f6fc06571300d7f4dcc8e8555a726f99931fe480c06af7e37dfe89982ef9f274

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
21-02-2024 22:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
Size

4.7MB
MD5

9c9f426743e3463fa103621069e3b53e
SHA1

c9221ff2701444936d772bee2e1a34688d6d52ba
SHA256

f6fc06571300d7f4dcc8e8555a726f99931fe480c06af7e37dfe89982ef9f274
SHA512

8d416d988f093c7351c4010b2b14337f7968e13450c4322764df62924b2f9f2c7eb536656317415fe5acd959ac0066db0e0918db17b049fd913ebdc91f999ce8
SSDEEP

49152:vR4OWAXbQZC8OW1/rN1RHHEtB9zd2CBJaLnIdyCYuewuKwPlUmi3IkC4ICYSZbS/:6Etf5BJaL+8y/D527BWG

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3176	alg.exe
4064	DiagnosticsHub.StandardCollector.Service.exe
4540	fxssvc.exe
3932	elevation_service.exe
888	elevation_service.exe
4068	maintenanceservice.exe
3732	msdtc.exe
4552	OSE.EXE
5060	PerceptionSimulationService.exe
4516	perfhost.exe
1212	locator.exe
5196	SensorDataService.exe
5396	snmptrap.exe
5592	spectrum.exe
5884	ssh-agent.exe
6028	TieringEngineService.exe
6136	AgentService.exe
5300	vds.exe
5320	vssvc.exe
5668	wbengine.exe
5232	WmiApSrv.exe
5992	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c2efae0b98905039.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_76531\java.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_76531\java.exe	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000082283df01765da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d5d84df01765da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007bc478f01765da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b2067ff11765da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009c9d52f01765da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000013ed41f01765da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
5020	chrome.exe
5020	chrome.exe
2208	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
2208	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
2208	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
2208	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
2208	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
2208	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
2208	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
2208	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
2208	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
2208	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
2208	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
2208	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
2208	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
2208	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
2208	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
2208	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
2208	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
2208	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
2208	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
2208	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
2208	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
2208	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
2208	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
2208	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
2208	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
2208	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
2208	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
2208	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
2208	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
2208	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
2208	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
2208	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
2208	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
2208	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
2208	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
5416	chrome.exe
5416	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4152	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
Token: SeTakeOwnershipPrivilege	2208	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
Token: SeAuditPrivilege	4540	fxssvc.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeRestorePrivilege	6028	TieringEngineService.exe
Token: SeManageVolumePrivilege	6028	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	6136	AgentService.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeBackupPrivilege	5320	vssvc.exe
Token: SeRestorePrivilege	5320	vssvc.exe
Token: SeAuditPrivilege	5320	vssvc.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeBackupPrivilege	5668	wbengine.exe
Token: SeRestorePrivilege	5668	wbengine.exe
Token: SeSecurityPrivilege	5668	wbengine.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: 33	5992	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5992	SearchIndexer.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4152 wrote to memory of 2208	4152	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe	88
PID 4152 wrote to memory of 2208	4152	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe	88
PID 4152 wrote to memory of 5020	4152	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe	90
PID 4152 wrote to memory of 5020	4152	2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe	90
PID 5020 wrote to memory of 548	5020	chrome.exe	91
PID 5020 wrote to memory of 548	5020	chrome.exe	91
PID 5020 wrote to memory of 1368	5020	chrome.exe	96
PID 5020 wrote to memory of 1368	5020	chrome.exe	96
PID 5020 wrote to memory of 1368	5020	chrome.exe	96
PID 5020 wrote to memory of 1368	5020	chrome.exe	96
PID 5020 wrote to memory of 1368	5020	chrome.exe	96
PID 5020 wrote to memory of 1368	5020	chrome.exe	96
PID 5020 wrote to memory of 1368	5020	chrome.exe	96
PID 5020 wrote to memory of 1368	5020	chrome.exe	96
PID 5020 wrote to memory of 1368	5020	chrome.exe	96
PID 5020 wrote to memory of 1368	5020	chrome.exe	96
PID 5020 wrote to memory of 1368	5020	chrome.exe	96
PID 5020 wrote to memory of 1368	5020	chrome.exe	96
PID 5020 wrote to memory of 1368	5020	chrome.exe	96
PID 5020 wrote to memory of 1368	5020	chrome.exe	96
PID 5020 wrote to memory of 1368	5020	chrome.exe	96
PID 5020 wrote to memory of 1368	5020	chrome.exe	96
PID 5020 wrote to memory of 1368	5020	chrome.exe	96
PID 5020 wrote to memory of 1368	5020	chrome.exe	96
PID 5020 wrote to memory of 1368	5020	chrome.exe	96
PID 5020 wrote to memory of 1368	5020	chrome.exe	96
PID 5020 wrote to memory of 1368	5020	chrome.exe	96
PID 5020 wrote to memory of 1368	5020	chrome.exe	96
PID 5020 wrote to memory of 1368	5020	chrome.exe	96
PID 5020 wrote to memory of 1368	5020	chrome.exe	96
PID 5020 wrote to memory of 1368	5020	chrome.exe	96
PID 5020 wrote to memory of 1368	5020	chrome.exe	96
PID 5020 wrote to memory of 1368	5020	chrome.exe	96
PID 5020 wrote to memory of 1368	5020	chrome.exe	96
PID 5020 wrote to memory of 1368	5020	chrome.exe	96
PID 5020 wrote to memory of 1368	5020	chrome.exe	96
PID 5020 wrote to memory of 1368	5020	chrome.exe	96
PID 5020 wrote to memory of 1368	5020	chrome.exe	96
PID 5020 wrote to memory of 1368	5020	chrome.exe	96
PID 5020 wrote to memory of 1368	5020	chrome.exe	96
PID 5020 wrote to memory of 1368	5020	chrome.exe	96
PID 5020 wrote to memory of 1368	5020	chrome.exe	96
PID 5020 wrote to memory of 1368	5020	chrome.exe	96
PID 5020 wrote to memory of 1368	5020	chrome.exe	96
PID 5020 wrote to memory of 2088	5020	chrome.exe	97
PID 5020 wrote to memory of 2088	5020	chrome.exe	97
PID 5020 wrote to memory of 3488	5020	chrome.exe	98
PID 5020 wrote to memory of 3488	5020	chrome.exe	98
PID 5020 wrote to memory of 3488	5020	chrome.exe	98
PID 5020 wrote to memory of 3488	5020	chrome.exe	98
PID 5020 wrote to memory of 3488	5020	chrome.exe	98
PID 5020 wrote to memory of 3488	5020	chrome.exe	98
PID 5020 wrote to memory of 3488	5020	chrome.exe	98
PID 5020 wrote to memory of 3488	5020	chrome.exe	98
PID 5020 wrote to memory of 3488	5020	chrome.exe	98
PID 5020 wrote to memory of 3488	5020	chrome.exe	98
PID 5020 wrote to memory of 3488	5020	chrome.exe	98
PID 5020 wrote to memory of 3488	5020	chrome.exe	98
PID 5020 wrote to memory of 3488	5020	chrome.exe	98
PID 5020 wrote to memory of 3488	5020	chrome.exe	98
PID 5020 wrote to memory of 3488	5020	chrome.exe	98
PID 5020 wrote to memory of 3488	5020	chrome.exe	98
PID 5020 wrote to memory of 3488	5020	chrome.exe	98
PID 5020 wrote to memory of 3488	5020	chrome.exe	98

