137044d3c9bf498b2869c83b7f5f1ed254367c5016a23a1c5116bad39a4eba98

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01/02/2024, 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
Size

5.5MB
MD5

fabb222c585f1ebc163dfa968869b21a
SHA1

024b31b502195374395836909b1c67ea22872aa7
SHA256

137044d3c9bf498b2869c83b7f5f1ed254367c5016a23a1c5116bad39a4eba98
SHA512

258deef28b668657bfa216c7e0ee22e59ed601639dc9289f9d7c5527c94f202b69a0ebf7559d42f021462b0f72d7cc951e11ee681ef55cecd6ff746ec4dbb7bb
SSDEEP

98304:xAI5pAdVJn9tbnR1VgBVm3U7dG1yfpVBlH:xAsCh7XYGUoiPBx

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4524	alg.exe
3280	DiagnosticsHub.StandardCollector.Service.exe
1824	fxssvc.exe
3248	elevation_service.exe
1772	elevation_service.exe
1656	maintenanceservice.exe
1364	msdtc.exe
4648	OSE.EXE
4072	PerceptionSimulationService.exe
2732	perfhost.exe
4132	locator.exe
3932	SensorDataService.exe
2488	snmptrap.exe
3768	spectrum.exe
5060	ssh-agent.exe
2268	TieringEngineService.exe
5308	AgentService.exe
5516	vds.exe
5608	vssvc.exe
5736	wbengine.exe
5836	WmiApSrv.exe
5944	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\locator.exe	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ad702baba5bf65ce.bin	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_108796\java.exe	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{BB1DEBA4-2D0E-4BD3-A275-B48259468944}\chrome_installer.exe	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e737d1bf5a55da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f270adbf5a55da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000059d5fbc25a55da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002ec47dbf5a55da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009b4711c35a55da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133512987059670170"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a25bd8bf5a55da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
4484	chrome.exe
4484	chrome.exe
3680	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
3680	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
3680	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
3680	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
3680	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
3680	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
3680	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
3680	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
3680	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
3680	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
3680	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
3680	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
3680	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
3680	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
3680	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
3680	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
3680	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
3680	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
3680	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
3680	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
3680	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
3680	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
3680	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
3680	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
3680	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
3680	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
3680	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
3680	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
3680	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
3680	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
3680	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
3680	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
3680	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
3680	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
3680	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
5496	chrome.exe
5496	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
632	Process not Found
632	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4944	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
Token: SeAuditPrivilege	1824	fxssvc.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeRestorePrivilege	2268	TieringEngineService.exe
Token: SeManageVolumePrivilege	2268	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5308	AgentService.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeBackupPrivilege	5608	vssvc.exe
Token: SeRestorePrivilege	5608	vssvc.exe
Token: SeAuditPrivilege	5608	vssvc.exe
Token: SeBackupPrivilege	5736	wbengine.exe
Token: SeRestorePrivilege	5736	wbengine.exe
Token: SeSecurityPrivilege	5736	wbengine.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: 33	5944	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5944	SearchIndexer.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4944 wrote to memory of 3680	4944	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe	84
PID 4944 wrote to memory of 3680	4944	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe	84
PID 4944 wrote to memory of 4484	4944	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe	86
PID 4944 wrote to memory of 4484	4944	2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe	86
PID 4484 wrote to memory of 736	4484	chrome.exe	87
PID 4484 wrote to memory of 736	4484	chrome.exe	87
PID 4484 wrote to memory of 3492	4484	chrome.exe	96
PID 4484 wrote to memory of 3492	4484	chrome.exe	96
PID 4484 wrote to memory of 3492	4484	chrome.exe	96
PID 4484 wrote to memory of 3492	4484	chrome.exe	96
PID 4484 wrote to memory of 3492	4484	chrome.exe	96
PID 4484 wrote to memory of 3492	4484	chrome.exe	96
PID 4484 wrote to memory of 3492	4484	chrome.exe	96
PID 4484 wrote to memory of 3492	4484	chrome.exe	96
PID 4484 wrote to memory of 3492	4484	chrome.exe	96
PID 4484 wrote to memory of 3492	4484	chrome.exe	96
PID 4484 wrote to memory of 3492	4484	chrome.exe	96
PID 4484 wrote to memory of 3492	4484	chrome.exe	96
PID 4484 wrote to memory of 3492	4484	chrome.exe	96
PID 4484 wrote to memory of 3492	4484	chrome.exe	96
PID 4484 wrote to memory of 3492	4484	chrome.exe	96
PID 4484 wrote to memory of 3492	4484	chrome.exe	96
PID 4484 wrote to memory of 3492	4484	chrome.exe	96
PID 4484 wrote to memory of 3492	4484	chrome.exe	96
PID 4484 wrote to memory of 3492	4484	chrome.exe	96
PID 4484 wrote to memory of 3492	4484	chrome.exe	96
PID 4484 wrote to memory of 3492	4484	chrome.exe	96
PID 4484 wrote to memory of 3492	4484	chrome.exe	96
PID 4484 wrote to memory of 3492	4484	chrome.exe	96
PID 4484 wrote to memory of 3492	4484	chrome.exe	96
PID 4484 wrote to memory of 3492	4484	chrome.exe	96
PID 4484 wrote to memory of 3492	4484	chrome.exe	96
PID 4484 wrote to memory of 3492	4484	chrome.exe	96
PID 4484 wrote to memory of 3492	4484	chrome.exe	96
PID 4484 wrote to memory of 3492	4484	chrome.exe	96
PID 4484 wrote to memory of 3492	4484	chrome.exe	96
PID 4484 wrote to memory of 3492	4484	chrome.exe	96
PID 4484 wrote to memory of 3492	4484	chrome.exe	96
PID 4484 wrote to memory of 3492	4484	chrome.exe	96
PID 4484 wrote to memory of 3492	4484	chrome.exe	96
PID 4484 wrote to memory of 3492	4484	chrome.exe	96
PID 4484 wrote to memory of 3492	4484	chrome.exe	96
PID 4484 wrote to memory of 3492	4484	chrome.exe	96
PID 4484 wrote to memory of 3492	4484	chrome.exe	96
PID 4484 wrote to memory of 2248	4484	chrome.exe	95
PID 4484 wrote to memory of 2248	4484	chrome.exe	95
PID 4484 wrote to memory of 3132	4484	chrome.exe	94
PID 4484 wrote to memory of 3132	4484	chrome.exe	94
PID 4484 wrote to memory of 3132	4484	chrome.exe	94
PID 4484 wrote to memory of 3132	4484	chrome.exe	94
PID 4484 wrote to memory of 3132	4484	chrome.exe	94
PID 4484 wrote to memory of 3132	4484	chrome.exe	94
PID 4484 wrote to memory of 3132	4484	chrome.exe	94
PID 4484 wrote to memory of 3132	4484	chrome.exe	94
PID 4484 wrote to memory of 3132	4484	chrome.exe	94
PID 4484 wrote to memory of 3132	4484	chrome.exe	94
PID 4484 wrote to memory of 3132	4484	chrome.exe	94
PID 4484 wrote to memory of 3132	4484	chrome.exe	94
PID 4484 wrote to memory of 3132	4484	chrome.exe	94
PID 4484 wrote to memory of 3132	4484	chrome.exe	94
PID 4484 wrote to memory of 3132	4484	chrome.exe	94
PID 4484 wrote to memory of 3132	4484	chrome.exe	94
PID 4484 wrote to memory of 3132	4484	chrome.exe	94
PID 4484 wrote to memory of 3132	4484	chrome.exe	94

