38a103032817f57355815e67a33c8ed2cd9f50f5c66ac934390126aeb41af25e

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2024, 06:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
Size

5.5MB
MD5

bf1845026cb505a9c4d67203996bf923
SHA1

db9e957dd7dd7a4237b490b5e8b4da225385de1f
SHA256

38a103032817f57355815e67a33c8ed2cd9f50f5c66ac934390126aeb41af25e
SHA512

a7b3ec1968cc06dba6361d6e6a32edf4313bf8de979cff1b2e39bb0723d4de6055f339596b8a8aae106cd4860c82d479382c2c343c026aaafcce81afe9bcf57b
SSDEEP

49152:GEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1bn9tJEUxDG0BYYrLA50IHLGf0:8AI5pAdV9n9tbnR1VgBVmrD527BWG

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 21 IoCs

pid	Process
4224	alg.exe
3556	DiagnosticsHub.StandardCollector.Service.exe
4112	fxssvc.exe
2152	elevation_service.exe
5040	maintenanceservice.exe
1160	msdtc.exe
2792	OSE.EXE
2184	PerceptionSimulationService.exe
4100	perfhost.exe
2508	locator.exe
4700	SensorDataService.exe
1808	snmptrap.exe
1576	spectrum.exe
1124	ssh-agent.exe
5132	TieringEngineService.exe
5236	AgentService.exe
5340	vds.exe
5456	vssvc.exe
5596	wbengine.exe
5728	WmiApSrv.exe
5888	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ef3cb7a4a5bf65ce.bin	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_108796\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ee1265dd6a56da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004df8deda6a56da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a2cf15db6a56da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009d6754dd6a56da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002c561fdb6a56da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133514155747201109"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000792405db6a56da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000063addedd6a56da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000076feecdd6a56da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d13a07de6a56da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008e430cdb6a56da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
4672	chrome.exe
4672	chrome.exe
376	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
376	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
376	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
376	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
376	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
376	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
376	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
376	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
376	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
376	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
376	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
376	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
376	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
376	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
376	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
376	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
376	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
376	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
376	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
376	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
376	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
376	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
376	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
376	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
376	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
376	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
376	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
376	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
376	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
376	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
376	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
376	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
376	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
376	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
376	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
4192	chrome.exe
4192	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
680	Process not Found
680	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2616	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeAuditPrivilege	4112	fxssvc.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeRestorePrivilege	5132	TieringEngineService.exe
Token: SeManageVolumePrivilege	5132	TieringEngineService.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeAssignPrimaryTokenPrivilege	5236	AgentService.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeBackupPrivilege	5456	vssvc.exe
Token: SeRestorePrivilege	5456	vssvc.exe
Token: SeAuditPrivilege	5456	vssvc.exe
Token: SeBackupPrivilege	5596	wbengine.exe
Token: SeRestorePrivilege	5596	wbengine.exe
Token: SeSecurityPrivilege	5596	wbengine.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: 33	5888	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 376	2616	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe	84
PID 2616 wrote to memory of 376	2616	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe	84
PID 2616 wrote to memory of 4672	2616	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe	85
PID 2616 wrote to memory of 4672	2616	2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe	85
PID 4672 wrote to memory of 2132	4672	chrome.exe	86
PID 4672 wrote to memory of 2132	4672	chrome.exe	86
PID 4672 wrote to memory of 3112	4672	chrome.exe	93
PID 4672 wrote to memory of 3112	4672	chrome.exe	93
PID 4672 wrote to memory of 3112	4672	chrome.exe	93
PID 4672 wrote to memory of 3112	4672	chrome.exe	93
PID 4672 wrote to memory of 3112	4672	chrome.exe	93
PID 4672 wrote to memory of 3112	4672	chrome.exe	93
PID 4672 wrote to memory of 3112	4672	chrome.exe	93
PID 4672 wrote to memory of 3112	4672	chrome.exe	93
PID 4672 wrote to memory of 3112	4672	chrome.exe	93
PID 4672 wrote to memory of 3112	4672	chrome.exe	93
PID 4672 wrote to memory of 3112	4672	chrome.exe	93
PID 4672 wrote to memory of 3112	4672	chrome.exe	93
PID 4672 wrote to memory of 3112	4672	chrome.exe	93
PID 4672 wrote to memory of 3112	4672	chrome.exe	93
PID 4672 wrote to memory of 3112	4672	chrome.exe	93
PID 4672 wrote to memory of 3112	4672	chrome.exe	93
PID 4672 wrote to memory of 3112	4672	chrome.exe	93
PID 4672 wrote to memory of 3112	4672	chrome.exe	93
PID 4672 wrote to memory of 3112	4672	chrome.exe	93
PID 4672 wrote to memory of 3112	4672	chrome.exe	93
PID 4672 wrote to memory of 3112	4672	chrome.exe	93
PID 4672 wrote to memory of 3112	4672	chrome.exe	93
PID 4672 wrote to memory of 3112	4672	chrome.exe	93
PID 4672 wrote to memory of 3112	4672	chrome.exe	93
PID 4672 wrote to memory of 3112	4672	chrome.exe	93
PID 4672 wrote to memory of 3112	4672	chrome.exe	93
PID 4672 wrote to memory of 3112	4672	chrome.exe	93
PID 4672 wrote to memory of 3112	4672	chrome.exe	93
PID 4672 wrote to memory of 3112	4672	chrome.exe	93
PID 4672 wrote to memory of 3112	4672	chrome.exe	93
PID 4672 wrote to memory of 3112	4672	chrome.exe	93
PID 4672 wrote to memory of 3112	4672	chrome.exe	93
PID 4672 wrote to memory of 3112	4672	chrome.exe	93
PID 4672 wrote to memory of 3112	4672	chrome.exe	93
PID 4672 wrote to memory of 3112	4672	chrome.exe	93
PID 4672 wrote to memory of 3112	4672	chrome.exe	93
PID 4672 wrote to memory of 3112	4672	chrome.exe	93
PID 4672 wrote to memory of 3112	4672	chrome.exe	93
PID 4672 wrote to memory of 664	4672	chrome.exe	92
PID 4672 wrote to memory of 664	4672	chrome.exe	92
PID 4672 wrote to memory of 4860	4672	chrome.exe	91
PID 4672 wrote to memory of 4860	4672	chrome.exe	91
PID 4672 wrote to memory of 4860	4672	chrome.exe	91
PID 4672 wrote to memory of 4860	4672	chrome.exe	91
PID 4672 wrote to memory of 4860	4672	chrome.exe	91
PID 4672 wrote to memory of 4860	4672	chrome.exe	91
PID 4672 wrote to memory of 4860	4672	chrome.exe	91
PID 4672 wrote to memory of 4860	4672	chrome.exe	91
PID 4672 wrote to memory of 4860	4672	chrome.exe	91
PID 4672 wrote to memory of 4860	4672	chrome.exe	91
PID 4672 wrote to memory of 4860	4672	chrome.exe	91
PID 4672 wrote to memory of 4860	4672	chrome.exe	91
PID 4672 wrote to memory of 4860	4672	chrome.exe	91
PID 4672 wrote to memory of 4860	4672	chrome.exe	91
PID 4672 wrote to memory of 4860	4672	chrome.exe	91
PID 4672 wrote to memory of 4860	4672	chrome.exe	91
PID 4672 wrote to memory of 4860	4672	chrome.exe	91
PID 4672 wrote to memory of 4860	4672	chrome.exe	91