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4152
- C:\Users\Admin\AppData\Local\Temp\2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-02-21_9c9f426743e3463fa103621069e3b53e_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=121.0.6167.141 --initial-client-data=0x2b8,0x2b4,0x2d4,0x2b0,0x2d8,0x1403947f8,0x140394804,0x140394810
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:5020
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8d3239758,0x7ff8d3239768,0x7ff8d3239778
    3⤵
    PID:548
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1660 --field-trial-handle=1880,i,123411124701122148,10845466008261784461,131072 /prefetch:2
    3⤵
    PID:1368
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1880,i,123411124701122148,10845466008261784461,131072 /prefetch:8
    3⤵
    PID:2088
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 --field-trial-handle=1880,i,123411124701122148,10845466008261784461,131072 /prefetch:8
    3⤵
    PID:3488
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3108 --field-trial-handle=1880,i,123411124701122148,10845466008261784461,131072 /prefetch:1
    3⤵
    PID:3572
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3092 --field-trial-handle=1880,i,123411124701122148,10845466008261784461,131072 /prefetch:1
    3⤵
    PID:4352
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4548 --field-trial-handle=1880,i,123411124701122148,10845466008261784461,131072 /prefetch:1
    3⤵
    PID:3564
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4948 --field-trial-handle=1880,i,123411124701122148,10845466008261784461,131072 /prefetch:8
    3⤵
    PID:3344
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 --field-trial-handle=1880,i,123411124701122148,10845466008261784461,131072 /prefetch:8
    3⤵
    PID:5220
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:5372
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff64f997688,0x7ff64f997698,0x7ff64f9976a8
      4⤵
      PID:5484
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      PID:5552
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x23c,0x240,0x244,0x214,0x248,0x7ff64f997688,0x7ff64f997698,0x7ff64f9976a8
        5⤵
        
        PID:5576
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 --field-trial-handle=1880,i,123411124701122148,10845466008261784461,131072 /prefetch:8
    3⤵
    PID:5696
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 --field-trial-handle=1880,i,123411124701122148,10845466008261784461,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5416

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:3176

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4064

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3944

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4540

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3932

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:888

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4068

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3732

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4552

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5060

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4516

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1212

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5196

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5396

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5592

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5916

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:6028

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6136

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5300

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5320

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5668

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5232

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5992
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5704
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
9e9e4b12aa31fd1dff20fc15bb2b23d1

SHA1
0f8b0d5e5101263b44d3cadd0eceee945fb0fa03

SHA256
2085a9c3fc42c4d47d2c8a3d9ab5b9baad1cf4d880279568cfa15b37d6cc77d8

SHA512
aec96504700298e0e66aacce9d4697b021c899707cbae034ef730ff63b910e352506b5387b15257cb59a36fc4a9fe3a9a8a2bc60a7b856c9f25460cc129dac33

