1a5617ca545e644670b12aadaff8f25970c2ed1bceae7b08903bb4509ee403dfed98699ff8eb1ebc79d6f66812c8426f75e45980ebb18b1203fd42240b8
SSDEEP

49152:bEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfY:HAI5pAdVJn9tbnR1VgBVmOar/5k

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2192	alg.exe
2388	DiagnosticsHub.StandardCollector.Service.exe
1372	fxssvc.exe
3008	elevation_service.exe
3480	elevation_service.exe
5004	maintenanceservice.exe
5044	msdtc.exe
3168	OSE.EXE
2512	PerceptionSimulationService.exe
2516	perfhost.exe
428	locator.exe
228	SensorDataService.exe
3024	snmptrap.exe
3244	spectrum.exe
2432	ssh-agent.exe
5200	TieringEngineService.exe
5324	AgentService.exe
5516	vds.exe
5664	vssvc.exe
6004	wbengine.exe
1892	WmiApSrv.exe
5464	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9f7895ee1f063bd9.bin	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{A187A4B0-CF7C-45E5-A279-8E9315C5F33D}\chrome_installer.exe	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_77703\java.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133510165408357585"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f0d48dc8c952da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000077940ec9c952da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f021bbc8c952da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f0859ec8c952da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000066fc94c8c952da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008398b1c8c952da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ac728bc8c952da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
5112	chrome.exe
5112	chrome.exe
1464	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
1464	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
1464	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
1464	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
1464	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
1464	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
1464	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
1464	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
1464	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
1464	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
1464	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
1464	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
1464	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
1464	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
1464	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
1464	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
1464	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
1464	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
1464	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
1464	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
1464	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
1464	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
1464	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
1464	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
1464	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
1464	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
1464	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
1464	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
1464	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
1464	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
1464	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
1464	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
1464	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
1464	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
1464	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
900	chrome.exe
900	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	364	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
Token: SeAuditPrivilege	1372	fxssvc.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeRestorePrivilege	5200	TieringEngineService.exe
Token: SeManageVolumePrivilege	5200	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5324	AgentService.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeBackupPrivilege	5664	vssvc.exe
Token: SeRestorePrivilege	5664	vssvc.exe
Token: SeAuditPrivilege	5664	vssvc.exe
Token: SeBackupPrivilege	6004	wbengine.exe
Token: SeRestorePrivilege	6004	wbengine.exe
Token: SeSecurityPrivilege	6004	wbengine.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: 33	5464	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5464	SearchIndexer.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 364 wrote to memory of 1464	364	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe	87
PID 364 wrote to memory of 1464	364	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe	87
PID 364 wrote to memory of 5112	364	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe	89
PID 364 wrote to memory of 5112	364	2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe	89
PID 5112 wrote to memory of 3344	5112	chrome.exe	91
PID 5112 wrote to memory of 3344	5112	chrome.exe	91
PID 5112 wrote to memory of 964	5112	chrome.exe	94
PID 5112 wrote to memory of 964	5112	chrome.exe	94
PID 5112 wrote to memory of 964	5112	chrome.exe	94
PID 5112 wrote to memory of 964	5112	chrome.exe	94
PID 5112 wrote to memory of 964	5112	chrome.exe	94
PID 5112 wrote to memory of 964	5112	chrome.exe	94
PID 5112 wrote to memory of 964	5112	chrome.exe	94
PID 5112 wrote to memory of 964	5112	chrome.exe	94
PID 5112 wrote to memory of 964	5112	chrome.exe	94
PID 5112 wrote to memory of 964	5112	chrome.exe	94
PID 5112 wrote to memory of 964	5112	chrome.exe	94
PID 5112 wrote to memory of 964	5112	chrome.exe	94
PID 5112 wrote to memory of 964	5112	chrome.exe	94
PID 5112 wrote to memory of 964	5112	chrome.exe	94
PID 5112 wrote to memory of 964	5112	chrome.exe	94
PID 5112 wrote to memory of 964	5112	chrome.exe	94
PID 5112 wrote to memory of 964	5112	chrome.exe	94
PID 5112 wrote to memory of 964	5112	chrome.exe	94
PID 5112 wrote to memory of 964	5112	chrome.exe	94
PID 5112 wrote to memory of 964	5112	chrome.exe	94
PID 5112 wrote to memory of 964	5112	chrome.exe	94
PID 5112 wrote to memory of 964	5112	chrome.exe	94
PID 5112 wrote to memory of 964	5112	chrome.exe	94
PID 5112 wrote to memory of 964	5112	chrome.exe	94
PID 5112 wrote to memory of 964	5112	chrome.exe	94
PID 5112 wrote to memory of 964	5112	chrome.exe	94
PID 5112 wrote to memory of 964	5112	chrome.exe	94
PID 5112 wrote to memory of 964	5112	chrome.exe	94
PID 5112 wrote to memory of 964	5112	chrome.exe	94
PID 5112 wrote to memory of 964	5112	chrome.exe	94
PID 5112 wrote to memory of 964	5112	chrome.exe	94
PID 5112 wrote to memory of 964	5112	chrome.exe	94
PID 5112 wrote to memory of 964	5112	chrome.exe	94
PID 5112 wrote to memory of 964	5112	chrome.exe	94
PID 5112 wrote to memory of 964	5112	chrome.exe	94
PID 5112 wrote to memory of 964	5112	chrome.exe	94
PID 5112 wrote to memory of 964	5112	chrome.exe	94
PID 5112 wrote to memory of 964	5112	chrome.exe	94
PID 5112 wrote to memory of 4576	5112	chrome.exe	98
PID 5112 wrote to memory of 4576	5112	chrome.exe	98
PID 5112 wrote to memory of 2180	5112	chrome.exe	95
PID 5112 wrote to memory of 2180	5112	chrome.exe	95
PID 5112 wrote to memory of 2180	5112	chrome.exe	95
PID 5112 wrote to memory of 2180	5112	chrome.exe	95
PID 5112 wrote to memory of 2180	5112	chrome.exe	95
PID 5112 wrote to memory of 2180	5112	chrome.exe	95
PID 5112 wrote to memory of 2180	5112	chrome.exe	95
PID 5112 wrote to memory of 2180	5112	chrome.exe	95
PID 5112 wrote to memory of 2180	5112	chrome.exe	95
PID 5112 wrote to memory of 2180	5112	chrome.exe	95
PID 5112 wrote to memory of 2180	5112	chrome.exe	95
PID 5112 wrote to memory of 2180	5112	chrome.exe	95
PID 5112 wrote to memory of 2180	5112	chrome.exe	95
PID 5112 wrote to memory of 2180	5112	chrome.exe	95
PID 5112 wrote to memory of 2180	5112	chrome.exe	95
PID 5112 wrote to memory of 2180	5112	chrome.exe	95
PID 5112 wrote to memory of 2180	5112	chrome.exe	95
PID 5112 wrote to memory of 2180	5112	chrome.exe	95