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Users\Admin\AppData\Local\Temp\2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-02-01_fabb222c585f1ebc163dfa968869b21a_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d4,0x2d8,0x2e4,0x2e0,0x2e8,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4484
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8c8339758,0x7ff8c8339768,0x7ff8c8339778
    3⤵
    PID:736
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2212 --field-trial-handle=1896,i,6853662643519728187,3808028167221216816,131072 /prefetch:8
    3⤵
    PID:3132
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1896,i,6853662643519728187,3808028167221216816,131072 /prefetch:8
    3⤵
    PID:2248
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1772 --field-trial-handle=1896,i,6853662643519728187,3808028167221216816,131072 /prefetch:2
    3⤵
    PID:3492
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2996 --field-trial-handle=1896,i,6853662643519728187,3808028167221216816,131072 /prefetch:1
    3⤵
    PID:1724
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2976 --field-trial-handle=1896,i,6853662643519728187,3808028167221216816,131072 /prefetch:1
    3⤵
    PID:2672
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4688 --field-trial-handle=1896,i,6853662643519728187,3808028167221216816,131072 /prefetch:1
    3⤵
    PID:2684
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4844 --field-trial-handle=1896,i,6853662643519728187,3808028167221216816,131072 /prefetch:8
    3⤵
    PID:4328
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4840 --field-trial-handle=1896,i,6853662643519728187,3808028167221216816,131072 /prefetch:8
    3⤵
    PID:908
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4828 --field-trial-handle=1896,i,6853662643519728187,3808028167221216816,131072 /prefetch:8
    3⤵
    PID:808
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5232 --field-trial-handle=1896,i,6853662643519728187,3808028167221216816,131072 /prefetch:8
    3⤵
    PID:1036
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4620 --field-trial-handle=1896,i,6853662643519728187,3808028167221216816,131072 /prefetch:8
    3⤵
    PID:4516
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 --field-trial-handle=1896,i,6853662643519728187,3808028167221216816,131072 /prefetch:8
    3⤵
    PID:1632
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:1036
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff70b897688,0x7ff70b897698,0x7ff70b8976a8
      4⤵
      PID:2148
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      PID:5204
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff70b897688,0x7ff70b897698,0x7ff70b8976a8
        5⤵
        
        PID:5244
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5544 --field-trial-handle=1896,i,6853662643519728187,3808028167221216816,131072 /prefetch:8
    3⤵
    PID:5256
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1756 --field-trial-handle=1896,i,6853662643519728187,3808028167221216816,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5496

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4524

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3280

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:668

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3248

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1772

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1656

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1364

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4648

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4072

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2732

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4132

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3932

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2488

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:524

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5060

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2268

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5308

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5516

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5608

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5736

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5836

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5944
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:6104
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
308KB