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
682KB

MD5
f9d34639753ba50caa032e915a14aed2

SHA1
4cb0bdfec8cab53b4b93ed3df51ec3aa882af1ea

SHA256
457081abc76d8409a3e8bc6b668ea46b959941e5569fd47b9827acc5065273b4

SHA512
447adea8dbbc7c26fb8e45215ce582a3592b8fa9465e718e51475184459d608602aebed652dd373889d2f1190814aada2d08bbc3ea238eb39d6145cc30ac0684

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
e7da0ca912676c2e268ec77acf912242

SHA1
2339c82ecd8826c82e315ef56e6829a9ead1c326

SHA256
b953a08151e386f1af64840d3e1632554bdb7dd28cf1b89f534da59400a5a987

SHA512
debcae179fc926e0890815f8ba412888d20cd641ee52447bd6566671d6ed391f6fc13ef72a89a85ce61ea277e27228dbdf535a31ebef448334c6ebd275073576

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
2b67e5551dbef008b1026cb87a900770

SHA1
0456899ed58961963dcf378f64a36b10b971b96d

SHA256
64c4a7f783be66edc2d92eba0aff7d4cc817f4cbc41222fd4332a33db8da3587

SHA512
d25fc35339a294ec848a4f8f532cdddc264d13e27581db268ffcacca7c8e8c49135c966f0528d31b037e7bdc127667d0af91527983c2782cb7970bd416610d51

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
66f0cbe1cae8c43d583b6b273b65625e

SHA1
10666c3197058c372937369a8af3a8bb958c7f82

SHA256
2b8a00b6fd11ca6f8f93cea4d18334a7f88e302e7ea8f10f2cfb7f934d933938

SHA512
063a0ea18e0c6fadf170cb85e3cb35962aecb13cb90f52794bbac7f219cab3ed9d8eb75fe592157237e756dec8abfe126b12420e21bcd0fd6e86e9016460f866

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
7e09dbd9b8c626989135f6dbfd62f371

SHA1
d54bebd380b18602e32504251e0fb75c391ddf91

SHA256
a92fd26d22e000b19f79fe4dbf7e4c178af4d54ed7323f019a9fc9dea1247b9f

SHA512
e3c2c3360a65e5758f49222a37fdf1910b2b2a63368b323c78161b4fe40e0dbca3938524c1f6d719802ec4b8258c2cc395a17b759c1197ebcbfdba2b538873f2

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
c9894ab0da5d1dddf5acb97f117ee5fe

SHA1
9f23be00e937e00428e73b1a0055ebdad79b19b0

SHA256
415cd04621cc2dec30e6356ea0553e22d0ca14050d1095b03c71cc40433c5cd2

SHA512
58ad18157564525160b329ed3385f2dc05a83a62104a253b8a50120190048c03003ec72d774c4bdfce735bcfc756a4cc34d8472136228af3a9bf0157b413106f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
4a18e33579e1967ecb1574d5fde4d47b

SHA1
a9833afcb408cd0243a97aa310ef338a27f68e83

SHA256
750c52b2d3a25fc3fa07ef4386cb551673414aa571a326e596cef03e3a8e90e8

SHA512
4f2f30a6072fb9b3eb37279cb16eb618d60082e96b70e22b89f9e74cae513a157b261f349666fd2fd9affdb4f0131dd8e0b3f2046b56fe534ef51e29755d0b54

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
dd073bb4a87e4ff2a20eb241d048e783

SHA1
2012694c8c4b50403ae9471fb303a3d03e0336df

SHA256
92a8fc833ef801d77fd78c4ccb6f033c59990999a0f0e2effc465e6f5dd7bf27

SHA512
a60f0d152097e984aa8fce4595827b97f77ec7dfda0754566711b7c10fe5fe90ef8cb188ff58509a93dd9a8e6b81491f83d2addae79efcc162be723e90c26a23

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
3a9271bb7abc5ca2794c2de10799f8b1

SHA1
3da36fe6a2278da669c90225e73d2bbaaf115f0c

SHA256
d82a970e4a4cedefbcfedd2f4d741f1fff605f01a068d84477ea23d251bc21f1

SHA512
966f25ca9ae2382cc7a72c32a82c2773188792fa1b1ad92951baa53371af37a013d4ec08c853af3c603aae59e5723b9c4a292dfb5a466d2e8ee63576533a96a4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
40a85bc9406232ac527fa9a72d2b4b2d

SHA1
a9b11d802aa1bcf64af11a63626a6f4e116f756b

SHA256
036249f3d877e0c674ea743025155b4e63ee44c719be20e46166a85ac464c0ad

SHA512
a5f687dd2f989d63cc27c6e241618bfbcca27c059a90c3644ad2a2e788a9e454a8ef96a0296ab68eed2f90df289a99f571676f6c03c0cc38f295950e6770a6f9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
334d7a1c3de8158376d0ac144ccba95c