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:364
- C:\Users\Admin\AppData\Local\Temp\2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-01-29_0a623f6b02bf8fca8c4b72122381c267_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d8,0x2dc,0x2e8,0x2e4,0x2ec,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:5112
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae6039758,0x7ffae6039768,0x7ffae6039778
    3⤵
    PID:3344
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1660 --field-trial-handle=1888,i,5827294579252064129,15787060264350147472,131072 /prefetch:2
    3⤵
    PID:964
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2200 --field-trial-handle=1888,i,5827294579252064129,15787060264350147472,131072 /prefetch:8
    3⤵
    PID:2180
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3100 --field-trial-handle=1888,i,5827294579252064129,15787060264350147472,131072 /prefetch:1
    3⤵
    PID:856
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3080 --field-trial-handle=1888,i,5827294579252064129,15787060264350147472,131072 /prefetch:1
    3⤵
    PID:2068
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1888,i,5827294579252064129,15787060264350147472,131072 /prefetch:8
    3⤵
    PID:4576
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4588 --field-trial-handle=1888,i,5827294579252064129,15787060264350147472,131072 /prefetch:1
    3⤵
    PID:784
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4532 --field-trial-handle=1888,i,5827294579252064129,15787060264350147472,131072 /prefetch:8
    3⤵
    PID:1892
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4756 --field-trial-handle=1888,i,5827294579252064129,15787060264350147472,131072 /prefetch:8
    3⤵
    PID:4596
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5088 --field-trial-handle=1888,i,5827294579252064129,15787060264350147472,131072 /prefetch:8
    3⤵
    PID:5284
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 --field-trial-handle=1888,i,5827294579252064129,15787060264350147472,131072 /prefetch:8
    3⤵
    PID:5368
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5104 --field-trial-handle=1888,i,5827294579252064129,15787060264350147472,131072 /prefetch:8
    3⤵
    PID:5888
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:5616
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3664 --field-trial-handle=1888,i,5827294579252064129,15787060264350147472,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:900

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2192

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2388

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4896

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3480

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5004

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2512

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:428

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:228

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3024

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3244

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5200

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x23c,0x240,0x244,0x214,0x248,0x7ff72a867688,0x7ff72a867698,0x7ff72a8676a8
1⤵
PID:5700

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
1⤵
PID:5756
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff72a867688,0x7ff72a867698,0x7ff72a8676a8
  2⤵
  PID:5804

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1892

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5464
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:6096
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5460

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6004

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5664

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5516

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3280

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2432

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2516

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3168

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5044

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3008

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
196KB

MD5
d447f8c74c1c10eb0cd30f1c86196a24

SHA1
a30f8618ba078bf4154ff76ee437dedc33af3f9a

SHA256
c7165c10358c68ff7a5839e0c3303a4bd8d7407a62c505fea55cd73b83cafcad

SHA512
d0fb5661381bf6b7b0a414495b3bc37090496b935f7c9221a734ef268d556bb1a25b41e9207d25f8f486fa07d607f975500983afd4dd0115f7ab8b4e1d61d4a7