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Users\Admin\AppData\Local\Temp\2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-02-03_bf1845026cb505a9c4d67203996bf923_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2e8,0x2ec,0x2f0,0x2e4,0x2f4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4672
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb7e109758,0x7ffb7e109768,0x7ffb7e109778
    3⤵
    PID:2132
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2192 --field-trial-handle=1892,i,2620488538509023519,539887870416122313,131072 /prefetch:8
    3⤵
    PID:4860
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1892,i,2620488538509023519,539887870416122313,131072 /prefetch:8
    3⤵
    PID:664
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1684 --field-trial-handle=1892,i,2620488538509023519,539887870416122313,131072 /prefetch:2
    3⤵
    PID:3112
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3076 --field-trial-handle=1892,i,2620488538509023519,539887870416122313,131072 /prefetch:1
    3⤵
    PID:4748
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1892,i,2620488538509023519,539887870416122313,131072 /prefetch:1
    3⤵
    PID:1632
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4648 --field-trial-handle=1892,i,2620488538509023519,539887870416122313,131072 /prefetch:1
    3⤵
    PID:4964
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4980 --field-trial-handle=1892,i,2620488538509023519,539887870416122313,131072 /prefetch:8
    3⤵
    PID:216
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4832 --field-trial-handle=1892,i,2620488538509023519,539887870416122313,131072 /prefetch:8
    3⤵
    PID:4300
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5108 --field-trial-handle=1892,i,2620488538509023519,539887870416122313,131072 /prefetch:8
    3⤵
    PID:2324
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 --field-trial-handle=1892,i,2620488538509023519,539887870416122313,131072 /prefetch:8
    3⤵
    PID:2408
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:5048
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff6e2fe7688,0x7ff6e2fe7698,0x7ff6e2fe76a8
      4⤵
      PID:3268
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      PID:3220
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4880 --field-trial-handle=1892,i,2620488538509023519,539887870416122313,131072 /prefetch:8
    3⤵
    PID:5096
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4004 --field-trial-handle=1892,i,2620488538509023519,539887870416122313,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4192

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3556

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4224

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2572

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4112

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2024

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2152

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5040

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1160

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2792

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2184

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4100

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4700

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2508

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff6e2fe7688,0x7ff6e2fe7698,0x7ff6e2fe76a8
1⤵
PID:1336

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1576

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4384

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5132

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5236

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1808

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5340

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5456

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5596

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5728

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5888
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5800
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
299KB

MD5
5170b886ad29bc2fb9783c8829019733

SHA1
05f2d4401029d60e495054c39d87bf162c0301fb

SHA256
585e645c3a1ca1b8318e8ae71e75c5419f2bf9395571fe3df61906434f1678ed

SHA512
2995ff77b70aeeb9510a291d6fa1a4d68621c2dccc34b6dd7924b2b8c926f02108e979321ab078a6f6ff17cf920cd39dd30dd45ee454b30d8c00ea8a58a27e05

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
3e8d892940047f08726fc694b63b1323