SHA1
17eb4c14df4c40c84aa5cb14ef5e189791434aef

SHA256
b5bfa8be8900ab914fdc57ba54adf0259f4d8bddde31db93f4b0f42878683952

SHA512
0b8efb7839bffdec30d961569afaaaedd404da8a08957a52331f9e778feb33fc3e036f8060a82e1a0e8eafdf9946416f326634dd166c8c5f677f1f381a469837

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
8d593e764f929628b1d6ceb1f30a0732

SHA1
4da1637525c8b2309285f5598e2656416d91a26c

SHA256
22a5491236fe12a00acac0ff39ac7775fb3b548daec3b3d9057e992b1b86ffc0

SHA512
9ac0024cf4879d400603c48e8d9ef42f1b3e23bafb00e0f336c9e4fb666ccdb16e571d8f90b0c01b0c059087527723290c78a633c8985e3daedebaae998cc5ad

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
b9ad4fa1c2fa325334c9f0e11912fd38

SHA1
3ddad82c155e936aa4389bef62ad621c5af31193

SHA256
5a435acc9cc2496b9b9678ebd67f7fd98ad46aa60518b33084f357a34b24bc59

SHA512
d98aec2a98f0e2c5af083dc306e61177676745e15ff30fdd38c2bcd21238949cfe12570b825278d94c49104527c6556a82014434e2d77e01e2d029aab36fe9c5

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
52b44dc826ae4fae3620a62dc69d6809

SHA1
8062820260d0b2245ce8326a2fa734927f731ece

SHA256
7473374b6c91cc50f70eb40abc48eefccf4e5da92a3210001403481d680cec7e

SHA512
cac60667ca0c2d8a9efd2accab43b2b17e253911882a62f8171a32fd2171b1e5112747373a7e6ee5ab028491b819344a7eb640fb168044543919f3144789abdc

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
90b39489dcfa24426071413e7f4b7006

SHA1
64995655ed4493bd3ab2dc08005e28c9260a96c2

SHA256
1dbfd4c1379550a3c5160eefbbba929fb9138fe997ea9e2c92626d2bad95a593

SHA512
59f268b95034abb6fc3a0a79749aeb142de7f875de317fa15e04961a39c825f7cd8dff2bba536cb4748b774a619cb5c964b2fe5a8788b38d3c4b3fe6be569a6a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
09c5183ee4d81c9dcc3690bc51d7c846

SHA1
82f31691d21477d27de3e68aef748bd7cc19fc3b

SHA256
da61e8a597c2f567e09109da0f909d44a6407839e1be648af03de64ba46970f3

SHA512
e0bcb673a98c77d23abe593a9e69ac2e193a99535cdca8c086e763a6a6210cd92c29a9ac4a7bffc633af844a480c26b85271addd93d947584ac18caf895cbf39

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
9e977fae56722a9bd001529eff08e7c2

SHA1
00b5bb017620175b8b6d60ee0dad3e03e6f3840d

SHA256
e3aa7f0d52903eff9c5a24361e0e7620159369e451f6dc99758e8fee26b4ec7c

SHA512
b9d89224a40c6055a6163c57f8f95322cdf66d5d4d0411ca6a930eb9b116002575303a0358a8602a5fbec019fac16fbe44bc0509c7d471fef37103ba79bfc133

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
1.9MB

MD5
fe4b16b32726a4bef5174a0b0be2bf6f

SHA1
9cee2291fa8440cebebec1c5400a213963f1f602

SHA256
2201dc49a748854a8469edcee355e39f8093ccd8ccb82e81928fb4b272452aec

SHA512
fd6a98136d170900398da5401f72f484f8d5afc81a53a9a39f8166a0cf0e6640d036e696e3f3df4c417ef38750adf41407a66c7d9b52cc0e686f1e5680807361

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
07e34393954f204b69d6238b7a7b5fa5

SHA1
2dece2b07d9f201fc9f0093f62b948ddc858ce09

SHA256
d9c2ccb1c5c21d158796d6531bd2af01969adce12d5d60d93e63492c7a772509

SHA512
4aef34575f8fc2fd9ff09a6878472cf24b6df70670f254b3fc6d973a5e510ced4eacc7c90a89165c1663e288872a93551a4d6f1069eb122cd762aa1ba4b040d0

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\7a551701-2742-4e09-831a-cbce6a1888de.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
1b59e8a0682edf3274d68ce7f23d73fd

SHA1
0a271d76648c11b76ea4a0ccd9c40ff5ace78f21

SHA256
42a056a3e1b44215f6cf77357c253d0456cb25a7eabb224c8a286cd9f628d412

SHA512
218dae8cca29c9b61de00327af36f0b6ea70f07b534527f4c8e14b6e5f1f2731aec8a39becc1ed36e0a75214631a8a140515af3873f8e55ac99d66284b54df30

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
ae4ef2267efe853f9f490e8e859ee5dd

SHA1
c53fb5f453ee0e16bc86f037be2413caf8ce5ed8

SHA256
6183cafc5678bd6f9efa9f364e30cc8fe831ed5e5b7d05ab27aaa280de0cfdc9

SHA512
8b9c880cf159f35b3ed273d92b852a8310406d0c69541334e18f03c3397caf4bdc657528591a24f401580803c348b58c92c8cc75ca0d7ca349e55cfb0ec468f6