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
76KB

MD5
6cd5ed40c17ece3ffd2d69693d4ff1b2

SHA1
1058105c848da05c6fdd191c17e5421e5053e68a

SHA256
b9988584fc15f5a745e46aad0f3b804c4535fec820387e7e88c0bff63c60a789

SHA512
a63fed40133c8cfad89798921928b4a56122b86ba6d4850191605ffeef996ec38c4047613498546910fb6eb89f2cfb4b897610fa94810a07fda0126dc50ae4fa

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
455KB

MD5
ff734b61d26f64b0a299551f33841e5b

SHA1
0ca41fcab2396e81879817aa6177c2fe0bda8731

SHA256
97f6a5ee85c83ddffa460e380d945d7a4d85f5f866d73a8f2145042c5bc24747

SHA512
6ed29c74aa6677837ee1395416087c9c760def59a6f375b35544e80829ad663168af809d03a2521b072e5722cf3a3aad6f50307113cc8b4d989b2dcfa5f91b9c

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
402KB

MD5
67b7bb4f3bcbc0c6fc9004f5543e34a1

SHA1
ed6f016b2b10bb1c8407d7838eb745ab13053026

SHA256
04676ca44aa519649bfafc766dc8efe545b6a9499d940ba618ef24c938ac4e66

SHA512
2fe4d5fc28c89f7fab51ffe470b8a44489e861b733e34f1e978d8dc3a8adc89368329c3097e697dc46f1e9244203ef3146b1b32c0bc3a70c695c864f5f0df616

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
575KB

MD5
c90f982a8e44a6d147d69645dfa85ff9

SHA1
c8afa1aeccdac0ed5b629dcbcedc2f58b7f02f4d

SHA256
3da76a3c16c03bc0d2335470c63988c3a37f1502b805b34b5d1a72db72f4aa7d

SHA512
20e35d15ca340223dc3eb0801f721b0bb2871f3a630874e03c1c678e1e549fabced0d613f951bb7363fbf6662de2b750b2d61ab0b97d82b687d0dc7af637c371

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
364KB

MD5
ff6f7034f44f4a7879dc51b621aec4ed

SHA1
0ca494f4ae46c3e65b26cc2f501ed206666a49cc

SHA256
09beab078a70e305f7dcc3026f97d60972db781dda0ec52ae6428fb5859bed52

SHA512
56637ecbb69dad8a8cf0d7781e5920983b22811dd997a54ed8676a6ca80f6b03b5b9aa7c0cad3f3b8181e0d28658f20470210c4b58ba62b2526a3a2c537d760d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
319KB

MD5
5b3097240e3913015eb53f15d64125fb

SHA1
4eec375814a7ee0410a6fbcfaea1e68fb131084c

SHA256
b1c98c7e44a030775557cd8dd2a9527cdcc14d4379454b0927a2523fa7712590

SHA512
fce34b9c0fb81d24c0dcccc77d723e9b53191ab66187108fd7211b5d698e3aae0b7e24b190bf83ce419fed838495d1291dbe91e9b1873c23eeb646a8b1f76109

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
400KB

MD5
87bbab5d62bcf06875c38411f93b7eec

SHA1
3b4eca8536c42d3eb5f10341e2d70cb49619b05d

SHA256
aedc3a138df3bf226d3ec65c78b2187c024446e27ca9995e332802f82824dd3f

SHA512
70682a0d13785129dd26fedc5d67600ca380e18146a1bbc22a1634b9e3db2217fb63fb695e35d58d81f13eafa61dc7386e1d69d7dae1dfed4e82e2d68c3bab0a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
317KB

MD5
c7b3ec70ddd81e3282a1567baa23ed3e

SHA1
f8e4ca8b680589c2420965160ab9c9ea369d6665

SHA256
3da8f550af7de7e519cd21b3a59720d0da8d2adcd6e2f26f36c1251dc0f4484b

SHA512
d8dbae0d8e7e72036f89a6fb196e07b4422beef24d7325323f192f1be7692b57510a39adf51cb3589941f52f03b883ce9f4207cb5f877087daac656f3b9412d0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
454KB

MD5
63a794b03e342239bbb8579d404076b7

SHA1
6ef6769e9fde3bb4c5f960065a6b44f87b9da544

SHA256
6db8ba09283169920bfa8a41953083a0caf715064e547ccf929c43b108ff8976

SHA512
da1feba2357f0ebdd2187fd86ca4a23371d9d739e6113a54b53e21e26cdb4ce51928378ef50467b8bc0664197e3a93590dd9eced467102e3e9aed7b095347adf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
429KB

MD5
1eb80732db0ecd7d0c14c74955774767

SHA1
614a501cb0c34bde772c71fe8135f753d5ab031f

SHA256
4cad23f83482719bf7667ea550f10dad7bbef9d3579976ae3b8153d1c2e9668c

SHA512
e8f595fb7b6b32c308ac760b5bb36c3cd65a4b955a65f807f15701e5daf9b31e5e54ad8e17875d4eb8d467ae22f8cc6e6b74124d6679300fac82a1432e40021d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
445KB

MD5
0c4f8ef6dd8b6ed1b7cfd9537920f1b9

SHA1
dc4a3d09728488e620a7c51c23b53dbcf0a247d5

SHA256
6dca5770cdd45688fdca6f60dc4742b10b265e2a4325888a71c266d870ddd28c

SHA512
8be220041120e6496756282e538f47ea2aa274a143a71b07389ad0435051b0e659038080374da30175cf65c6bf18ac99d096d14feed77741e3f5c9774ccbe835