SHA1
0035ad20cf09fc3d8145e74f623e5882433e6e8e

SHA256
b0f85d19d01fe2d408eebf8b39f082d4428163a41444b7d5c4f87684cd8f82fa

SHA512
f1ec34f5f7880486aad0dfac2442d983ab181e034e12a2357e3dd3dcf00e91c03b13e25784745bdce97f48ac4834fce70c4dfd03e679b37eb77968849de5f2d1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
209KB

MD5
f4693d6818aaa4b750b33a840503182c

SHA1
bf332d3765b61df93e5087ef1fd6195aa479f1cd

SHA256
713c7845f0d0aee77a0927f979318ccca5d1efdf90b94eb69bdd6e6bbe9f2b59

SHA512
ba52e108ff35b53f1415f221e0b8e23be0e14b72ac0aec26deb3a1b85ab863b3cf9573666607eee941a80a8f16ad3326cbb8bbdfdaa1aa858ef2dc0ec2d6c8d1

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.3MB

MD5
d0c22527bb5e13d79e961af08ac6b703

SHA1
2b3eb61dcf65ccfb8e5d98c7c1772f2f9c08938b

SHA256
9b4ab481eb6b4d5f8b9a8fa344919c20efccc1ebd44cec104beed5d9d99893e1

SHA512
ed71d3f2704852c92dc72a972eeff04542703b7a5a9666263b5999ac53ad18207e023262fb5d1e10432b2b9748c5f830b9f50652a2799c4568ef17c9ccedb455

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.0MB

MD5
df34db4cbcf93bfc8a850192f8bf3c7c

SHA1
67dd2967155b8b9049c68be0065e1fe77204f71a

SHA256
fcde1d453e6485943e0f435c34c010d907eb4a7e6af7524f1b32e5c104fe6ea3

SHA512
618f7f0f1b26240da1a9d5ab45e67f9cf03657bf4ee54959f6f390a898a95282714e7bb4f9d83e605e397d15e53b95e15fef7f2744e3119887a6c1fceb933f58

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
9bf241c6b72e026b71600bd79f5a3823

SHA1
00d1d006f511c6b52c4b2563107858bdf83dc483

SHA256
b549ff0f1a1054d5c32db4c534affb917aaad5e9b21236f520a687baa1af9ced

SHA512
f1b3c21b8d6c05cf33a27618f39452a4086a2156893909a20e0dc1e7bf9442170d8263582fb846a5d179b2d03d30d0cb05036a6caeee7d286a6f7c478ac82803

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.1MB

MD5
9c37567a2191756129b3b8af05622dc7

SHA1
420d5be58f4444f73126e54bfe2d55f43ccc3ee0

SHA256
eb363c8852ba6d0e75e87f6cef2138b5dd4bbdd2227439281c42658a526cfaf3

SHA512
02267727f25dce68f469ed5c7dfe92cd456487f718606d7b643380edc58d563182e5bd88fac661d199204c07caba4afcde3130605027e7ebe418ce10e89888dc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.2MB

MD5
c78af9cf75c7c90f7e48f113d084542a

SHA1
be21ec33d41594a9f956e282a830eef8c5b4f461

SHA256
087a56deb72d15d5df7a39f7451646ad7fb61bce5e75c811df118780a45b7d9c

SHA512
93dfb0822f25859db33754f8da322f5ebf7e1b1c48ffe47a46fb1ffe30ef1a8ec0a5ddb04d4318ce1d8f31a661972e6a1d2a5032eda321f21037bfcf5a417fbe

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
1.0MB

MD5
d5a01f02cb68c127b5ef363f3ee0f77c

SHA1
07ae0b010850a07b243b558aa5a9a48bf204292e

SHA256
4f0f727a8e1d55d9cdaea76fac2108bd6fa485c4055023d1bcab2d11591ee456

SHA512
e850d4363101bbf0948358bce616c2e2a1839122762aabe6fcfdf474f6fc867c1a35feee197d5952af1b0001178c00fb6e6b17fe650c63e0a0ed2bccfa3ca5b6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.3MB

MD5
5ec904aa14c96741b5203e390554198a

SHA1
71d71506bf6a072d4faf7eb901512d2aac325180

SHA256
9069ec7f9f4430c36a91cf3bf9d960fa168a2f4d7072e02264fd2ad251e26358

SHA512
3cf6b1977d9a1242517604322084d85bd91baaaad0d747aebf5c07857381724557c35ad0cafc58b7455f2c2b017b05e4facfd5045295823e491f09215241c15e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
804KB

MD5
7a5d95bba3870ecce60fa1a40bc93e6e

SHA1
5f14ed648aa934e4e0740dee1369d60e2076bd7d

SHA256
c7f0016fc29fad197439043e0b76687cf48e4db36bed7e029a98d171d9fafb1d

SHA512
748fc5f1fd7d095bfc5a9dda88a052b11807da48a11ee263003438d8602e7fe6a01c82053924ee252462c86119b916fdacc217a3e608ced239b27df71187ed8d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
1.2MB

MD5
6754e9279a3b0b1df5b3e22b4f70a275

SHA1
e02d16689e6fe3da96fb70022558c5d86a07de19

SHA256
6b721b94b3fb53bb18f5e3c42a98fbc9326b86b49efa8b845fe39ffbc8e19f87

SHA512
429d43e8655339ecd7a8770ba543a97223d0be997dd4c983f426e13bf81e6f00b22942a11d9e36ae3ded33f76942f5b5c6dc735641f5eaf7ad88cebf3be4f654

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
f58a66b3e1996cda3856fa30bdd9354b