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
0c643aae0d5e86882c0f22888396ed21

SHA1
e848691928765165add39a87e6a7de3ce4ad387d

SHA256
631fe641c258280a74b481b420577a0e4975938457847d21e636b23716a6f326

SHA512
00da2b33ab0757e99062e6ebae3ea912925cd05f69f7a00d62b2f705c4734aa839090561c95c78e36529f354fac3f7e1d4ea59fb99777fb58acb12d7db0d9c74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
bd1fe822ca603ad2511edf53e4a40ec9

SHA1
89b2f1e4cff92cbb05d219cb4b3f46fc3b5ab898

SHA256
31694e0514f74098769f44b4c895441d158f08e14f64bbd75f80d2ed9441f5d2

SHA512
e1b55b04f4422738ec5165cf7a754bfcf70bbf50fa81ce27becde5ab92cfc5d1cd95d1b1445158dc3f85586f6923c5f1d0735abc993113379720ac89122c4b87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
56f53f276bb99ffac46f8c94959df3cf

SHA1
aa9fc267089c15edfb61cc12637562e65983b378

SHA256
7ff9ed008e6679528b3de5b479866b5a25120dc2ef2f75dc9374c97b3f0ba281

SHA512
6dee07f92e57de9e21cd6205998df0c970ab5d36687abe2b9251e63aff39becf3200629e9d1e17f58c997436cca4c1927c65dd2733ad73ab034ae0f3b7be4451

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
1325c97f31dcbcee937b5aefd777e788

SHA1
16672b6c7ba9f0f7312c8c38c16393e32113fc9b

SHA256
51e79cee9075ad28c7340660384ec7b9bb6f9cc405aece5989f50c9b32b8f441

SHA512
d944a9016d12b3f0e3d3d736aaf601d56f51a4ce1c5922face7f7a534e112d2ef6372ffb31654516208d27646ab349fc4e8bc36a089129aa335a5c799803f1ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
3635841f905ed48f6921a1da05dd2cd5

SHA1
2fc0b09c02adc358de1e4b07a3a79739d2fb766a

SHA256
d311b49dc94beda0413db9dab47506e0a7a3488e15ebb2e256cee14918e25652

SHA512
b398f22144578a74e07a3cad5a14cf92457d05843fdf7b068c1c6fb0bc28df6bfd42fa1ca6867862abcb8c48bcb9f18ef1c6fc3463ed728ab1c9ba3db25839d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
11d99e712fd4c5394d151bd82ed59fef

SHA1
e14d862573071dbbb6a086c6c3f1e41236b64928

SHA256
b3e80c3fb99f971a073ccc6ca3f795a935b0e886e6dab3eba7ac6e5b05575c2e

SHA512
80b007298910b43153c5dfcd54799b1e5e7e526a772022a24be788e8ae1b8b43a200e4f97f76fe7d34d6dade1ef637e6e5036cc1ac2b5183673cccd7c1567cca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
af312b0cc7e78b2d596cb9a356064817

SHA1
364f31c87f26c6f842f7af697df53cbf37f15d6a

SHA256
4b62bfca052a2f2c8b07d99f60630a64487641276fa7a684d26cb01ff78d0f07

SHA512
5eb8e331ac8f2042fbc52d325b4325ac1a4d720bb0db27318e386b1fc009526d5c2b554061b00c3ae10229685474accabda313f5414bff7a1f7316567e179f96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe576a14.TMP

Filesize
2KB

MD5
7f2eda5adddc0a55f80ef5c96d0a86da

SHA1
ef7ff4ef297e1451cba86c8f5a75b7b9874ac50a

SHA256
f3e3c028ca7c7641b32991c218ae8100ca0e08a70b5276759a4aef7ff7c6dab7

SHA512
b1fb2873098c64e69fd3c1071c0c5742d1d6d2e2ea7042dea8460e7ef3ba59a0e0fc42c58789da772ea9c8f3cd29a6ee27e96db465ccbad0594cb9ed5c6c4f46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
256KB

MD5
b8e45234adde1779e5eb9ae1f30b8b72

SHA1
19ef1847d5adaa98f0072a5e26953e9996934c62

SHA256
1f3548ef525da86f1c263d339f5f5839872b963c7d38ed66ac64fbfcab5ca98b

SHA512
29818e21cad30ea083e6f7d8484d2da6824ce658885755d060a9b29cdb0895ca97987c73cd8149baead43bdf9f38fece9eb248cf8fd6b185638951a11ca033ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
ef3c129f9b241a7595c92d7f8d29b85e

SHA1
f15382a09405aeff23a4c0c40c29195a01275dd3

SHA256
7abb07275e72c82f8b4d2bfb66843676f1ec5bad1813149aa26770230b068009

SHA512
837ede78af05d660efbe2de6c75c6046556433d1924000b4cbf2291d7515444d723a08c7f264c552486da2de1220d1029e751905d261e4aeb44135152c936d60

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
4b35d84adc1fab7a424afd267442b916