MD5
d06b560553079d69001a1c67e9cf1f99

SHA1
bc7aeca6c70b656ca25dd229cadc3441d4762a8f

SHA256
3a2c690f88c774879b3f0b7e9a6b40bfaa01219485346784cd99e204eab14dd7

SHA512
2b753b21693a6e3832d3748275142b75e6a1d39c27050d177e9224e147afafaa5a05a25c43d4778f1e8332422f37266da2ca43d401f0698f031abdc3913ea02d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
31KB

MD5
4e45cae9c524590e15eba0db4989526c

SHA1
09c126ecf34b10a45c81306cde633444d6b3c81a

SHA256
91806a011584b7438b7c55738688f266fbb78247b99a9f19276083b285d0e9d0

SHA512
e6595a808543c9a093c20237f5129f2196df1d1d7507cb7d6784b866cfd867f1dc086a464393cd77dce62b09368a0d520a141695ce2812641b4ea1787c28195a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
485KB

MD5
6074e48c4316bd5896111ef5cd62447a

SHA1
42a922a7d9439cc98357adb942328fa66f83ee31

SHA256
ee9ce5407dfd58f27ae1188d7702288c7cb1021bbdb9b61f18263deca91d6b97

SHA512
5b9d9be41e40ee24e0274733496cd23defdd1ef1b0feff90b0f82c80431c5e5abb0e0b806e4b046075e608ae7e6ebfed28c26316487ff6fde4d36066791cb369

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
314KB

MD5
011953f960dbbb750d76a0c0398ba069

SHA1
6d173b439c54b9c067d1a2b0f6ef8726e8d06e39

SHA256
69b5da378b8f0ca3b3c82b6640eaf37f45e7dd9c223dd728d65bddbac81ef654

SHA512
f80ffdea9d027fd86bb94d514bb2de38de09bf4121a9bdeb8cd5165ba62d297522b0bccb872b8ac81fa06265e1be0821e5dc2385b9b5f38e87b31f838995a2d9

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
481KB

MD5
cccdcbaa97c6052955da3853c6508a16

SHA1
9a1afe5a610d6660fda6a3ea40baf49f95d4417a

SHA256
e9719b546fd25d7bda70bc5ea9db6cca44dcc01ab7a690d10a9a96ee666497f6

SHA512
5dac759d1283b4389238fcc6e384836fe269ddf0fb9b26ff21fe11bc9001938a2265b1f37d83b53d40e502480ca28d365bb04e28fc3617dcde46ee46433b5cef

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
270KB

MD5
43160a4525e4fe65b1a12c9fd42d2c51

SHA1
139086acc69509838487543358c848b082552468

SHA256
ddab060138d7e1222c3d79e120667da25f9e3b0d3c0b57c74a9e64cd3abe40d4

SHA512
6468ad238497d585aa5d42dbde9bb4817d3e6bf0cccda52c2ce20d5c4f7a3983e6bd10fe7f6f916e09a630e50bffbe538dee7a54a551740f7e5136720f2c7395

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
380KB

MD5
bd301709a64c5f46b601ed6b2b388a85

SHA1
4a17b931fd12f48cb0a3c32039f2a5c1e93499db

SHA256
322b730edeeb121d05b3eb379cfcc755785d73afa005f1892762e13e6bdb3cc5

SHA512
588ee5ad42b86386d371cf14adaeec7a211c1a3e082896da00d8653e1d5958d1503f8d3393eb8841202b859aaaea7b8c3bc6ce687baa55719234d39c70a97273

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
457KB

MD5
61e88361de22f48ab839d38a5b03e1ac

SHA1
c4ee0246a444a66c5f56b3c63c111a5748d3c32f

SHA256
549d183831cda04646256c368ccf44903d49cdad60def0c092a2e0d243e14461

SHA512
050276f2d345147a492708018adc40351a54aee4a8d21130fcc4180ea454193c68340625b934fdcf07f1a3f510fcc9c53d96ca4422bebf02500df68d753e4fec

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
280KB

MD5
9d203ab1f46a42046674236ac17762a1

SHA1
d0199d8f6fc4890d153f71fe2f50811e0aa802be

SHA256
22650a2582b55679677d5dc5433cca395ecd0237c4503feca00102e988238e1e

SHA512
d8e3795cff20c5b88acd0e8163894d861e16816c13b3da4593ca8839d9554ead2571a162b209320fe0e1a58b5b79cb903ee414bf36a307b474588fb3f6474616

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
356KB

MD5
23cab39c99a66e2c683bfb0008302718

SHA1
e55b668a6670465e467419a799db4627f42ffc37

SHA256
3d2d13124846205c9c8354e4cd15630de15c4305f6142219f9cd0fa4e0ce54c6

SHA512
4a448dd700392da502ed6c4d40ee7aeed51f3c8864809f47effd1460ce82350403574f269ef5dc523835c3c908a77ecffd919be503c885c4e127815bbd1e942e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
365KB

MD5
89477ca3f09c58fd8d484e19a555b7a8

SHA1
543a023d6a90d51b5ce735b5a1150e1a8ae8b887

SHA256
a1ff79780cc399c9b35a8b94c83a1100270b14f454bb5b7883df2a1578711a0b

SHA512
8962034850394c0dc93f3134915b407ea02dd9648af5e35b9d820d893c319494a8a10532c7cffa3f45280f1c9959873ee155970a97330eed146d4a8547736822