SHA1
00d5123afb982c6b4d9e234116494462d6a45799

SHA256
be588acdb47a658563a36babebcf7b4e221d2f58bf18b71c5111a3a6483d87e3

SHA512
c4a9a5272257490d5e73aa1fbe1266ec27984532088642f74630496a4d30020731180e7e50249fc34d8be0dfe0d4f2e9ddc0c980b122b90a0dc809778ec41ec7

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
149KB

MD5
58d4c0a405f003f5a5d51d6f4b10fd3b

SHA1
6a73fe0a255efc3df449811dfd866b70c04ceb1b

SHA256
cd124fcfc36ecc1dfc3c1c9902421f4a9963d52053a11fa4f5067a1ded684092

SHA512
52816d8aa127eaff655c114f437b55e5c4ae890a5b8acc49440d97046680dc955ecca411af8139ce7c26c0beae94d2ac6443f746102df13c068e1adaf40af8c2

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
690KB

MD5
964f3009fd815fcd93cc8c917ecf5798

SHA1
092e24d41cf767518c0ab34a75ed9c18f1bb14a0

SHA256
f0c1c1d26fdf96d11ed0676d697a345429d0570c182151d8733b8d27d81212bd

SHA512
4e854389e08b73d00080a1c3ae25d520d4763f1ff83e17635886ef351c12ee1146a6df02abb8b02a97bfced35cc7f93f2df22a43d11a0d4a6392eaaf48d9a836

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
860KB

MD5
5d32f65bdfb5b1fb1b6fc39143fa333d

SHA1
078aecc9ee88c2e3e4c025a9489e393c96e06f7b

SHA256
c24d87c4c5ff8e42a92e3d2735516cda9790bcd2554f3de05b5108edee2548df

SHA512
b126f2d3ecbf9d01c58326a9969199832cb0671062609be18f98dd4469fa0b2c04d0b9f56cdfac2c063eb905f197c1f6f881962c906cef3cbdff594919e1d612

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
687KB

MD5
cd04e0189377a9daedba19797ffbbe6c

SHA1
729f44a71e82663295be31f374972f49d680e09c

SHA256
31c6a84f180c4d9cb54d31d391105a6356ac8cf96d270438ce10a1d18e3adf4f

SHA512
b3706421da03702bc83145b2b1be0d334b446578cd802165524c7c55ac4a423eb63a2f4b5d282c65097bc6d304b080ede287f6c62937038a1f6ba218d5ea544e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
1.1MB

MD5
7865ba00e1362aed65543df17d3d4286

SHA1
7147a0ee2cb765377f1a66311f4f7c942fdc08a4

SHA256
a070cc7b6890f281bfe7ede50e41a8ec22344a39959dc028ab674d7e48833bfe

SHA512
87e62177ae9ef56355bac703f90b34e36492c689fb5e759d9dc284299c673b2174097ff89bf5cbdc39da6485f4dbdf49d08280eb41f910a41887e808afe86f79

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
946KB

MD5
1b33957526bd1b83affe49320f111ed5

SHA1
981db4b1d647da43329bbf8b1c888876847feb9a

SHA256
70b423d0a2fb2b8900626668199ec9ea6efeab286b1fe855878259f9ff9fde5d

SHA512
d3e34362859c02db19b23bcf185b1b0fe70251cbd78aa7216be1fab08ea7a158469a79ce892510c4e5ed97d36c952f5b381b38518d98baa24e679e52d390b8b4

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\c8e6a144-ccb0-435b-9587-25376d70efd9.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.3MB

MD5
e102c89e3fdb2080b76f37c30f54f5b1

SHA1
a7d624b830612ed69a524e9ec3f6cea30d24dcca

SHA256
b7b6041daf888efacbb3989f3733d91782f47c64214d0fc2e7693fa44c742fb5

SHA512
ff68a10e4c66e14d17e5d29238bae164b960a75c6f19cc674759a2bf191b9822b93d4feb00afe064d810d612ddf2b55d757cc8096dae4bf53c95aaaa09ff323d

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
756KB

MD5
a4cc1493d9e67ae6de94663610521e76

SHA1
2774de96a8c5a36ec461ef69b537e41ccae19787

SHA256
8007580be30be736565cb65b9168873a8e2c175c6ac3a16be7a5f7d7d2dcc662

SHA512
2dc775f090d41856c0783536a03a35ad568dbb02cde312565cbe9f8c4cab0fab28ca7cd323d3ef13d5a4edd494bf8e0c6beb5ea125795ea630c5e419868f4192

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
11e5b848083ca1c7c3b0b6e38065d219

SHA1
8c080b8fccac5b53c800ca9f28557998832ef7d9

SHA256
2602060f155395b394b10929bef56a70f94a85c94cfcb0a219fd4a5471a08b4f

SHA512
b76a646a090a90bf0146620b8fe90e0c77c567c2e2c6e35ad2bc146acbae9324e82afabe6cd2e42cfe267ce49d7bf92fd5022244b220083bd6a5b8c9e37c47d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
5KB

MD5
51ad001a8b3c615c25a487c16c16dff9

SHA1
a98916379c8d7cba05d90b4c60262baa3976a4a2

SHA256
11a60893f3ba2c2775863f936836610ba7b5f6726761c5b2d436a64f37ce00bf

SHA512
1a08bd739f0f9ae76659eefe3ebb0a734f1746feb231313f51e39b262b78ecc78c0ccf0b57adf1c24132bb935e3a810a5b4e8a084d8e14dbc3407a19b481c4f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
3430123c6eb96186fc5300c2a660f34f

