539c02cb9271a8c5157e88b139f5305a98f9cdb64990d456501f4860e2bcc257

Analysis

max time kernel
171s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2024, 19:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
Size

4.7MB
MD5

f8641091b7a89e2d02d8242327463f0c
SHA1

52173223af7d81121e3883bd1ca401104567c2df
SHA256

539c02cb9271a8c5157e88b139f5305a98f9cdb64990d456501f4860e2bcc257
SHA512

95a54e237052b0844c5a27a3c41bd236e9b83c60997b4904a7f08b84b2e6ac7b331ed4d405154e3cad4125825142dc79252c7ddfb9b9b48a66554bed92da1783
SSDEEP

49152:gR4OWAXbQZC8OW1/rN1RHHEtB9zd2CyJaLnIdyCYuewuKwPlUmi3IkC4ICYSZbSN:/Etf5yJaL+8Su7wRGpj3

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
440	alg.exe
3232	DiagnosticsHub.StandardCollector.Service.exe
1732	fxssvc.exe
1492	elevation_service.exe
1192	elevation_service.exe
5152	maintenanceservice.exe
5360	msdtc.exe
5492	OSE.EXE
5676	PerceptionSimulationService.exe
5784	perfhost.exe
5956	locator.exe
6004	SensorDataService.exe
6104	snmptrap.exe
5292	spectrum.exe
5804	ssh-agent.exe
6120	TieringEngineService.exe
5616	AgentService.exe
6040	vds.exe
1764	vssvc.exe
5416	wbengine.exe
6192	WmiApSrv.exe
6264	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\locator.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2d171fde8642d83.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{63A530B2-4AF6-40C9-B231-B4073A76EB72}\chrome_installer.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000038488e85376fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000079ad3385376fda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000027ffa986376fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cee0e885376fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bb872c85376fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002fb61f86376fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
3396	chrome.exe
3396	chrome.exe
3952	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
3952	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
3952	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
3952	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
3952	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
3952	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
3952	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
3952	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
3952	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
3952	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
3952	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
3952	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
3952	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
3952	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
3952	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
3952	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
3952	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
3952	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
3952	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
3952	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
3952	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
3952	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
3952	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
3952	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
3952	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
3952	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
3952	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
3952	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
3952	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
3952	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
3952	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
3952	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
3952	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
3952	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
3952	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
5192	chrome.exe
5192	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
672	Process not Found
672	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1520	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
Token: SeAuditPrivilege	1732	fxssvc.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeRestorePrivilege	6120	TieringEngineService.exe
Token: SeManageVolumePrivilege	6120	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5616	AgentService.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeBackupPrivilege	1764	vssvc.exe
Token: SeRestorePrivilege	1764	vssvc.exe
Token: SeAuditPrivilege	1764	vssvc.exe
Token: SeBackupPrivilege	5416	wbengine.exe
Token: SeRestorePrivilege	5416	wbengine.exe