SHA1
24376c8e4d5e54edb3c67d47208dc82ad90091f0

SHA256
e97cd7004a16d367dbe82a64e105bd01cd0d88db75cd5dd2d23651b20e54d335

SHA512
773d9f6d4973afb392bf7f5c939cec48d44d0ee68c3947c5e2f39fc7ccd4580d41f9246286d47537ddc2607da8d27a03651b904c54784296d550776fdfcd9781

Download Submit
C:\Users\Admin\AppData\Roaming\c2efae0b98905039.bin

Filesize
12KB

MD5
9057ec490acce292a8f67aeb4a8d310a

SHA1
d4ddb85eab06d70e26c65c3c83aa21ed19bfe6c6

SHA256
4d5a92f94a5d1e800957876b95c90f31b0329ef43bc20ad6f5ee3ee645723f20

SHA512
376e5f49254c0e939cede4963fcef1f56d67b730714e004bc5c8fb0b93117f2a9bff7d4ba4b3c2e41440b5c62db96cd6dea0ce92205073ccc9983780fb9cf9d0

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
cec0f255d80184a03a6a77afea5699fe

SHA1
3485452de716f6cf7363b6cb992066f438987e79

SHA256
fa5d4444dfb2b874f677932286708561930a423998ef3947646acdb286a3bf4a

SHA512
676015e05cceaf15a40428ba9b0ced36e4834e43f2757e290daaf38c5aa32702901b50be99bda6afbebd67e9b007415ee5907812169f054546f6b72a7fcd7ce7

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.4MB

MD5
eb6e34b7210c1e1df075a1abb973ce1f

SHA1
659379ea276366ab8f360b4d8b2d711fe68d64bd

SHA256
79bb260b435fbba5487bdaeb92767c0d6cc305665f85fca8c6cd5d19db8f644b

SHA512
9d0f4b2eca0b023167386bc2187b82a70f123fa3eff44ae302687110a80cda2c195fbb07bd61ff49a26542d134baccbedb46d6b604f2e6a459e7ad093a5f2db9

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
800cb7a8b3e2de817fa14fc26918c760

SHA1
a718ebeb6b0c8abdc3215c40884ada58d14d8c1a

SHA256
952bb95427b85621872cf574ca92ec6e2c1d492879fc3cfbf44e010e26016c6e

SHA512
ab244e2f80aae3d9bac3adaac11206a6660cf3065cc79dfa14e962e24c318dfe1d740be658bdaad9d1025be1d228cda7dfb980668638c2cba022d7959b17d5fe

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
e6090b295626c282f557da568ad81879

SHA1
ed4ef7b5ef1df84a9d11c16f52ae13f7135f91b3

SHA256
a0dcc7cedd3fad118f565976b555757a6dbf6223a0106afc892f96dfd707e806

SHA512
ee17c2ee4bfe9207a6aeafa012945d7b2c762a5c5f9830f0b3cc6631ba241165395d33aad886ad3b7ed179a2d853dd876b6708ac86fe774dd6fbff9c11feda54

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
5cf2b400d70276a0fea7f644311e384e

SHA1
e0c796c2796634ae74da08604513639a8c6944b7

SHA256
dc9154169638296deabaf4c68e62fd73ab7d556f06b4f68be80be78e3b98e47a

SHA512
7683c3a11b24b8a26f108579d7433812840c9fb036ec71dca0496a780dc338620d005da49ff2aa0cd60ca2a5be558a4ec66b4d27d7ff3cd19b4b57c0b219be2c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
8ae4ec27bdcc6b6811804e7fb459b098

SHA1
4b2c3dd8a412b01de85cb6518ee2b844f31c8d2b

SHA256
42682766e9c0bcab1e4f82457e1521470ab694138994ebc1b7cd3c6dd45e78d9

SHA512
59c2fde581ff822e50c4368f6043fe8386a766f7d521a152e115c95e8efa4178181c64bbb484a9191e600bec27be3cfbaa97776b1d532c1cc97acc7d2dc4aae4

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
ed55da541ad5407b9c4461cbb26a6d31

SHA1
c768d212a092404d7cb7f48c026f4309a2acf735

SHA256
68e03db90ba1d781868d5a0b47a5904b5a5dee998e98fc8d2056cdac7847b81e

SHA512
7e7ae00d592b093f02d0bc9732468abed1033bf1921248a1dd3b021ae969db5d504d993d8610c9c1bc273d9d06caafd0563d4d83b33f4df94365604994a67f53

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
128KB

MD5
1b1a186cdf95439d59b3db4b96bef73f

SHA1
34008e6538cf1975e919682d2472008a865a478c

SHA256
141281590e9a2c5820c6a5dd7f70d9bc37265d0d298e28bade4bcbaf50ccf864

SHA512
32ec1a1f6d6c60b26b393248da95954d2790231fd8ff864cad53445b41c8b52f2280dc2191af9e405abcdc004087fd343abb28189a22c9a5dcb4267f30f9eb24