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
291KB

MD5
ac360c8f3929421e31c29a32dbaef161

SHA1
487fb27126fe6060315593c94b40e0ab75bf0b82

SHA256
692d5351e81c6393f939dd3b534ff45739b20cf3dd731c9686d27f90ff9984dc

SHA512
37f3d86819a6c566a4dbbb278eb9eea11bc0e9700f66c23e755aef2ea2b9c71438e3ab9127b0a048d0fa743e6fec18cc9a0cdf57c12af39630703b72320f7b88

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
249KB

MD5
5feae4a5fa3ee5eb9f7b0473c134e6cc

SHA1
ddfee9bcb262b65e6561a2a66890956a495c7c24

SHA256
d9703cb0adfcec66b62bbe582c20e087bd40d8a181a92242183ed1cd53cb5b93

SHA512
7dd7b3d9892e9fc14b992c20e3024322ebaee5454169107cca0d308cde42a5b9f6ba827cbc71a1cc428b6d4c7d102e859669c2d5e2973baddc6375364a1c1c61

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
231KB

MD5
8dc8736a1c2601fa01e27fe11df85408

SHA1
5036c69bfa33eae9d9c72abda8a46dad837f1d9e

SHA256
d51d2fad68f84370c27d3a114a2daf4b1d525e4bc941d09cae4dd4ea1bb1fc64

SHA512
9edff30c07a73d28bd74145be2dfa42b9f64e19255ac959cff0d466fbaac184e64110367b326496cc55614fc72a0326e3e8ca153a667600c7bde1c3ad91bfaf8

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
227KB

MD5
93b459a5c0fa23326e4e200c1969ec70

SHA1
4c77f757c3b25cec497249c69bc1edb3f4418be8

SHA256
cf277b802425330fcb84abbdbdd62d6aad417daed7bc4d60490365db893ff35c

SHA512
6269afb53e3a9cc02b4e1755aed31b17465adfc8931c181c68cb305d9af2bd9c01246d70252d2b75d3c39c2ba2562b9ae0c7d3c30f07d0ec83987a427b2ab8b4

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
15KB

MD5
a5e98ec523df68f80d57dcecb7400c62

SHA1
13cddea5d7429b25a912384d7fed9ad44fff70d2

SHA256
86e2809715a2abbbf4778f8a4209cfd35b1638f351c99375c398a289ce3700f1

SHA512
21b02e704b63cdebbf9212bb26cc7004615cc6b1fc943276a45f7633204232c2b0247d2569ac84ea2c30a1d31c160e1093f767df5c27ed72138fd7c98d9d6fbb

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
462KB

MD5
8733a054287957d4f6fae80d9cd35506

SHA1
2a45d85541a81bf275c0423822620322133b0603

SHA256
76aaadef5ad265947635688e24247ad49ec7f95f49d2b36f124400397d5c1561

SHA512
1cfd8ed96fb25222cd50f8635aa03a756e996e95134962dfaa39f13f1849a2778bab2fbd58463ef8ef4ae526ddb85c485259b3e66aa6e06a750cfd97a06abf73

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\f8d4f97f-5c98-4905-b2dc-3c13a7b28e6b.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
290KB

MD5
ccc7d187238c8ff57947ed9a2895745a

SHA1
797ce2a1bc6ea75dd51599a8ec7f40140839fce1

SHA256
687a29ad5302abae497ba1b52f068ff988c3c6d2516e888ca192c18420d00d55

SHA512
737096fe496ba8aa4f67376ca3cb4a82d33b89eeb4286f582f8dc9c5c030025a383b8167f5eaf8495fb94c23b9521780ad37ac66cd0a1e8d61ff075d027dd4ee

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
240KB

MD5
f05b1904a77f50611cb8a2e2d508f017

SHA1
7abbe4fcc2b6578d54cd77a816a76d29e584e135

SHA256
db753272572457cbd94420b93ed5a0772f4acf2efd3a70cb40ae371c5974da2f

SHA512
2551c009bd54392489cd63f1292f1c99442325614b38d15a1f441f2587c3f4eaad08a4ff0d5dbec12c0b42e91ca584aa2286ea963b48d0846af59011bbc4df94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
11e5b848083ca1c7c3b0b6e38065d219

SHA1
8c080b8fccac5b53c800ca9f28557998832ef7d9

SHA256
2602060f155395b394b10929bef56a70f94a85c94cfcb0a219fd4a5471a08b4f

SHA512
b76a646a090a90bf0146620b8fe90e0c77c567c2e2c6e35ad2bc146acbae9324e82afabe6cd2e42cfe267ce49d7bf92fd5022244b220083bd6a5b8c9e37c47d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
60KB

MD5
606edf4ec4b6f4ed3b94682d9cdc0897

SHA1
265563144df48aabd5aeaa1adc170c0af9ab2539

SHA256
48e1a1749447bb81de29381244e760aa6129319b13aa570b1593ecf3e2a393c0

SHA512
0b01c1832d052b454ee4d95b67e6b05ed0cc23f41d747d77e7a1c3ba1754a24bebb6fcd017cd93599990fba977325ed891c38221c744f8f70e41b492039047ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
e9f8b4b3e7ec7350d4d64f1e8468d2e6