Token: SeSecurityPrivilege	5416	wbengine.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: 33	6264	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	6264	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6264	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6264	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6264	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6264	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6264	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6264	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6264	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6264	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6264	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6264	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6264	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6264	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6264	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6264	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6264	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6264	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6264	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6264	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6264	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6264	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6264	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6264	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6264	SearchIndexer.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 3952	1520	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe	95
PID 1520 wrote to memory of 3952	1520	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe	95
PID 1520 wrote to memory of 3396	1520	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe	96
PID 1520 wrote to memory of 3396	1520	2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe	96
PID 3396 wrote to memory of 3052	3396	chrome.exe	97
PID 3396 wrote to memory of 3052	3396	chrome.exe	97
PID 3396 wrote to memory of 3684	3396	chrome.exe	105
PID 3396 wrote to memory of 3684	3396	chrome.exe	105
PID 3396 wrote to memory of 3684	3396	chrome.exe	105
PID 3396 wrote to memory of 3684	3396	chrome.exe	105
PID 3396 wrote to memory of 3684	3396	chrome.exe	105
PID 3396 wrote to memory of 3684	3396	chrome.exe	105
PID 3396 wrote to memory of 3684	3396	chrome.exe	105
PID 3396 wrote to memory of 3684	3396	chrome.exe	105
PID 3396 wrote to memory of 3684	3396	chrome.exe	105
PID 3396 wrote to memory of 3684	3396	chrome.exe	105
PID 3396 wrote to memory of 3684	3396	chrome.exe	105
PID 3396 wrote to memory of 3684	3396	chrome.exe	105
PID 3396 wrote to memory of 3684	3396	chrome.exe	105
PID 3396 wrote to memory of 3684	3396	chrome.exe	105
PID 3396 wrote to memory of 3684	3396	chrome.exe	105
PID 3396 wrote to memory of 3684	3396	chrome.exe	105
PID 3396 wrote to memory of 3684	3396	chrome.exe	105
PID 3396 wrote to memory of 3684	3396	chrome.exe	105
PID 3396 wrote to memory of 3684	3396	chrome.exe	105
PID 3396 wrote to memory of 3684	3396	chrome.exe	105
PID 3396 wrote to memory of 3684	3396	chrome.exe	105
PID 3396 wrote to memory of 3684	3396	chrome.exe	105
PID 3396 wrote to memory of 3684	3396	chrome.exe	105
PID 3396 wrote to memory of 3684	3396	chrome.exe	105
PID 3396 wrote to memory of 3684	3396	chrome.exe	105
PID 3396 wrote to memory of 3684	3396	chrome.exe	105
PID 3396 wrote to memory of 3684	3396	chrome.exe	105
PID 3396 wrote to memory of 3684	3396	chrome.exe	105
PID 3396 wrote to memory of 3684	3396	chrome.exe	105
PID 3396 wrote to memory of 3684	3396	chrome.exe	105
PID 3396 wrote to memory of 3684	3396	chrome.exe	105
PID 3396 wrote to memory of 3684	3396	chrome.exe	105
PID 3396 wrote to memory of 3684	3396	chrome.exe	105
PID 3396 wrote to memory of 3684	3396	chrome.exe	105
PID 3396 wrote to memory of 3684	3396	chrome.exe	105
PID 3396 wrote to memory of 3684	3396	chrome.exe	105
PID 3396 wrote to memory of 3684	3396	chrome.exe	105
PID 3396 wrote to memory of 3684	3396	chrome.exe	105
PID 3396 wrote to memory of 4088	3396	chrome.exe	106
PID 3396 wrote to memory of 4088	3396	chrome.exe	106
PID 3396 wrote to memory of 1212	3396	chrome.exe	107
PID 3396 wrote to memory of 1212	3396	chrome.exe	107
PID 3396 wrote to memory of 1212	3396	chrome.exe	107
PID 3396 wrote to memory of 1212	3396	chrome.exe	107
PID 3396 wrote to memory of 1212	3396	chrome.exe	107
PID 3396 wrote to memory of 1212	3396	chrome.exe	107
PID 3396 wrote to memory of 1212	3396	chrome.exe	107
PID 3396 wrote to memory of 1212	3396	chrome.exe	107
PID 3396 wrote to memory of 1212	3396	chrome.exe	107
PID 3396 wrote to memory of 1212	3396	chrome.exe	107
PID 3396 wrote to memory of 1212	3396	chrome.exe	107
PID 3396 wrote to memory of 1212	3396	chrome.exe	107
PID 3396 wrote to memory of 1212	3396	chrome.exe	107
PID 3396 wrote to memory of 1212	3396	chrome.exe	107
PID 3396 wrote to memory of 1212	3396	chrome.exe	107
PID 3396 wrote to memory of 1212	3396	chrome.exe	107
PID 3396 wrote to memory of 1212	3396	chrome.exe	107
PID 3396 wrote to memory of 1212	3396	chrome.exe	107