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
896KB

MD5
fe8b1131f55f00dc2a1a2b84ad9415af

SHA1
471ca6115628ff6f4c02de2a45a1b7692e5fa028

SHA256
4239ac8dafc084a13cf8532723124376d368bdedf8bcc3de6a033ae45cee0a1b

SHA512
62bd23c9ea09f3a9c5cb0d6bb15a55ad41f2c8c02cd45187a79b1c149292ff17b773e44fd914d854a0cf9203c4b04408c3151003594bb9950b4248588f49a852

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
7d8495614fec639829e15b9d0fff6b97

SHA1
774d73795b6205d7bee91c8749f20e50bf2866b6

SHA256
d51f3a1f2a4805a7c2a151717a27fc5c248c84e2e71b093f5732e63f1e350569

SHA512
ece23c304d1748bdccbef3f8bd92eeca7fd740fba5518bf3f3a76f2c9e922abad42264161f291ef08eab859daacd2e81969d7f11ccdf1a50e80da87e08cd85cc

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
88088814e0da7fbc26723f6c53bbbf1f

SHA1
508a88eba48d6299c7fa05df3933dc64a116fca5

SHA256
ecc0ee1b13cbbdbf309889c55b585a31ea3f1816af7e03a78811b1f5e466bad7

SHA512
5c8939966debc9146d6335520fe643291703c1cde4a9ea9a643c7283695109d4b382eb17f93db9840cbeec133f0c891d5bf5ba0eb09bc5d03ae7e4e5d6f41993

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
d32c304684def4d7ff8c14d0c96edaf1

SHA1
d6928fc221a0c472409a72fce2632aa3cc7dc42a

SHA256
3ca2c3728b8594545bd31b874a85aa1b8fd48eba0270ad6cbeae694b2c0f8189

SHA512
450d2a76e32e3c2f051e29cc3dcc7c5adf2351b296801e51c9cc60fe92badef724020cee44aff441290fadf8959f10624f3c4516a2bf95bd92d151b35d74d79d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
94e09f507489354020bb9e2295361970

SHA1
1bc2d13681f1de3ba98873366624a6265e338621

SHA256
eb22bf39346bbf9f25a422634695d2e4036c8519a24e00c083fd2896e6a882ef

SHA512
b586555fb7e3f53cbc8469aa434a1dc4364bce7ac793979ff78b76c80c171ca2bf0818b6c7eeb04b36f05f61407ed73c9ba1de9c8ea53a4c39ea864df6f78a73

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
518cfcd2dde305c0877f403ffc1077ea

SHA1
f555eb609098996ba4a2a29a23d71438e6cc6a6f

SHA256
5506b9ca6f12d62687489685b7a280307e252bc3202ed78172b0b6a224c7003b

SHA512
39ea9f85e789001b404475263b58564c7f8ea4a6261b39e5176cdc9c40ee53dda569da4fac760d5c3ac6944767e194e1cb1b2254611c584d269adb9a37808a52

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
c14682266baa6ce877d084ba0009fcb4

SHA1
d132ba40c8f2a2b51bc1978a00bd97ae5eadfeb9

SHA256
0f4435afd70a883dcc9eb137fe6de0f67da1346f629ec0f78e04ea63d148f23d

SHA512
6cda3bcb95726f839b7c457d3701e86153aae28093a649b686aa2fd43d47855cc1d60959ab19551f2d3857b4268d953d8d88cf10bbb18e2ef90d0804b69e6ecf

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
422ff7e2c30f5188d1aa61c8fcc3a909

SHA1
5ab2062a3c980d57610fa43454ef5b6012d3f9d1

SHA256
45f5919072fa9286b90e2ce2a896cb6229215cd19e198f7185c7eaaefdb62bba

SHA512
341d61b0a43a39395b26756f070a2dca985d2f7c90273d467ba6d00f0b1b72695212bcb885ac73c1990896a75c2d162e19405e2d0ce4b35c10addab26280da50

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
66e5cdf22f8ac80c408e44b654980c1d

SHA1
5219f784dd27cdbe5cd627bd8db15274a234cbcc

SHA256
52edb5e561fbf6aceaa6809fcf486e2a39fe6699254cf8f5a10c4bdf452c8661

SHA512
ec64dd6273d2d888f88c6c07d0818e5b4d92ac2e670f006d8a9a213149b71d9d013c20e3cff14b8353d5814269d221276c578e48feeb94a99e5898544ed733a6

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
c427213a20417fbfbeb988a45ef70e24

SHA1
5be0ac91f9f26391f3f9889a0e9da8a9ef476974

SHA256
d44ee7139f3d33b646bd716ff44c4b789bb73214a32e6f2f4430c00e5b243a62

SHA512
2368e325affa025b1f06db8377ab91a5939ffa707bd0b190b47e8a6c496ecb8e8114ed8b136e774be79469a49f10e64c1a04fdfc097be7bde65d6cd7b8c0e495

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
f8dfc5e20a352ac9354515e8e50849c8

SHA1
3e227b7cdb9c77f65c39d3f36515500c58e44c04

SHA256
39018c99c70f4a3d81c55848bdfece2a77f62bfcc352377d1776927ab3d04485

SHA512
a60d791732fab8b5b1c7927efaed9c9ae48858eafb193ba3673aeb3a3c5846ec98231e284f618330e0b925c653f67f65b884775fb8c43beda4707ac0c2dd7c43