SHA1
e68f5d6a70f7cf2758fce943230048048f883a0b

SHA256
004e0fff0b73f31f58f9d7bb03dd4a7333824301dab0fc682d6ee40a5dcf579e

SHA512
7298733e772352ae4cbbd84348c5704a5d46ec25c686f4cbab5fa78ef8307c0afde6e8f9bd87abce03ed8314c4b943ab494c953ec8a431eff26c5be7247e77d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
5f165d1b15849339b57f683535fffd9f

SHA1
0a41e5a1e0e4e2e246eb0b6869b109d5ae219bb8

SHA256
1d256af0e1612b6547e918d0c730f4074812af92b79b87530543ccaed61c3ba7

SHA512
c68d93faf023a582a6f63ff67fdcace32504926c9560194cacee940ace60f74422824b8395c473e745948f4c5227c86f2eb0812869c601890a7d842a20db6cff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
1b08ce2e2e726bf291e34d9e74cfdfd3

SHA1
72a0b0b81ef82d2213ad1ddcdcb6b692fd4a66b6

SHA256
3cf6cdbd13a992e367d4ac5080efdd50547e6355f15fa5beaf0582531d60e0ad

SHA512
6791d263283a05ecad8a99046e09a3015e83d05d4c2a7107d86df0bc1c0cb00d1b19b2057896de67326d1e166cc9364abcd486c1a8c9f7162bef3544b21e51f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
c56437029a3bdf17d85faf27988b1016

SHA1
1dc851a1e7752e1f4fe8f6d2aee0e6e73bf4b89f

SHA256
62b45a081b7eed4861011a90c652c6d415b3e58c0046f77d4ee321470043bb22

SHA512
e2361f7daac2ea7fb610336d199db13b6472df66ff5eecb4e97c1e317217e3f453eb8daf69bd218ba46ffbf572ec32ba423e2b2280e583f4060ae864f533b768

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
8cd965013801bd706037b12ae627f003

SHA1
3f65bcb95286a52baef86448e22cf715954d87e0

SHA256
f37dfe4ba214fa288202f6bc6b0433bdb3b86c9742f8fc1ae6518fc6ee11a28a

SHA512
9a7429f3df645945b13dc84a6bd0bfcb47aea68f9f0a69bf04fdfa31a34cf897b9a973e45972d835ba499133d796cb8e0e331f139b47c3cbd14b2664f116fe88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57a4db.TMP

Filesize
2KB

MD5
616a76605469f13695028f2073d527de

SHA1
4747806ef70cc3f1dc08a82ff337f3ef5dd3fc6f

SHA256
e71a0c8518e42b16fc405f900e766e4f6af5aa83a0caba142f7b1fe822ed9eb9

SHA512
60761688a911f57a0e328d87721e14e2635fe7f58dfdf7fd2381725a48621ff36e6f2e274692cf3b9327782876af60239f0de37fd369ca689a1dbfd5bd4ea467

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
100329ad2e9141259ed8666ea0935dc9

SHA1
a89761a3b56d7955f5b638bb8314bc2fdcd63c8a

SHA256
7dffff9e4da8cf36a76f402d48c45e0f5c806d25a11d4f93034510899c988211

SHA512
a5f1a54f9a79910b89bf97abc621d5d2ba7e4bc93660d10df093b00d53bb082ce439816502da165a00708a42ad75b0ee8f2567784773fd3dce5e5844faf06c23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
23KB

MD5
a2e46dc82683a00ed8e3b8def28cec62

SHA1
105c3025c033f095218f425d4e1f7c412f9b6e2e

SHA256
5dc39e7d355703af1bc0b0974adad4ded53ca82854494d2d4c3dbde2631f188c

SHA512
0136e3c5d6e29a3c8aed602032e6b1e9e0bc6ac47965f1a61c1ede5a694ef2fa0de7052035b23f2b725a985cf41032e1b4004881b50a0d9ca6e45cd4f35b8652

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
6KB

MD5
bd294aa2b0dca56186563c7ca5a776da

SHA1
22f10fff2bf27dee035ab986d37174dada813e1f

SHA256
89b79898656392a0ec2c7e597ab67401675d4879d3a3ec4296d46fd1b640528b

SHA512
b21f021d7ae30e13d3fc01749460f4eb5870eb236524ccd45d73a12afee03fa96e135961d39fe546a89cea0c43c604c76aed2d54472c09d386a2d560d8b7f1c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
a74fa2c99f634b495688d3a9f7216242

SHA1
192cad78fe595b30534f165413aecbd8d26bf5df

SHA256
516b0858c212dff8a9a686982c983af6c6f10762045bb274c0167d492763fb4e

SHA512
21ac979839ca24df8ca9c07d26d71998f72f41630a949594392e925f1f65483b0523ae4ee4af981ab4d29a8cda9595991f8b8b12d65122ae331f3558cef4080a