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Users\Admin\AppData\Local\Temp\2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-03-05_f8641091b7a89e2d02d8242327463f0c_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=121.0.6167.185 --initial-client-data=0x2cc,0x2d0,0x2dc,0x2d8,0x2e0,0x1403947f8,0x140394804,0x140394810
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3396
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcd4ae9758,0x7ffcd4ae9768,0x7ffcd4ae9778
    3⤵
    PID:3052
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1656 --field-trial-handle=1836,i,14467512233936797719,8608924637796006723,131072 /prefetch:2
    3⤵
    PID:3684
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1836,i,14467512233936797719,8608924637796006723,131072 /prefetch:8
    3⤵
    PID:4088
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2220 --field-trial-handle=1836,i,14467512233936797719,8608924637796006723,131072 /prefetch:8
    3⤵
    PID:1212
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2896 --field-trial-handle=1836,i,14467512233936797719,8608924637796006723,131072 /prefetch:1
    3⤵
    PID:4452
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2908 --field-trial-handle=1836,i,14467512233936797719,8608924637796006723,131072 /prefetch:1
    3⤵
    PID:4384
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4636 --field-trial-handle=1836,i,14467512233936797719,8608924637796006723,131072 /prefetch:1
    3⤵
    PID:5236
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5260 --field-trial-handle=1836,i,14467512233936797719,8608924637796006723,131072 /prefetch:8
    3⤵
    PID:6060
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 --field-trial-handle=1836,i,14467512233936797719,8608924637796006723,131072 /prefetch:8
    3⤵
    PID:5316
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:5660
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff6d1977688,0x7ff6d1977698,0x7ff6d19776a8
      4⤵
      PID:5996
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      PID:6136
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff6d1977688,0x7ff6d1977698,0x7ff6d19776a8
        5⤵
        
        PID:5712
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 --field-trial-handle=1836,i,14467512233936797719,8608924637796006723,131072 /prefetch:8
    3⤵
    PID:5212
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5172 --field-trial-handle=1836,i,14467512233936797719,8608924637796006723,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5192

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:440

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:3232

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4820

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1492

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1192

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5152

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5360

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5492

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5676

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5784

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5956

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:6004

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:6104

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5292

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5896

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:6120

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5616

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:6040

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5416

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:6192

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:6264
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:6704
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:6740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3408 --field-trial-handle=2232,i,11267738607351977302,107266978269557304,262144 --variations-seed-version /prefetch:8
1⤵
PID:6868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
d5ca98553fe795078e443406c16445ec

SHA1
0e7c5ef355cefedbe7c7ce126177a6f7f8c59294

SHA256
aa0ec216a5ccfb2ba2bb3c014a90e25cc954dd7f5656ac2d40a3a61216478220

SHA512
bf30a254172f23b8657ceaf57c3f5cb63d319fcb8c0c82f35d29b8242640fe7c0f8ce41b75c32928faee4c02105cc824fa6bb9c8dea23b0a11d7b07036e57b55

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
884KB

MD5
b645baaff7e938620b81f9d71aeea60f

SHA1
6f3b7ad874b23ffb0e6dd509a542806cab15a538

SHA256
859615c5bbae883c0297c23019e1a61c9143d27269ccce9959ce9271ee1dcbf3

SHA512
655d452e86bbc16aa2d7ec9e6393d6e9e5cbd32579ebb1b56807e8ea138a4e414de0214db9d965b9693460ba5a4f30216c08902017f3652d45bc6adf1d934538

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
74448bf031d1373e58c04281aeee983c

SHA1
46e5f7cf5ecf456c1f21c11db0c938173c307dcf

SHA256
fd0e10bf68bf7e8209041f8ea279b29adcc7a1547553a7a0da123c2bb613a187

SHA512
5a0fd372f00cc060822c70ef9e1972f82c7c1de89a5e3c94c196fcb8808bc0b40bccb687e3c31269bf600e5df13e1c56042f322785b007c5636771af74da311a

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
371aabdc52b7bbeb89a126c1fd4a7dd2

SHA1
d682b1ad0f3b1e144bb69e581ad82a27952d5000

SHA256
46f72202e1848d9a85c73522998919ca927af8c6991f7d412656e6aefbc85853

SHA512
d00a76d737dd8cb08835386445f3499c4dddac259f2792397d0706a84ab6eef1f48093c8b6f97dd8e79da03ea7a8c95d13cfc0dffab0dd0103bb241982aede10

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
02c9edbcdb0ec64335cecb726d4028e9

SHA1
d1ee51c55d29003705a1c6f5a847001aea0c9e60

SHA256
cfb6daf734facc951940be8325a6803ce24fc6ee034737b27b58dc8d3eb06ffd

SHA512
aadfdba34cfa79cc47cddc8e89d28f4da899aa14300e3434970858690dbe4145ad2a37bf4196df14a61e5ccca19f40d83ac77547b6fb6e333078cb8f95487723

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
11a5bc3792f597836e6641307f4dc094