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
ee248001cb92a4c638dcf3e7bdf68d95

SHA1
dfd554d1df1e14ececb891876013454e9d5b293b

SHA256
e2ffdc7e39338f91ce1077e0ce367fd70d0a0eb274358e8573afdf162f21d5a1

SHA512
318cb7d390cdb276a15f075e33f0110377e417af50085e3f6de9248240b7852ca69b5d3676acfc1ce29452501838528a0daaf1d20115164f57ab4ac5b97edb44

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
1.7MB

MD5
5f0d80772dc7a4ae0d18bd4641e8a754

SHA1
7dabb51eacaca16c3d372ee4da648c72dfbad68f

SHA256
c654c40d9a692815aae1655125b6d9639be9b4287270e662f7f3eba7f2ff8e01

SHA512
ce74e8e367ba6718ae8cc68119a18627deb2fb1e9a3e6c0f0e441d558d79ee7c13a7cc3665acbf2bcdc8ab928ece0b7bd72a392d8acc2e37aab9facc04458e5b

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
581b4818241d14915687aadc7e96f7e4

SHA1
e9ab4b56bc00f5f1e281d2d5190c82b41045988f

SHA256
6608dfe0de513b0a98d676ba7b33d3abb893f0c75d742608ac9288c646062952

SHA512
616e306e5d91c903f7b2617e250ebaf4ceea6c90be47dd3b1a4006fb133a1f78500797f6d2019baa0798835c667d5a2d8d1808690dae339bac384fd176bb9b58

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
3704ba8a840f92020c3a78196ef6e1f8

SHA1
1f58054a529f0c56455daa4bce68afea5d616f78

SHA256
331900c058e0f03d8dbdec973fd60f6ae723bdbcdfeb9bfcb3a9c0350a832518

SHA512
003abd3d3bef44a02ae1cd262930ed244e4256ae19d782bd311a64a3090ee83a2fae81f795f9aff56c9f0b889ea5265d0ac00cd4f9e675b95f97652575670a65

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
7ce40375052ed34d110ebe2ff4f190fc

SHA1
518f8e13a5c135c7c6e7482ef0f27313da938e6e

SHA256
ee874686718bbb4470f8992679dae238a86381f78c51c374afb299c132324548

SHA512
feb5847e1017d761dfd4e16a8d38b0ee9c3fa09e9d3e992fbf784fb63a3f0821413f5e51b2912bb38c4d17aa2801c9278960628c27ea3dbe3e5abf7941d3cc94

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
881368c6d1b333669039c36748dedde5

SHA1
9b283f972b74937151c9139641cbed9def9b250d

SHA256
65680126631ab746f8ff0dc87674d8f2e8b2cd6f5f48d39a3d4fc16be0a36126

SHA512
f5499ad47bcd3922b9f3bf882d97b17f3761abdc2540b837a3bcfeafe86474c5a341df6584df40730a51e84f82a7670322d64156d9dced164d3276ce53c37c87

Download Submit
memory/888-110-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/888-103-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/888-173-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/888-99-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1212-271-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/1212-185-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/1212-178-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2208-12-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2208-24-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2208-100-0x0000000140000000-0x00000001404C7000-memory.dmp

Filesize
4.8MB

Download
memory/2208-13-0x0000000140000000-0x00000001404C7000-memory.dmp

Filesize
4.8MB

Download
memory/3176-32-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3176-19-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3176-20-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3176-112-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3732-133-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3732-142-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/3732-199-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3932-83-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3932-101-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3932-91-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3932-84-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3932-105-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4064-52-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4064-45-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4064-132-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4064-44-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4068-117-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/4068-130-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4068-129-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/4068-124-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4068-115-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4152-8-0x00000000009F0000-0x0000000000A50000-memory.dmp

Filesize
384KB

Download
memory/4152-38-0x0000000140000000-0x00000001404C7000-memory.dmp

Filesize
4.8MB

Download
memory/4152-2-0x0000000140000000-0x00000001404C7000-memory.dmp

Filesize
4.8MB

Download
memory/4152-0-0x00000000009F0000-0x0000000000A50000-memory.dmp

Filesize
384KB

Download
memory/4516-175-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4516-267-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4540-57-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4540-79-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/4540-93-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/4540-95-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4540-58-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/4552-150-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4552-220-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4552-157-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/5060-161-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/5060-169-0x0000000000B50000-0x0000000000BB0000-memory.dmp

Filesize
384KB

Download
memory/5060-247-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/5196-191-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5196-284-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5196-200-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/5232-350-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/5232-343-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/5300-310-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/5300-304-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5320-324-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/5320-315-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5396-221-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/5396-302-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/5396-211-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/5592-229-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5592-249-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/5592-314-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5668-330-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5668-336-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/5884-259-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/5884-328-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/5884-268-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/5992-362-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/5992-354-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/6028-281-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/6028-273-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/6028-341-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/6136-293-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/6136-287-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/6136-298-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/6136-299-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download