Download Submit
C:\Users\Admin\AppData\Roaming\ef3cb7a4a5bf65ce.bin

Filesize
12KB

MD5
985460317ba80dbbca2ca001d3adcda3

SHA1
41176424aa03bb27f0d7c6d3c436ecd4d240e2e1

SHA256
ffee2e0568eb253ee110e8a95140782a8ce45249efa7ec1995c0a2e6d4bd7ce6

SHA512
af416711f636c935b8235394b85f5ae2c463466b74e9294aa9d9e5bf2a69136b82c5a348dfd02d19f8ec0bafacb449add88a27eb778f5eeddba96b5867c4f754

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
44KB

MD5
438910a806a0ca73b83087f5cd1b181d

SHA1
8807fce2423dd07cbe359ac1ca10c5740708deb3

SHA256
e12f96ff7241bcc17d1147e1e02b1a9700432127551d094f67e69f9b7861df96

SHA512
608d3b0b910214953f759acb649059449a971a07164d9d844b35acbea6840bfa1557acca5ab7fb5089c1453e1209a7b3fee65cbc947efb0db188bbd41b56fbb9

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
18KB

MD5
6c5c9e51d097df5647da906aa471103b

SHA1
fa4874d18d58ff1b373ae4f64f74c2753b80eb84

SHA256
cf341848a37bffa06292c2bdd91aad17f960a06be039e1350bc577ed35a178b5

SHA512
9409e98eabc68f6b09ed77faaa893f0763ea04206b266050924356ea29ca7c3efdcdbcc77b3c5af9b765764348acaf25c66b3628f260283d6d138c19a4d25a76

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
341KB

MD5
a9f1a389e5beafa8d7bd32224452c762

SHA1
2b1940b7bcd70bf009b614ea3df7e371f17078a3

SHA256
9994ac6127b8e5e4482f856e87aec5b38647442fad8b73c16b7b696bacbe5bcc

SHA512
d6c5eb54d496999b572504a78e406f7917361fce164766f1ba896cbe12321bd8a7cbf457e358d95944536fff3090fe52dfe826d928a43dcc0c6f488e174dd82e

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
137KB

MD5
06f59e26ac7522a392a5e4bbeb254fdc

SHA1
8c9d2244a2fa09e35d9a874dbb07d118d52cc82e

SHA256
78eb84415cd2447d0db4d97ca276134d659dc2fca1f944017835dd6a630b640c

SHA512
40bc996f2236ad6eae9ac66a23af46b77105ef8acd8b1c25f69d6ee570bb20d55e774eb6467a1499e113e59e4aabb2b7951e7ea0bdd8e17c61bc68e7873c1dba

Download Submit
C:\Windows\System32\Locator.exe

Filesize
48KB

MD5
cfc197f2e0cc0db657610c98466f13d5

SHA1
2266e1fd23240c4ed29de7da66b14863232c592e

SHA256
ad1bcd3e458e3d9c3d3efa600e626ec1b1df80402546a4d26619636956280b51

SHA512
5597c81bf37458d43a5ad8e7e2ded7ea8469025b2ec6c9a603deb0f6cbc99135c319664546443f63dc21ff89cedbe0e5c1fce407428b310a5e54a6cb08c8390d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
76KB

MD5
3082147b5099b7a23bea5a6719e946df

SHA1
87fb686c37542f5bd940ef547d6d2a0680e414bc

SHA256
862a8f3dbd1e2854e9dc924d06e2ab73d4281d1e88db68856d7ae0801d55e1a8

SHA512
e1482cff2b364e0cc9c4d605a074d76b33f788e1b0fc79bc3a4e4e06f4022fac6d0c8421da8e3d07d69b2e3b70b6faa0c94383b48fc3b909eeb37eec43c5420c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
45KB

MD5
e2b4e9c717d97f3ab4ac3362c1a25c3f

SHA1
b1a07c64120f3ada3be3d75050e00144707b65f9

SHA256
fd5ba71222b74fa24fa212645b9a2c103bbf927d3df892457a756792fba6acec

SHA512
bdff4df8957b0477fc1509145a2b4727ebc3f3e7be5624bf17d34535e2544ac25df838d157ea3ee1dbf9e2257c75120675b4e30e100ca8f55b7ab21d89f72c97

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
120KB

MD5
e394d67eccf2d8501214244c1d46e5fd

SHA1
943e64b6b06b1abbe7efa9c8d05a65865e4733f3

SHA256
3e331ffdf242aba2eb97b9e2eddae5a916d2ef957451af62e18cd738f0236af5

SHA512
7094a8bd23e1d222fca9659d461164129851f9f81a11975c58cb45160e85569bb74ade9f737319aa76fb3d57071767decc9e45704124ba144a9c75e55ff4dbc6

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
8KB

MD5
98ffab2eb5681152402adbfd2071eba7

SHA1
3e3e2b8d2f3b30255252d8cfb232f42a919dd458

SHA256
27b287c084bd6986a1f4e542043f9f9528337ee36fb0e9b35983446a553670a7

SHA512
78eaa5def5a4516987cd4b4fdf1a336241dd5059b3e5de5630415ed9309b4b211390725ba83c6ccace110b1260e70352cd0873695aa73118b75fa9316d3262bf

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
27KB

MD5
142f7191a1d618852dddb51a33539fc6

SHA1
29ff9fb9c8adb09bf2745bfc09fc28abd5e80155

SHA256
5f9daf41c37109aa5e0f57be545661775357279b75192281cb0595da4fd5bca2

SHA512
8f2cac071458113aa5dadf63ab6d1a61aee1740e3f36109b844e52cdd76edc3f228e526884a83caeaee46b11fb740d9f4d3d731f8b13e21d3f1ce8e5bf979e24