SHA1
c8a78901061654a513fd26be0be116211a2fac40

SHA256
01e4137538f2bbb6c9a7d3cbd18dad2ef27b4a835350952c7a0eb002947e8a71

SHA512
b5cc7d3b12d3ca8311d4176018315da80a9fe3d30856ed403b92aa90f586776bcb8e2dd7cef8b228bb47ac8b9c1c011cfcdcb4dec4a6d136278a54fe3b78c8a5

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
d49ec195bd72a510a7156e0910ab416d

SHA1
1d16c99c8e0a842a8defb3564deeff7f71b17bfd

SHA256
952f68878715833dc11ea86abaf1a96effd02e9b830e7d44bf4011297f6d4c80

SHA512
b5a7305247012bdf6e292543445df2f317f6a5497285c220dcb492e185960c58bf51f8863b0ab69d8bebed9477691810c30434a5358847cef007dbb3e395e44b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
dd61fb1f7dad65c751e99c07d2118e59

SHA1
fcffc92ba6a0726a6230a22969edce53f0c4e302

SHA256
897fd570b5f4ff933edf1f96b2253b80a4d17174a1bc545c065d5de9eee7db10

SHA512
d6bc315d6ca3faf06067bc8ec8f618c1e22232581c7e01355bd911dedd5326e77d60936b23bf81b5529f99067cca0614d149433b59dbc707526d42a9a744d708

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
2.0MB

MD5
e60df64caf846d67cd04601512b6677c

SHA1
d436656d5b8e4b75cf713e36c7f00840727893c2

SHA256
a81f5bd47394abd3e13a85256e7a6df96966428855af9b9c28a6f6da0aa41d77

SHA512
f1f2a69d09f52c4094b080e6d0978da2d74ea3a67248faaef2c1a94fb1aea0813745a054aaf9eae1648b50e84d7dbde0e914227480f228ede64966cea186b851

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
22b69d24b22e95c1a616afd0750ea62c

SHA1
9b77e7e96a8a76e214c04f2fba7400075a37c1b3

SHA256
060704230c0c5c76668846342dc8c9f59a2213c693e6249eb066777be11fdff9

SHA512
bc1ccedc14db3e59f89916de528d245fe61ab27ab9c936eedf18f01cdbc5e79a676f09b05ee715394779d2d076eebd8cfa37e7e6f02480d6f8b5b1cb8bd33c96

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
1.5MB

MD5
7364ae9d3268af54d7723167551fb5d8

SHA1
0048fc1112fae1b5ee66e92b10b434a0e262f700

SHA256
187d6be9a51c5c72eb06b9936d0bd552f8eb4e55197c3446eafc92d113639b33

SHA512
1b5755e3b34197420bf5ddf2e143066bce3a9f45409aad8ffeeb7d2f28e55f74d20ae1b823e47cfb336cbd4ef89cc33a8c3d641448c5f874cfad0e06e5f31758

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.1MB

MD5
29f8c497fd74448c1306675a9c6d5782

SHA1
5e39796da8a2d6e2e69d62f69cf9151fe2f56032

SHA256
72e3b96051bb085cbf31e8da5d008e09897298bf802286f01eb275fa5759a64c

SHA512
d38196bfa6df84836f83506728924fdbc33c5143a5ca827e2b89a6c9a748168143ac7f3a0c0be208f25b75feed748ba8caa3f79a97c71c533acb4da315438873

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
384KB

MD5
2fdf25342ce62e5a2c6982256d96699a

SHA1
60ab544886f586ce1f85a6f0816381f7eca1cbd5

SHA256
18bcf61e8e11aa4593267fe8a7f8727c695bf095a4fb03917836aa8927701da0

SHA512
687991f00b635f420f5dd4048bb2be05149799a5ac79c5c57f059eff96a50a1c0a5cf88a853f30cd3d78de98ae8926c87f7651f1de79dc54c3f8b4b196843c70

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
fad96f9624a2283b1e773851ba086796

SHA1
d2660f1e47de70fd178f7ae72d172858a556ba69

SHA256
6652282dcd187d7e0e723535ade9c8a46c1ec4b618508d66ea284fbcbfad52c2

SHA512
0a807b8b18ddc039d184e84300e38ce83ac632896e51f7ee88313919452d2199fc77ae7b1b1ae7fc78343a35ea971000b267ea86b0b7e1b92bc5af219ad99927

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
e7c98f27c7f1c17f137eb2657d4eef55