SHA1
1f456b00ce513cb7ec397053c9947cd675a61619

SHA256
a7144bae09ece792913c15b928f4024674534b241ac314682431d0a03853ad27

SHA512
ff0af61f9022c168deff0a7be29d6efa1f42589dbf2adb813c6fb6f82b7e06545368abc028d9d1bd1298212cdf471037a942c2bc77dc1d1b72d1c0c4a2983ef0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
8017f743ce88ba2ad3878a45a0e715af

SHA1
fcd96299a389d2a43eeb210764d32d3cbcac087b

SHA256
528b87bc8414c07cc97c7876374a555f3e97f9e6c2bb939516aabd681bb2c638

SHA512
23125cea3fc53a20729ec5f3a62992570fedda986d0bbdcd6bc10dcd01e961363953a706e044c1d98a2f59d4ab5398d14854dc99c351a1b0b619d55f054f957f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
82c5a989b79ab7e92d3e3535435ae196

SHA1
38d2b7352141ddf8de8a1bce4b35c0ee090d3b6e

SHA256
c10928fbbcbf37847a479b73003beb19e23c042db657561d8bd4a3e876c3c33e

SHA512
0abc340a53b6146ac6bc3e1f0d7fa4b4fc98f6a68ee3116929fd43d2f0192cc71db86b8cb9cffac308d40c119752e239bc2dc60358abef19c69f6fdee48b109b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
7023238d225a20711cc5f2b18895e2dd

SHA1
eec3b2abd5a13bd0a046586b8bce07c6d006d889

SHA256
a4636314dc367ded34701a2fe9aa16f202542bf794d69a8fdb49a171aa7d80d2

SHA512
383d4cd5d462412fc6ea1ec13527e36dcdcae73604d19c325142796821b20c88ce00845310325cb3abc39770ff3cc404a6e6f6a9d738ee2bf506efe3c3c87947

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
d599587775fad30b6e63ca2326019131

SHA1
b131f424ce8c42ed2c81a8c251aa6dab7c40c5c1

SHA256
b3cc035842e3e5673651fc445d54f6743d21839efe26b7a6c53c533c413eff56

SHA512
60c00b79db75d3b7927942ef4deed291f55fa3af4926b12ed80524482b3a7c1ff35fda4202e7907aa939a86260a2f73d1d1a87dd2e24189a30fbb25bd357f0f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57acf9.TMP

Filesize
2KB

MD5
616a76605469f13695028f2073d527de

SHA1
4747806ef70cc3f1dc08a82ff337f3ef5dd3fc6f

SHA256
e71a0c8518e42b16fc405f900e766e4f6af5aa83a0caba142f7b1fe822ed9eb9

SHA512
60761688a911f57a0e328d87721e14e2635fe7f58dfdf7fd2381725a48621ff36e6f2e274692cf3b9327782876af60239f0de37fd369ca689a1dbfd5bd4ea467

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
a1022791f479dd1b3383160fad21c4fe

SHA1
d2a5585aa1442aedd415217bfe0aed522a82097f

SHA256
23571a4d917f1127b1a1319ed7f4aa1b2f8045a24f4a9aacab2faa064bbb5c96

SHA512
6e5a85fa9d7c1b656f7d034802e183d11dfaa35a8b8667878becf9aab554451487aa8a421bfa45ddad91af1220487a614235373fd7904d0cd49dcb4db3a0e88a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
51KB

MD5
b432fa6a8d6bf48a127d852df6b1d225

SHA1
315c3daf9060a016621328cbb694cdda7be77b9b

SHA256
bf610dcaaf1f37b6e35004027ab4bff32c9749d3e41e831dc0deff15d6ca99e8

SHA512
37102a797b120e0a96a4bc6e1d276652554533ace0ff427b219031286086dcbbf82068975e32132f5bcde1337da0ce6041e1535bd4390a63dde9f483aeac893a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
6288c95db687084f8ac210a694342dc6

SHA1
5354bb19584c6ff4c6b137cbb9dd23ec173e1ab4

SHA256
c457d26ef64e31f596041a98a1a2cf30ad1fcc782bd910d15c152b3da15ab27d

SHA512
d45658cc929b2a5d997efc717387772cf6744c370b86a086921e2caa10b54b54166fff79315177122a752a2032bd679ad8ee5492a693a1bdef6ee8d404a009dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
be3673356a8a580eed70e892d86511d8

SHA1
38122aa487b36fef91bb70df731d5d4a404d1eee

SHA256
86fc2290e0b555e626a246d40170dc91f2d3f16c2a56af39ab164be5022e6cbc

SHA512
3ea666c11a359fdc94639fc9c61f8c9f4abbd92569c33c2b4c50ff10e2864438b81af9190e6e3f48339f7941b0cc9c777ba38e3ed2c82d2e30f0882fc7aa4255

Download Submit
C:\Users\Admin\AppData\Roaming\ad702baba5bf65ce.bin

Filesize
12KB

MD5
8e7c47fbe7bab2ce82e82871e1dcadc5

SHA1
4cc591a416b28ee5161947fa3959f28c3f30bd48

SHA256
dab2aaf7d4ebca85c010db58e2571e8c5bb18a1c4cbdddd85fe2f9f177bca09a

SHA512
e151b3623eb9ada049f3a6847f49d4388324a359f934c9a52cbce8eb02a116526caacca2f86171cc057a61361f0e4c56e6f6a003c6b9d28be1ca36a51e944155