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.2MB

MD5
475d046de810fc2268260a6cbef37fe5

SHA1
6fe31c537f8b792a4c47e876260ccb1758cd6b17

SHA256
80cd7d73f12070452347dba5b9f0d67eb20d461977465df817ab0f2718e957d8

SHA512
b8647cb7e6bcdb6ee1c8b84ebd8bbe7e50c57f6833f09e4831be040d265168f12343b1006e9ed3d42f8055c491b5fcd50d2478a61234905b9bad12e93cc67ca3

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
98KB

MD5
a9342ffe7b937b561becfa8166fd80d7

SHA1
525622cbdf370c35aa874de5948cb6c5679d3a60

SHA256
27debbea76cbfa3b85b5bce504097ebe52cdeed1726154ac5616641f7add255a

SHA512
b3725c24d3bb8cb70c3b6ce2f687c0f0621a5b72b0af7592764cfc031eba8e481f5f7bd2ced09b3d0736cb2d4924b73a2087469ff020851220665a438221f32a

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
29KB

MD5
37053b91b1c1ccc0cb1b40fbc6990171

SHA1
fb753b35e0de890821e3d78a280c9f0fb33ef34c

SHA256
02cce665ad053fe9f2983284b9ad506f9e21ef6859c8ab00d15e27d96e8c8dd2

SHA512
d790f49edee789a05e84ccfb68a4a45d18d51d08436004a8ec06039cb0a4d002c7193b071a199502672d29018a0324acb009cfb587481c7e5e8df1cf1e584c4d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
26KB

MD5
916e0eadfbd549a523e0bb5e849c4558

SHA1
35f3b94660173a08d5187e82ac31ac1438a36149

SHA256
873ef7f3888feed8308fb91eb70f57543ef4a63bba3aad1f69facc47f89d76e6

SHA512
1476e9697734808410dd67c9c1b9db4b80e44d5cd1aa216188ac4713cdd664d0299f611c765447bb95fa57d0a8dfb158686fbbbf20a93ee7edf9091f6208eeb1

Download Submit
C:\Windows\System32\alg.exe

Filesize
603KB

MD5
0a14450f7a4bcbe2dd27869218285a76

SHA1
a57b5b3093aa6662fcd49e3b742852d711f7caf8

SHA256
f609d01d5c17ae7010d2ea5cfa394c7c770c1440eae030706ad784f93c3b4c38

SHA512
52787fdeb1bb37b1ec4032019a82f2e1dcd112401f060c16185d819969b19b48e8d272d8e55c8d9e929b552c0a438f5221abfc05977d93e8cab4c4f918b7bc24

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
21KB

MD5
b63e1b19d060e3f88a6ad886225109c8

SHA1
99ebb83f47569600c523136c11be26de4e3da9b6

SHA256
b2eebd0c4dc8e3d63548ae5bac3a78cb70eb823de1646ce3a3c421b2f9431260

SHA512
1bd70064fb62dc3ebeb47ec16be7acf11727fbdc829594e28acad45c1311d64b12d637c93abf7b8e4300ba4bbb772cbbf87b947302a91a34a80962a0695a8167

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
5KB

MD5
9f0ef97a4a4360f5e96ce9665363bbad

SHA1
48ffa516fe0470ae89d07bbf9f0787441761edbf

SHA256
b2a941b220a1bb167592441b78d38c09e6da65ee9a528bc093ed486ec93968e2

SHA512
6342189f91fb78a3f6422d5c8608a5ee16a6eb67c0667e9425ce9e83a356e17c6234ec2895760084a690f86519cd68b960d18d90c3f0fa5e9eeda6c6eb27d947

Download Submit
C:\Windows\System32\vds.exe

Filesize
77KB

MD5
ebac5387a46fbc20dc52404d42075a2a

SHA1
c197e7620376167575661b941d035d9393b6ad91

SHA256
897d8610c32c2b79853e044390cdb6e4d7cdecf3f60de4a585a34551e55bdda3

SHA512
aea22813a002589c9251618821fd326ddfe1f5a3fd86388193b32224079b145d6a56e2afa372a94f3eb46a3adb1e4ec67540af63552470110f4af9f91b70ad37

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
30KB

MD5
7ab021f1097ff9e7eca1912442747c93

SHA1
7cba0fc467eaa07e62920c955db217343deb4715

SHA256
2ee34d18e451216427ef2126e5716d7285285adad8d466f1db85a582e50e6b95

SHA512
2e17a1d3f902cb6fefdeea5fb7e97b917e97aeb6e8331d4a87a8fe23e159a13393734c63d3a275433b0ea418d3cd1f6f96777101d3ec5e8b8631a1cde6a3f329

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
64KB

MD5
cad5ea84605ad442cf94938e10823408

SHA1
e647802d6665a297f52a59393697e46b02cd7ff3

SHA256
c145397af10e12c6908cef47043604e251f95077000361447ab97547a6477d88

SHA512
9fe8adfad1663b01557e22c39bb4b4a96d8b75ef6a33b5601e9f0fbc0dd85a972f4fd473f4619da6288fd1c2911119b6332c9bc724f566ded7ed2b33b3c41157

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
83accc18d310e90fa2b0506637cb0dd9