SHA1
8ab1e80d498e1642b1ff6cd6d144746e6e993024

SHA256
93e19b11db82149a8b944c849ac323b932e411031a486526454fac232ba662fe

SHA512
1e30727c26fc824d5c32247cd7812cf46d6a58f1e2074b0d5df32379d5141b11b13073568f596c2140d0509e13835acba1209f59cb6be5ce59a3341c7f7a1eac

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
1.4MB

MD5
d786a8ec0db0ccf91e01566f72a3fa9a

SHA1
d0c34f2e0ed6090e3eff82efd2e5d44d6e5eeed6

SHA256
a62dbde8f144b5e833ec224e667ff3625803fd055896b35f9ec930d10015e9a9

SHA512
650cafc0ae41200e43d896ef5b62b90f280e363b0e8e2f7ff279f83bafbd858b54163c7e4f6d41664bcd05ec185849006952705a97a22d810214cdf8f5d50e09

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
1.5MB

MD5
dc084e63da9d31493fb1af3ee6c800dd

SHA1
fe0d5e326c5eb9786493aca32fe35933fb5e8e1e

SHA256
8a09deca20d52638add3015662de36799a96fbc6aab593059c2593ff7ca7c62e

SHA512
53266f834f1dac7328f74c3f059232fc95a343e7182bf6847f5d118b2fd6b030b050366a56205307b7c336beef5e995fd96f0308f421d8d6d468c3a636e3332f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
1.9MB

MD5
a79eed93ffc2070a38cf03a5b96a1cb4

SHA1
5ba41b71bf21bd81e72a1429d5781493002f0fd7

SHA256
f4bff376a9b1b3c6c2b06379fe26b8ccbde1c687f5359d84e9c0fbdbfa7dad89

SHA512
ad6a4e0b9e6bc397537459e73da726cb6bd5372e504e52ab27c652aa118de162aafe431ee7c873296f7213edd6b2b21683bc2802fabfff659f93868e165989d9

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
99edc2347b1804eb66c60775cff2e9c6

SHA1
d4fb430b9f261204cc2aefa2cc44f8199bed9ba8

SHA256
d72fec903a13b93a57bb38a83adadd781296b69896eb9c0248f9b3bdb82acc10

SHA512
229657c4c2336400dcf81fa0a0acfda3ad80a40618ed120f4372248da8c45f5ba00f4130d125386d9bddaf2be1c0ad8679864c908bd068317e9cc0e27dae8d16

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\07f86038-81fe-4339-9488-a2073f78ac3f.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
4577b07966d75409dab981241d6bbecc

SHA1
8e25d07daaba394783c5c38e496a3688fd6cbd61

SHA256
f705457055996718cc867e998f699279c638b9a7363cf5b08dd2b8c2d0cc7d75

SHA512
8172382033bb1053a8d13676276eba195a9fff57ae73b43172722dedd65f98500dc6af5ac4d79dbc4f9be1ea6b2ac506160e2fac30cb6c7d64ac3f75042bd7e4

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
f9c0b7b36051754343b240f5e391d343

SHA1
9a3e1c344e515a17f6c088b49962a32bf0cd2c84

SHA256
582cd4f060c042eca36171561dc786ea5127f26b35472b769c4dcfb62f68878d

SHA512
7177c8f3def886fa742dbc7a06a46e0f5991da7b04e1f08d6bede7e31f608c07e1ae5cd110f701540ad468074b4fd696a7b3fc085cca3e50263b2c126c08ba86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
a6af806de53cade9b0e7a6f2446f1ba6

SHA1
d5078ec988045014437eef70437e1243d3c4fdac

SHA256
e1a9dc7f8e1fff71c8ebc2da931c3c254b5a62908a6d22efbe27085db8a9b36a

SHA512
2ff96045a3b5e1adbaba43ba3267c6d03f113bb545af563a3711a998dd5c4426ce4f56f6cb501d2fb670b8b8f5fa71a696797648b428c86ddda7de4c82d227f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
9690abb8b10b300c8573c7d0efce5dfd

SHA1
18e0b632f95027281dafe869dbab96360129d301

SHA256
e3c8cf98bf4d8db7dd42c387e30dfce685252e16132d081aa43618893d1faac9

SHA512
1cc8c09d3184da2e057e084125201f8d502d6b65fa787470137821eaf35fe5e4539950a87b48eff52ac8bc3f5b2c7ddbbfa4ced0492c1bc76af35cd0eaac02be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
0fbfc81ca30a70142857e6fe47c9cd52