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
258KB

MD5
a7e33e0de18baf1994bcd76af7993f97

SHA1
8e22fb2ef6c29f0b46fd53eafd882cbff2f05422

SHA256
c276a4b0ebf1705bdc5376303fb5b463c5db235929b1933ddb99ab65e873001a

SHA512
cccd3fabace19e7eb317e7f910e8d4823a1ae2da0aae9bc107dff8352e712e67a5f6f14a97f9466f76e75f0ed4cc96d2067d0c26225f229884b4c124c8eabf8a

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
60KB

MD5
d12e49a7315f3ff9bf330ca52fd0a5df

SHA1
a536fdadb83a82d2af6c216b9a50a02462148553

SHA256
789175a4b8990b68ef026f19c52d10ec0e22ec071ddad2d32473ac78141ce1ca

SHA512
5f72d966cb2a09a3218deabd1c6b889a57a47544b43b228c86ec4ffd701cc85bf52757edcfb94c420eee4c9cede8774c33301f56e561bf611828ee965b339eac

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
76KB

MD5
4f1529569fabde8938fdcab3ca1caaa4

SHA1
3d75cc72488bde81094aa50d155d122cf4cf464b

SHA256
f0fe1a72f7cb51012850b5b928e7357dced69f0437c0f1a8ed71cbb6a1d3d201

SHA512
857cd8acb0f3a1576c4f226715f8bd7fc46ccb198fb30ef123c8aef256a39097f112ff9b7e73a0600c02045916793ecaaa407014e576a571900fdd07887067fa

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
640KB

MD5
f9f53e5611538fd08049ebabc9cba320

SHA1
134d904e3a152e8b870fd6e03dcc7316cbafd075

SHA256
f11a0ee87e86a904d8fbf4e508f3e1b4f6d4de358c4af4617183cd973acda30d

SHA512
5520a00dcb4c5c3892cf4598517dd3cc0ab2c1cc57c08b2d8b4ffa310f72bcb156fba5b399816a275dc6423bd4284e26b6942a34c78b09fa83c021dddff3d133

Download Submit
C:\Windows\System32\Locator.exe

Filesize
85KB

MD5
7d8e2b3755154257c1c104554679d1f0

SHA1
e112d36de83251c40e5d070e7b37e674389f6ada

SHA256
0411f898152b9510b8a60a09b77c4e82c0abde8b15812cdfb326634694c0e144

SHA512
fe2e5cfb8960582c279d4b8f44abc518ec0e3f56e7a0a305b4e050e65ed66b2f9b4f9f1d81aa23d2fa75382b21fb5f423bd74b56fce5f99df799381d8531f318

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
178KB

MD5
9f4569826f177e53418814ec24f733e5

SHA1
a439204fb684ca650be4aad528464a69739deaab

SHA256
eddd453fa17cfddbfe2dcb6e1ba8a72e112126741985a11d42f1d5f2a559364d

SHA512
09e6a9927b1ad5271ac649aac831d8d0932a3263f3a86b94ba8fe7920912eb98556d0fba4e97667c213e457dc98b9ee439e0dbab32ce218216806a72d2a5fb36

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
68KB

MD5
342c2a0becb9cef121036a586f1d9dbf

SHA1
0135c0d074715e5952dc0697acf3f5bdaafcb379

SHA256
d71d2e9938083f6a33e7c6550ffe37164ae5c883d9d31be2658e3646ef7493d3

SHA512
9241fb8bf7ac5634f8b739cc196a19fdd983456662d6743f6809d52183bccc061674a57a1f74abc2ba61506038718a6ded9f6341ca20eac4386392a210a3f6a5

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
184KB

MD5
326dc9b8536bfca143d32f48f1f0152b

SHA1
b535b558d9d5760ab855945f15e4219ec7bc3d55

SHA256
6c9195f805ae62e07626d057e3c37edc82f85b1f413450f617b781df947a2f61

SHA512
0ff536ebf97db82e44cb3c976ece08ba22643ebaf0c1722a41a2ac93424c15ba69f5ce52dbcd05c8b54eb96887630a8a2017d489546c309e5d19691c57569933

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
35KB

MD5
c41961e683b0d1d751e94e948e1fc889

SHA1
643ac2ec798681131550d301dc5eae0c41aed0d0

SHA256
455a9c80152eb667dd0c56662ecca4ff4e3f31f439c4544109c2b0ee29cbf6a7

SHA512
1eff2b9037ad7837087caf95d75da0727e00060495c372920e73c31cdd38f096ac233c6cb6536dd69c5c0a0d35103d80a4a03399a8200fc83d2b9e763e6c0492

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
520KB

MD5
f016f4336460b091684eaf45a2b00e3f

SHA1
372ab3002e50701016274c2ea41dd0d5ce2d9e00

SHA256
42a19c2731d0a7fe525754f7322045039e98a5dbda644fe7a45430b0b9ca6666

SHA512
c9759407c58eb8a62ea6f4338b0b03e53cd6818efb873610c200d6aee4d087cae9d1df41fb9a501eb93e32257b1373c8999e36d43291e194091269dfdbb39671