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
349KB

MD5
055ea01353c491392bd207395cc04804

SHA1
8db0232ae3a233a4937cf38214e528eec2f47ff6

SHA256
b1b0a97eb280d69a86e280f4bec30bf631233d123e45bd787793d9cece7e63f7

SHA512
a1bf32a8228f48083268a46f59f679afb35ea60d993d0ce40b921834fb4fbb6ed3d372e84efe2440d92fc88ce5f7de33107e04b5ac302485e5616a4a69380276

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
272KB

MD5
5873a4ac6d3aa3647d8784acc03ec5ba

SHA1
2ad4a8761ac6fa120629ef8542e77096089cf62d

SHA256
3fd7fec03c5a46350cf3df514dc5d4b1cec10219a010f14dc54e9f5cdf4ab6ea

SHA512
2f7af0e50f5d4fb01dcab793cf3f6e1348128bd9f8eafe42600cfae34d86025ada6d5ff61ca53b75fa49814f3a14b97da7d08ce9cc6560bfa74247033f74f4fa

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
285KB

MD5
798d8153d4de31e5acf8f829ae5a433e

SHA1
4544b4f450f3e8e84c345ef372b014670612f2e9

SHA256
eaf0f129884741ff3980066e78930714b5b69d9bef752475251130d73eae6364

SHA512
ec86785fe7dae727d08af4e97203dd174e3c7b479cfb68a05c41bb24a4af7f0256a514311ad1c7c0d313187f554af08e9c971e60f7352c4b102fadea7a82800c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
411KB

MD5
f8467a8d5cfaa7830b16298c74cd300d

SHA1
43d6ccac741d3246c1e158ef9af5fe139c24ede9

SHA256
7960d800e6edf554536fd29e05b497a331aa90478de9e3031bf4b6acecbd01c7

SHA512
756b6e1dbadad7aef94958bd05670a8c4b5d297372940013ae85e8fada96d7f94e3348d9d6fa657099019061abb9c0ae6e691c29d653aba6f234db41e52a3a83

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
237KB

MD5
4b9fabbc9dfbc15028c12d5cfa7de4b4

SHA1
886d46d86545d19c45d9ff4ffb01ba973dd974d6

SHA256
8caf573e9e0e27467412ef7a0ed3b65d8894ae6c4e840de3aac915c6cf312303

SHA512
7260d4560f63aea5ce382ff0981b7fea5f0b14029df375a35367c4bc05076ed88ce94b660f40cc1264ca406d409b9209df82544ec3433ee50bdd31af7d60b03f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
194KB

MD5
7c640f047bfed5c7e6d1e674e431cc31

SHA1
3f9640e71a33264e3a3c77f5bbb00f39eee261c9

SHA256
991c7ad9dbd929292845309953ce293a3cd2eb991db4d4b3d756888729639f54

SHA512
c728e033e3ac888c852a810b787b3795ea5dcda5a1796bdbee5a9a464f5aaec9dd0bc30d7cc0a00255b5d9a1ff4adc04167ca69ce1fc04cb568af695823e594b

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\20597873-7e22-4c97-a0dd-fb34f910c3f3.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
572KB

MD5
8d1c35ea58af04f933a92bc0876b2d93

SHA1
0ac0b4c688fbaeb787fae4bd67b9a54197919f76

SHA256
7b38644c0af60de46e491fc4fd769ca9fb2506b312bc7c0c6182fd1c070f81cc

SHA512
ad0aa30292c8f534df54b3ea872b063beb8e78d0c1f69b763a96b2b63a2cdc17962ee63845c5ee8a5b21628934155e3249aa43504dcd1c746ff5e0f91ea20337

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
345KB

MD5
f67e746ff8eeb47984323a19eb84d2ae

SHA1
5a79b88ae8b1b14c06f3bc418faa85cd02991e6d

SHA256
57904a68b6eb10f161acf4603377ada1cb107e41dc5744959c28386429de2d3b

SHA512
dcd6654f5c6d126e052a6f175f728beabcb3a2658392c8838e4054a8926e2411a796bb597726863e504d9230a0531b88c631626148b3ea95bf311d8290e89cd9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
a43c5442720748bc3520106b9b6d4737

SHA1
3ae6a4bbe5cc3acc29b02debfe78a366e7d046ab

SHA256
0e33c15bae9de0161695319643a4e46b888255d6b11af246e2050f7863708e3c

SHA512
9167b7a8ad92b7b82119edc9591c28d53b18256cf2259b6bbccc7c5c1833d20be514393845c6acce3dddc44d71a2c258ae27da3ea0ced8cded56e689f0b4479b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
9e7f6afd50933be17b3962aaf790b34b

SHA1
e2a5e92390b866efdd4fdf7b1357c18a3964c998

SHA256
ffdfe734ade263d5659740e248a9f36675dbd7f8131587927cf0bfda4c38cb32

SHA512
678c97c2b4a03abc1932850db147bc5acf66e6eca676f3a5c2c257a9b387043766ada64ef3fb819891e700a3e1c424d241a267c6cd501d9ed53b4dcae8ba798b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
9ea5c8e43be8ee3f553cccb1cb37003a