SHA1
f287e057029b7ae8a0e579d361abbfa061a46e97

SHA256
1a05a07f1405e88d39040b589086b4110e054ccd88575cee9e6f1fceb399ada1

SHA512
02360f26fae07c5f14b7e8ce3f26b4b4c0b1455304f2668680fe671330b752d7bac655b498300173db95137c5ac9e8ec218552c533f3cc6afb1a2c08f0aeaa82

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
1.1MB

MD5
ec93f35c8db9aaf64d187b9b262ae38f

SHA1
ecce924bb51b96cd41a752fabba3b3da1ec63b8b

SHA256
185fb8be861c90c97ba41c2e9052c8698eb117a47bf6f5b504db16ffb3a7c257

SHA512
90ab0a732ba78b047126eba9ce08e00588dfd2c84d5e380aac9660255761e8d8d41b69d9abfc74294fa16e52f0bd33ae834eb5ad9fc1d8fb7e07cf72aca2c1fe

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
0f4f588bed943071885b5dc4896365e2

SHA1
92936df81a98ea539f292cb4a904eb2aa7b036de

SHA256
156dd8a36f107d26273d857678e294aaf080bc808f2fbc1461ba013981e26210

SHA512
58987c3e90db709f4725df0ae8c1c4802e67a36e23b44ba32cf929575b117281e32c2287ea3a55ff942571ee17abdb1dc6e5de526636ba0c12b598c6d79afadb

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
998KB

MD5
4ab8af5492eee287eca414f4e973f9c2

SHA1
f1d0babcf9066d72f5a148f6406cc4e2c56135e6

SHA256
c2f724648133bfbb4b04ba1ccea36b62e4c4ba04221cefc1d0e31d088ef336fc

SHA512
a47f9b5d7a70862906a578ab10b232e6cade44bcf6aca9fc3854f6b4c999389920c50eaab2b5ae117efb6a01f07c1f5ca689b2e16278bf8dea6f95c4851b5cbb

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
e4ebfe29a1aa92823e40986a2a82b0d1

SHA1
8ba6eab2d36d7abb41237789ccb05f870e5ac3e7

SHA256
8e611fa99f5ff9bb3d687b6480ae9f7b8713f8bb1a0fc9e742972af5a0f68ac2

SHA512
665e83c49649e9c9006b34397f6648b05921e3c69a44074031afaf666b5025a883e5ecd230b28839eb4a52574aeec0f9469c7c0d639d11a83b5711acb45d4b72

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
8001ff43a241405015eb3407dc25de96

SHA1
476f62b8a0c85ab62b79722bd250f0d6196fe3af

SHA256
84af31703c9aad9bba8f4992cc2ffb1d36306d7795440261746c786106cb96a9

SHA512
c8825610b802269ce2df9bb2b60f3e70a1104863cccbf4a45515736b31d35949e704d6dc5ccc488c843f2e20295b177aa08495f06188d36079033a1e09ddeee3

Download Submit
C:\odt\office2016setup.exe

Filesize
1.7MB

MD5
93d96c76e8cafa7dd5843094cb745758

SHA1
62626dc29accaeef8d747bd67bb1e250398ba9b2

SHA256
97eb401a91ab35352445488c9a1c509dacbf838722deb019d640370cebeda790

SHA512
52f1c009f448696dc94b06ec8294ff968432c9f4a1a008f6b138eea5a0d06f38ab23afa294b10809d72082b225b8d85ef52295534a98197912ace6bbdf565fa1

Download Submit
memory/376-11-0x0000000002070000-0x00000000020D0000-memory.dmp

Filesize
384KB

Download
memory/376-13-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/376-100-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/376-18-0x0000000002070000-0x00000000020D0000-memory.dmp

Filesize
384KB

Download
memory/1124-326-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1124-266-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/1124-257-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1160-127-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/1160-118-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/1160-194-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1160-117-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1576-229-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1576-248-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/1576-322-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/1576-312-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1808-299-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1808-213-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1808-222-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2152-82-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2152-164-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2152-91-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2152-83-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2184-150-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2184-158-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/2184-228-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2508-178-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2508-269-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2508-185-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/2616-7-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2616-0-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2616-21-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2616-4-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2616-29-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2792-219-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/2792-210-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2792-138-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2792-146-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/3556-44-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3556-134-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3556-43-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3556-52-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4100-165-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4100-173-0x0000000000960000-0x00000000009C7000-memory.dmp

Filesize
412KB

Download
memory/4100-256-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4112-96-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4112-94-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/4112-72-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/4112-78-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/4112-71-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4224-39-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4224-27-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4224-24-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4224-116-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4700-580-0x0000000000660000-0x00000000006C0000-memory.dmp

Filesize
384KB

Download
memory/4700-203-0x0000000000660000-0x00000000006C0000-memory.dmp

Filesize
384KB

Download
memory/4700-196-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4700-579-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4700-284-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5040-112-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/5040-114-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/5040-98-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/5040-102-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/5040-108-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/5132-345-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/5132-272-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/5132-278-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/5236-291-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/5236-286-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5236-296-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5236-297-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/5340-308-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/5340-538-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5340-301-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5456-314-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5456-323-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/5596-327-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5596-336-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/5728-362-0x00000000005D0000-0x0000000000630000-memory.dmp

Filesize
384KB

Download
memory/5728-348-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/5888-367-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5888-376-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download