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
323KB

MD5
130337c2998e30f1dede222bd5679225

SHA1
15b7f24d3d02a3475b15fc6d3a4fe442cd731cfe

SHA256
5e64ed57188dd2957c4d91500b45a54b79edd938346cabe0caea5acdc41a4f51

SHA512
aea7f10fd08e0764505854dd155523fe7ff898823fda8e07f75ff3a7b11c13fb199cfd5e984f5e0b75fa88de73637fcf174bb8736dc65f21dc3c69d132814c94

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
148KB

MD5
5ac3d267edec0993163245cb17de6ba3

SHA1
41847e36bca4077c86c01d3c8831f37fc5718225

SHA256
1aee35afa54ed4e0ba4ec20b48e836f3e0cc89c88c166d4fb3575d8d8bd591cb

SHA512
ea4559d087650812e95dbd80b42f7bce22ed241fc29b8e5976b45301573419b7848236df41fe66b3f955002b539bb8766e8f787845090959141988ede3e95990

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
26KB

MD5
c07cadde88be66ce3657f6e2dc465484

SHA1
9b0ca4f5e6e6eb0115e0e28a3d1fe72c7e18f317

SHA256
0978a271a46cbcdd079e855aac9347d467e9634dc16cf748a5338901f5d2d2a6

SHA512
c1555edd81dbc888e8a14976f59f6dd9a292314e58763562819a968c9483424333175f84031df3f6a6a10246bd03338a8a3cfa5195d283b0501799310ccc68a9

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
29KB

MD5
e57cb92390630dde0f12e2310391271e

SHA1
71cd6dd6a32c02e48035815ee33ad0276dc31af9

SHA256
060c061dab1a44c148bd25edd1704db22bec8acdebc0e753d5bacf04ce742b6c

SHA512
1ae2704c6e2ba8ef7f9e313ddddaf8a400f7788ebaca2b533f0e48daa914ea29f6734e3e1d4d6e38940c137167e5ec784214c25b0ac08c5de46a913e5dacba90

Download Submit
C:\Windows\System32\alg.exe

Filesize
544KB

MD5
d16fb1fece7a3bf08c680edd2ef842b8

SHA1
64d6a105f47c498292c1ba51ecfa3a523a8679dc

SHA256
1a136d4cb5e6c70251c270e0721a585959b8c5202ed97cebc93a3e5db18b1ee9

SHA512
4dc0ac2d6307f3e326c0b20e4d499d66311da901cc29670eff077648105bfaca16e107e5ccb66e409b56b321116aad76158845a5d0068ea2c497b8b45c0566b9

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
47KB

MD5
48a5ba9189aa75afd2776a38485a0d2e

SHA1
0fc995df7c73b323bbe377fefbb0769c0e7bd648

SHA256
864f14e8cfa7f8fe5fa1a4d7ba0639f8db309bc180007cab97f054b048e2822d

SHA512
1a8400784a91ff3273f41e85035ca82c95a50c10d8aef0770519f94e69966c4fae50880bc8aa272edbcad77411d9001fbdbdfe665880a9ae5ebb86ad07233f02

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
117KB

MD5
4acc39b7a10adeecc4f541e3965a5c3c

SHA1
0dafe0ac4e81ba743090f15b64101a064d0d8c29

SHA256
91a5bc9bd45b21acdb3f9bb1869eaed4165e2b09f0895a400f6a907fbdcdc364

SHA512
87fe0b1bd129261caa0fa6287c038d1a53793bdbdb130bd3333ee620d9f7cc0285e5876ecb9285b2fa5ca554dc8813fe72873a37a90131e74fb68cada25cdf08

Download Submit
C:\Windows\System32\vds.exe

Filesize
150KB

MD5
5a88db8e571129faaacdd4c55b781f30

SHA1
20fb02a436ffd2003ee098af7437448702ce146f

SHA256
ba4a869f127b222a8ca18c016e7a6ad3f40181b3a673456cf60eca52d9b53457

SHA512
bcced8b86221829e29895f0f670b1d92d9d30ba9dd794c43b0f36a655e03fe9613d79532a026745f1253f6bd1dc173d1f4ff8c0260ec45848296b3e2a4e762fa

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
54KB

MD5
52981b51ed1c09cd8cf8a0cbf5ddd7ab

SHA1
3d2f05c920ce41a9eaad12eb7b1ddaa41822fe79

SHA256
8b949a315e32607ecb978673d808610e845938f1610e71552c8f6e1270742d7f

SHA512
b7bdd0d60dbc566fe24baed6025def4ba933bc663a406a3867b06a5eeff61977883da3644fe5a8803fcba42332657b41bd1f708333372ce4561f364c9531bbd9

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
211KB

MD5
c4d025467c7b1faec865275d4ef60e1d

SHA1
e34e1bb2582001d42cfa53558a8292457561d53f

SHA256
0ba8c07a37d041cbb8f133315db70e4682154a9165d49133914738eed23891df

SHA512
4ea638a312c918ba00067d65ade97760393dd8e94334765fc541e1fbc53ec4b8c0f1691e12285ab1183b3b71b8d6be1420c04cca42c2fb6b495ddcf72d605099

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
83accc18d310e90fa2b0506637cb0dd9