SHA1
0775b7871a834572735e11430f25b4149b364142

SHA256
605f2e947ccded7dbce5514b3e6f0e3455ec36742bab5a9903459c13ea975623

SHA512
3d54ef333b10f42c4f929624d9fd72b6432243aeb950b9fee4a4c8deaf7020a5003cb15271ae489fd9ccb27ad96a64c2c99c673f442be9d53517fad2aab83484

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
bed8b03d782d0c8eafe77b92bad25f16

SHA1
822b0bfc6a2e4efb2acd22af8e3891490ac07e44

SHA256
5b47e298552c9127b2d8b8c3c1dab7038b6455c561eb107aa0322b42c7cbe6b0

SHA512
343f5018a9b404f315627c16c698e7587a50291704d18ef6cb327160c3e128147a31d56aa10f22c1d2a2f9835f677ad1cbacb6935d04c1ae1c17d9ddf2007253

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
c4025fb2b9b3804085486002a17150d9

SHA1
72fb950a22d2ca31a9f0869b31eda9aac4e8d4a5

SHA256
63e4aa77b1abf5eb48791029473b8f3a4a43c47e047bf81ac96a4971123e4062

SHA512
44a849623c6740d4057f890306e4b983c5ab38571894288f6e2c75ceccdbd5d0eb7f9e0e59d62881cf0d24c81189f86e5d3b60756d78387c780009f4b3669068

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
59efd0bde0804b6a62e4f220482e6544

SHA1
03544abdb6310e50bc5f2d3e358a65dc1f77c483

SHA256
4cb843de7341e17c33eff645b6e032d266e305ffc5aaacf575c18d496a660500

SHA512
db4a5f61e90b522a1ec8e2bb88f94ad76a5a4e0f4c7537c0254dc6fcfcd3929b19b913e096111a834aca68f3edd577b6b64c0320e4224a97d080d8d03b390591

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5764a5.TMP

Filesize
2KB

MD5
243c668f162c7348bebacb8b1221080e

SHA1
3a9c679ac86a4d93d6621a5457b3513e00e1ca9e

SHA256
c08ae97e4e391bb770b086e3ed9e3ae340d7c957a80c5c0b1038a5829c4de34c

SHA512
f32fc6845a52e0d36cf17541370515c089cbf8c29adf4d26ff84d9d14eab9e20ea6614cf8586a76e22571f3ad49b42940c8d0802fa053960135f56cb3782e11f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
0fbef5db943c25f1ebae7083296c64ce

SHA1
8fb358ecc187bc42842a8d3153754527f8b154ba

SHA256
5b50704076d2c8803c977e20feb7c7fc899f1147603544f9c3927f8b0adeb903

SHA512
cc84ed9449bbf69823ba4a0bfeb9ce5441fb79c02c6b03f0378a7b0d55086f2a8c5b6572ced870f6c65fc4c1dd8f6a4e287aa05b4f4fcc3a67a3e0f5c8cd1370

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
144KB

MD5
1a3a82c74ffdb5cc2c0bea5ea8266957

SHA1
31de68ac47cb2e8c884e4b7076afe0d4eca23b7e

SHA256
0c6588fe5694850c94351e166bf746b519ba0a6774158a3e6556dc9b974f6a1f

SHA512
6680ff813bf980303aae9492a1a1de6f92119bdc0bdaacc5df30050e1d0f396baf10f8f79ee44a45cdd3e7f7cec6347e08682e791bb9eb64b369b638b357893d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\b90c63ea-b682-46db-b1d7-632663bce4a7.tmp

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
8ea6097ea4cddabc75aa2a63f85569bc

SHA1
83b8222b1b57d0a7f0cdf410a42ffb94607b7fff

SHA256
df9578994f42c6ab0f9a0c5c96e7bf302327a467566af66d1cf67da92946dc4e

SHA512
52e5f6980bf5ba3cbc313530f9d51f905ffe7aa2f7538fc0a72b207dcc9d67fefa884b7607713e3fcbfe774fbb91dc911fd4403efe4b0c59dfbab9ffa9c1f3a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
1955c086231fc6f1dbf52e425c411273

SHA1
a0b67820cd141c99f2cccf6218032684a62c5a5a

SHA256
59b3757313e4c437b7807a187ad6678ee18dedb4a2d58173868fad53444d78e8

SHA512
91870b6a5aad909b0da7e78ef6abef4d535ea13ba754a6a57c02778787af7c5047c000e81eea6404f17bd16e844695fca56e3ca3d49e8ff11319537bca8d9d88

Download Submit
C:\Users\Admin\AppData\Roaming\9f7895ee1f063bd9.bin

Filesize
12KB

MD5
d5c42d8ee3941b85b8123874a5859eb2

SHA1
ace491432399a0086696a34730800c2e17a84640

SHA256
2e355f5530c958bbceaca5e63808a4f47e10e17439f8c44bc817f2fbdd549207

SHA512
5a7ea0ec4277ea470d9120cc28a29ef6d2676eb35486112c6022893f757bc39797823bd8f61d4e12d1efda16dff48139f7406186c47812dba531617ee1cfc0e1

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
223KB

MD5
174e456da4b412a6da4c56e26e30db87

SHA1
781267198443f5498fbe706b89da9fa2cb9fba08

SHA256
6c8824b2664835b9c04dc406cb500b68d7c7e69ebb5823edadaaef16eed37e05

SHA512
185e80aae76319aeaab8340563d6e66c754c2bc9223be7101457a93cafff50a682cb626afad82258da3ec13a556837d5a2ca84a08f695274f9f7664c12633044

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
86KB

MD5
a464058aa2abd9378b71ecd7b0ed9ebc

SHA1
844daca591559dd13ead7d9dd9c73165ecb71bab

SHA256
25e6e0c0ba1927da015c0ea90a0ce51dab3a352b59bb906296a0ae47d8865652

SHA512
3502fc687059306af605bcf0526edd3fa0d687e242b0f08c8a95f029e4bd15562ea1f7d008307aa19cb629713dd32f914b85279eb95540ceeb98052801e6b8fe

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
438KB

MD5
87ad964df3272857e59be453089f6b67

SHA1
a633816c4f7dae33f2914b1ef681f729a9c1efc0

SHA256
5df37918ead4d6f59062e7ff4bc099004df5e3e2ba0e2cf89a27a0bea83b2619

SHA512
b40484c9f30bd17e753bd44c745b2205c6b049f84a9e7d4620b640995bb7c8bc765ce5ba2905229846fb3039f4b6e9397c3e07273c75052317feb5f4f9d250c2

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
191KB

MD5
679f9e24d785192a758f34a5235f6c70

SHA1
5d3df7230a87e4a26d46b6dd92376668b085d7ff

SHA256
ab32b4edbaaebaba36c0e736c5575d4c907bdf884af6aa500da5e48d5cec87a9

SHA512
18ba46709240b26e6d0dccb599f5d19e637765486d9bf160c3143be3d18b0792433c1854c6f6ea933ef10654686effeaf530e15fe9c42b0e211e3f37c3cdce4e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
197KB

MD5
b701c9f86d0cbf36956056bbeee7f05a

SHA1
681b398a549af019ed87bfd23985207868a7bf95

SHA256
eaef3333ae1ebac1efb90a031d1be28d6482ddbff82cfeb23c5e6d318ac6ed4c

SHA512
b352bf506d1aa43806080f8790d94355dcd08ed574013f71d81214dfd58c1ae482b91929f5a81c17bf5e52e7d9d3d5429ac9fa9f060dbed7e17b8c5a84d8f6f3

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
451KB

MD5
f1ef3d626644b7f56941975041c26f08

SHA1
9e8a4df6756c73642259051bc152f8d5e71d27a6

SHA256
32f2d757ac0aa94714dd5f944a80a9d68896c52e31d84f96d08a5007ec00728c

SHA512
b44a1557bfc06e9437aefce0197d60470fc1a4b4f4c309e0aa21b247cc08d7bfc6a42c1eaddd19ef52746f37dd620f7d8d07c3f3d68beee614fd961642b37b7d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
229KB

MD5
33bdbcf608e4fd31f0d24ce056fca76a

SHA1
64afbe9e37ed624e2c518df5f50982518a1d0f7d

SHA256
c87d38cabfc66d2183a426a84e2ed869fa20953d0176b1f678e31b7f72b8fb66

SHA512
ad0c67d6dd4aaed2410197fff76b581edc7f1c856e876d9d37f97c21c7506c3e34d568439339ab9baa03c0843e2253424444ac8e2db68436b94e9d41af9047b1

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
184KB

MD5
9e78ddf02be4576b3a7d0eb58f2a2308

SHA1
709682410cc1271d42cf81af5b80912a05d38a59

SHA256
0d1e8937c769da8eb7585a06f91812979913b4df590d71c391812cd1a98f3bf6

SHA512
a621d6ffcc816adee3f2e7469c6d22b7460af09bdf36a541a28628321950cfa07fb4ce0bb5a664bd1194cb79cd92f2f2f90e4c6ce61451f33de3ed9df6d35f43

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
87KB

MD5
74db516ad2794a5265d5d1d68c101790

SHA1
21c7967403a748e67c523a4a61e04eb58e39c4d8

SHA256
f289b7e30377ed37a04a23f854149641ffb18911895a5ce73a732d22fab8eb79

SHA512
328f7f7d249f42b2decac6a51934af7830007858317a6730cbc1df23352cceeee76040f22c0f179aa9e1b4853875dc2d3cc1198b9d56738b3772e640f48c2a6a

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
106KB

MD5
edf9e182bf9761935f1c5785271d846b

SHA1
fb1e326bb5ba806e1dbfffe713e25a0d29263ecd

SHA256
6884cb0cc30f8675386fe91b4a6cd30255ce3a6d340651b33fdb2c19d2774b97

SHA512
968f3655b08bf5d3a5875bbf664a9130184eddc5b09dce37ff16328c84d35035c5f8d70cc205b1f89c34ca127b803db06e5bbb99d92fcfb0b6975ce71e9b051b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
546KB