SHA1
f287e057029b7ae8a0e579d361abbfa061a46e97

SHA256
1a05a07f1405e88d39040b589086b4110e054ccd88575cee9e6f1fceb399ada1

SHA512
02360f26fae07c5f14b7e8ce3f26b4b4c0b1455304f2668680fe671330b752d7bac655b498300173db95137c5ac9e8ec218552c533f3cc6afb1a2c08f0aeaa82

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
365KB

MD5
8404e22c391d3ef007b96f7ed2b72441

SHA1
a110d81d633350321f9d012fae63ab39bc3a9b7e

SHA256
fe25efdeacef9c5cc7e2c4c32f562faaf529bbf671387f970b1a03086b3d48e2

SHA512
264ecc7ce8f294408f06493cbc9333c45de12771a031dda328d2e7ee1f1b1c5491229fdab5753c5a6988cab2afc6134528ce2b6c19bb5ed2c7ed0ac2b64f0d38

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
494KB

MD5
ddc3668636d808a20ee75b7365d13fc3

SHA1
93519382fa4911d11980eeaac159e6eed9bee55f

SHA256
a4faf3e66e1991cea7c9fc5e3641c2eb2b50d83b1033b6694c18f6488a465ea3

SHA512
770f0fcc9b5ba2883785e37fe8c0d2bf17b1c816590e0aaeee86ed97365f92cb8bf77f9a5618cd739eec2a14b2ef674b1014cfa5d2952564e5a371d0b13ccc0f

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
334KB

MD5
de758215efcc1c79bd0ec96d2aedae15

SHA1
87810ba98cb4e39345434a546322a6fe7ad7801d

SHA256
c3e3b9aada17be4df832b52474ede71edfd37406795312841018a2a40ca3dda6

SHA512
c47f9b3459e3228ab573624156f1a29a3f298b437f4d4bcae693187bf0120357e1d61bee977eda47a0449c84f3609a3218c993d4b3f8f0e1c181b946f0e34345

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
343KB

MD5
11b11051ca3909a2bf12ad20c9771fe6

SHA1
62b73a1674bc3b83010ac623af096923f63fb389

SHA256
bfdb99f53c2ed3a273348d4ef3d2455ef577713201c93cf6e72c198d308c54d7

SHA512
aa9723531517e58bfeb64d24a869d901c8300496c9d18380d4d1cee2690791afc4bbf4d94e180676413953734704f5c34864d2a72155344ea3124270d8bd6900

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
381KB

MD5
c695d65624986a42a8923d12f70dc67e

SHA1
9f94b054806a863df2417aa660cf29a7534d48bf

SHA256
6c493e5ebfd5a6a3603f92f1603187c3134a13f4e9dc54d7a00d07f408363202

SHA512
5f5655d953617da4db6aab4e00d41d7e6cbf6b1cab8e7209ce88badcb8cf5ca09cf487d1c718f61ab8d33b248e615da71c656712f8034a85cac245adbae2965e

Download Submit
C:\odt\office2016setup.exe

Filesize
344KB

MD5
94c9594ef2ef598cbee5f180be9de27e

SHA1
d58da3be1eeddb82dc42607cda35d7869e8f70b8

SHA256
78afef8c3bfdae818937269cb834543a4bcc3f2e8f8714184641bd7095ba1d14

SHA512
e3e50fcc588e310ac9a09642800f84ca93a28541a462cbaa4a96e0563c82983d9a85106bbb53191461dc1ea81842db8cb60876f594dfe50a77fbdf2a5602358d

Download Submit
memory/1364-143-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/1364-136-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1364-214-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1656-128-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/1656-127-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/1656-118-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/1656-112-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/1656-107-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/1772-89-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1772-190-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1772-82-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1772-84-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1824-75-0x0000000000ED0000-0x0000000000F30000-memory.dmp

Filesize
384KB

Download
memory/1824-79-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1824-63-0x0000000000ED0000-0x0000000000F30000-memory.dmp

Filesize
384KB

Download
memory/1824-55-0x0000000000ED0000-0x0000000000F30000-memory.dmp

Filesize
384KB

Download
memory/1824-56-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2268-365-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/2268-286-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2268-278-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/2488-239-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/2488-324-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2488-231-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2732-198-0x0000000000600000-0x0000000000667000-memory.dmp

Filesize
412KB

Download
memory/2732-192-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/2732-258-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3248-123-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3248-68-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3248-124-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/3248-74-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/3248-67-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/3280-50-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3280-43-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3280-44-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3280-134-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3680-18-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/3680-76-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3680-13-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3680-11-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/3768-245-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3768-340-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3768-254-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/3932-297-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3932-224-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3932-216-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4072-243-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4072-179-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4072-169-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4132-276-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4132-210-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4132-203-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4524-23-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4524-39-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4524-108-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4524-22-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4648-163-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4648-154-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4648-229-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4944-1-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4944-0-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/4944-25-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/4944-7-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/4944-30-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/5060-352-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/5060-267-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/5060-259-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/5308-321-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5308-322-0x0000000000B70000-0x0000000000BD0000-memory.dmp

Filesize
384KB

Download
memory/5308-315-0x0000000000B70000-0x0000000000BD0000-memory.dmp

Filesize
384KB

Download
memory/5308-301-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5516-334-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/5516-327-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5516-559-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5608-341-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5608-347-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/5736-355-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5736-362-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/5836-368-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/5836-375-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/5944-392-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/5944-379-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download