MD5
9db5d54945780e97de2eba2ce79dd12c

SHA1
89f09404853101dfa73a36a7aa6acf3af4df250e

SHA256
5c9563284b4d803d26e4aca7ea4e23a959022e6130f646856c26295e338e27fe

SHA512
2044b038e7eb1ad5df14507f5f648f169fdf449d1cb9b4d986f9733ce23facd8290a315d3d1732ae5058f13f3e7c0a5de35eaac4cfff62c16d28c37801152bb2

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
94KB

MD5
bd00a1e3d4debe26e54f18ca7430d3ae

SHA1
ad466ef0412d96c9ae814d8f63261345a92b3b30

SHA256
583a91419d1f76a7371d0aab92658e6d5dcaf56fb69db091e029cd102539e66e

SHA512
2b136ece942703ea0efd6350d1fbe11f782ce293896cff6332a1e5068dae221c3f9ea59a2a63301751939cbaebb0448cfb679f6d1549dbc90c4e4ee807aa52ab

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
39KB

MD5
baed8e96e65fa8f49c37dbddc8c1ffc2

SHA1
0b9ccb6c725b4685be03ee54810f84ae83d32a37

SHA256
69cee8f5905f1c7b202d49bc5eaa96e9245abb1a8b06e5717e9790567caf5956

SHA512
03bd4a6f1292284e618b17b90a564b28a0d9689e3a3a0177f6cd720f17044aca89616d6a63435110fbc0b46b0bdacc8d37eb2f21ada2442058bfe0843d1e0c16

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
272KB

MD5
732ae3e099d75e8abd3a3de2447c8e9e

SHA1
80d8dad63b52f6260a7e40f7d4a26a8ad4e0e678

SHA256
29d3f57afb6ccee8410dcdef41e73dffac846af71b0be03f0b358d020f29814b

SHA512
62be0529ccc39d7e06a1ddac8ce785569e4b30655531acbd541df35a697f99645384a22a681858213c0922132ca72ce89a036e88a3e28982734320a42aa011df

Download Submit
C:\Windows\System32\alg.exe

Filesize
99KB

MD5
6046f77ab71e9df7a564d97e3d0415a3

SHA1
63e3116f7e087d814f5d2c5e3a845083295bb1fe

SHA256
9ee1b5bfc24b589789ad144dcefeab5293e06e7614916646e30a4cee572488b6

SHA512
707e059f482b899b56181712520acf3d83f1b72049538a107dc80bc9928522e82f6c7d1a6d9346df7f988cb7580578ba110eb61af102f6a3b2e7dd05c97fbccf

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
7KB

MD5
b1bbfa5fa1549e93ae81d91ae7f3ce15

SHA1
56c7e630e4252d0e7cdcde73864c6fde9766de56

SHA256
53c5208672c76dc38c944f04f2fab567999cc7739fd2cb04e6d743a758be59f1

SHA512
364df74a0e113473b6989ac14611b76daa5aeede84db0544a5ee45125faf7cca0973a78c838af11f282a91d8218e58a03d6e38d61c5f89051c5054b21352e4a4

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
85KB

MD5
7343832975a0a5c084c94e9e08697afc

SHA1
fb098578b5d59bc98a4eba422ea019272e18b323

SHA256
04e89d261d63ebe0dd3572b08099760bfb59cacd3be147e5845fc5d6f467a7c3

SHA512
132d65eb47ea6f74a6c7b7d517d3e1fb2269cd87c3da5cdc3481f734bc113196ad3df9c5f8746b7c3a7d42e2af048ac12c999970822a95d4741ed0a6a14b98e1

Download Submit
C:\Windows\System32\vds.exe

Filesize
344KB

MD5
2049186ec04c8afd8b39efd14fb73eca

SHA1
21ce489bdf66e28685aafddbb1348e47f2074e0d

SHA256
e362e8d3979ac69452b1999bcefbe54cf02108b5aea1c406cd6e573922b5642c

SHA512
0cde8c4a4d64a9a40a2b4f48defbed1ada0c05fbe3007fad3465a09446f84d362ee9eb762d8f2bc1cff52b8f2ffe58cbf6982fe227cebb87236210cc8d396f70

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
47KB

MD5
44a28f67fb59b34e3698930cc3f8d6af

SHA1
063d6fde078d2bbabf595e0717e3e1c0336a75e9

SHA256
e0185a099291ce22cb623bcf373ddc401a01fa3c5e4084dd58839b0beeb6f5a5

SHA512
c889535b05c2fc9f332ea790da82039bb99c598bd3bc02fd18d5f890b3020713b3cad651a6c136cfab28dcb44acfd4891150ae886d71fa3be320c93554ced38f

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
79KB

MD5
877d91674caa5f9865d96d02005c54fe

SHA1
d92ddd149f2b93f4bfcaada3e132c0959d0ade08

SHA256
03dea6be112df4cbae6c287d1efe5ee4910fb4eccec3e683195a6ae494a4a74e

SHA512
b2e6c0df4703b28d96330e677eac113b7730962faaca5d9d5e397085870e83015fd1e4af594166a583f36c1aed33625b415ccea37aba06e6e3ebdea3bec9729a

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
0bcc753a7891b35f9f8b3443658beaa7

SHA1
06f278c697f734b07a6b8c9b5588cfee488082d6

SHA256
07237edb07797d8582579461d43bab7a57f91dedf3bdfbd2b8d3cc34142ecf2e

SHA512
0eccd805c1f5035b89d8b6a945fcf7469d0fb433e412a6b6e0583bd60f45c38b45a8a6b714923a0720dcda020c9248ba14289a74f414d5cec1a9212917b595bc

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
370KB

MD5
6f70bf001b72b501398e8e79d750dd17

SHA1
bb6e92bf1c096de377d464b4bddc0de17859bd56

SHA256
4c44e944d55b02db7afc5614b6156421d058bab3209db4c12c1d0847240767cb

SHA512
0d8d860f88f679425de8be99ea431704822de7c91e01a6e51c969b8828c593f5bf1abbf94e1aad2f5f67524312f4e1113b153c3949eef8d99a26796cf81d607f

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
987KB

MD5
53700161394f8cfcee4af289cc6206b7

SHA1
740f33629702222a8637cc8430836659651aa7a6

SHA256
c92334c01a46b972d0c992df82b1f11fc333e57a8fe2603ad7763ab286739557

SHA512
7caaed3f98e4f13f4e5334ac2d630fa407e7cbd7c674882e3619c5d39a1078fad45cf42974165edabf7cb99a337cecbab6062eb03c5b92ee6fd8cebdd4bba2af

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
533KB

MD5
cd4de36e65850d60d274d9d8119d9807

SHA1
abf3a707224e518f83c30bf985b7ec0eaae1abb2

SHA256
a31162ae2555abc3a08e70d5be593416d7ec5c30c445a50c5bfd678e6ca72a40

SHA512
72331512c6a363354d1e2d2e016c6020d17fe11e59e072af82170a73169592f3844b044450bff3a6de4c320271f7b3bfe521494706982d80d8ca3e480df4f0bb

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
607KB

MD5
93ae3e98002af142090452d29e0c60e6

SHA1
205200f7213064e418914ff6f84dfa5f3f306eb3

SHA256
588662cd334ea0217e4e31f4778bf83802c8db70de92bdd7b51e6d5d7d60d970

SHA512
c12564d094b405d486fd86035628bfdd7dc9c642309cc9aab59b0461f7c790f6bafff62e16166f6d9ece01b90178fc0da91059bd6434fece4a9e0055e50652be

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
599KB

MD5
46c2e507960861f23d6d506639d1b0f7

SHA1
326322e36d4461c885a1517ecaea77b2afb1f37b

SHA256
00f01d5ec8054c52fe42f0086b7453852077d90ddd215a324fe21104f4055ecf

SHA512
76466984ae8324d5f7d97800aa9a5a994200420897c14fdef44f3ab1ecbda4ce225e64747a0ac75ddc821360d6ea8a8742139a981663e01ba03878c2673d8b7f

Download Submit
C:\odt\office2016setup.exe

Filesize
587KB

MD5
5b96661c580d4d040ef3843e3cd15994

SHA1
c9bf54e351a6fe4087078c7f31e758425512a546

SHA256
46f41c14c1664fbc4946b913d6318019a5ba3c933e02644b1910235609cc95b3

SHA512
f8d67821195e80d326c05b987d9a287358381896fa2eb3a442cc84e42b2f35c5526fbb602c44c710cfa389cd3f2cb5ec3952ee3cb7a7257e1103ad721a82e052

Download Submit
memory/228-264-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/228-197-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/228-588-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/228-589-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/228-207-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/364-30-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/364-3-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/364-7-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/364-0-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/364-8-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/364-37-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/428-192-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/428-184-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/428-252-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1372-71-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/1372-58-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/1372-64-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/1372-57-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1372-75-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1464-14-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1464-98-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1464-24-0x00000000009E0000-0x0000000000A40000-memory.dmp

Filesize
384KB

Download
memory/1464-12-0x00000000009E0000-0x0000000000A40000-memory.dmp

Filesize
384KB

Download
memory/1892-354-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1892-347-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2192-109-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2192-19-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/2192-31-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/2192-20-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2388-45-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2388-44-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2388-52-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2388-132-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2432-238-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2432-248-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/2432-332-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2512-232-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2512-174-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/2512-163-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2516-247-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2516-178-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3008-107-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3008-104-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/3008-69-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3008-78-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/3008-68-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/3024-211-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3024-281-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3024-220-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3168-218-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3168-148-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3168-160-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3244-233-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/3244-224-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3244-301-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3480-108-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3480-100-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3480-177-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3480-97-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5004-129-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/5004-124-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/5004-114-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/5004-113-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/5004-130-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/5044-134-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5044-144-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/5044-205-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5200-346-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5200-254-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5200-261-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/5324-267-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5324-275-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/5324-278-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5464-368-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/5464-361-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5516-562-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5516-284-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5516-298-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/5664-314-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/5664-302-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/6004-342-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/6004-336-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download