SHA1
a6f88265d9969dd8e53c170e65a25fd2af948004

SHA256
cdd7b0d2a25f94c453451cc880745f61ab4210db3745a23d23f305fd2f67a545

SHA512
a47afa609a1343677eddc4a79414487ba0486955f775562838bed56c438485e9c1778ea1c5eadd712f38d2a7ae2717bc34b42a80cea3201f1cd035df0af4a72c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
4ea0f33b8fef3f584129485549e3a74a

SHA1
c4d1deaf387b134dda3cf43fcd7d56a7a0dfab5d

SHA256
6f5b79af1bd58955b7d2c1b45f623b106a423ee0a7a5b740ac4a6d8bff6d7c2b

SHA512
887286694934703ac216feb8c73898efac3824d877d1f8e4d8436c22765f610f2c315c60a084219c40336950808ef1bee6d5c219f8e664a34c1c79fa0e4013c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
6498370bf2e5374f0309906580a65ada

SHA1
f57aabbd33724538ef04a16a193437eb8d4757d6

SHA256
392ae30d8de7f918c4c6f07734a123bc87a503a2600fd6addf0b41fddcef7e26

SHA512
dc9e2dbdbb6614e07b83e2baaaa5094334755e11ef8821f40382da6f8f51f7098e36f8631a610ad3931d7fb0337771fe40e4f08a45eea572963c5b96f4a88b5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
7bd66ebf8f35526c42308b7b3e3bd1f2

SHA1
43bae0de50bc64f8fce91c01a464439a5fcfa09d

SHA256
b9c65a3308bebd8396280c4abb2ab54c9778e61513e0cfb8a3ed8e03bccae2b4

SHA512
fc2a2293ba0124f807d09326d832b288b7a5bb6023724a2fd2718275ac21e00fb6a63ef14d246ee47f095987a096815aa6aeaac1254b6db5b08e6ca6b58e6e78

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5818b3.TMP

Filesize
2KB

MD5
3c284274fcfaed236362cd810b542cc2

SHA1
578a3c86ae7cafac8ea2fd1aa785913f2dce853b

SHA256
697eae9f64542c73ab26efd93f8fc32a77e9c15cc99fb60dd3f3866ca8df21cd

SHA512
fc6099cf5604e931f5da5376effd1c720eead4f9398298c70c7746bb25ea66692a2acbc4020cf75754aa62d90183cf032463aea80a90afc688f5687d2aac2042

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
a6d029b4e708290b6e3e9f627d9f62c5

SHA1
808e42d3e5934dc185bf5c88d1b7b1d523616331

SHA256
e61af9583bea538cb91368feb91b9990e3c3db06f298df28d2e5410329a61867

SHA512
3e09a3a0398385c74ea732bd2e969cbe09b9fbf7a99abec91772d82a740c90d90ca966ea6098ed01a16cd2299ca557abf2c6c5b67bbf92890ddfd387f0807923

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
256KB

MD5
61836ea6e637d9be3d0bdd1de75499a5

SHA1
3e6a3c30c485b27e84763b31da376eb1eb538b8a

SHA256
c3ab8011e87de51d9b4c3d2ae415a9b7b71a2aeb52b2eeca3c29725e32250186

SHA512
4768666945bd9818a68568b82f6aec3755db777635f924346e812816b2d919175eb8c22766b48df03fc1b80d576356389192a9e2b23fca312545a600cfe55a57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
99fd95f414be07a5936c6e7f9bb7f902

SHA1
617d759d58b4e097b4abd9adb04ad60abec16539

SHA256
7d681a96ec2dfd56babbddbe363e94e6f47f8d10d80900b4dfa104e021193db3

SHA512
3aeaa3cc5fbc52778993a7eb4e537a192e32425cb06d7d39d036e80e2787056e7f08e47c8c499b9047c5cad96c78c61113d743b4cdab5d9e44bcb1936ce7d150

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
6f9b1639f6f57351448f780b0c33a57d

SHA1
2312670f0b2d7806d1f8004db17340d6db271ba7

SHA256
97039d41cd2f6c41f12fbc870a0b6d267c270f2e553efcc073a9180fdbaa16e9

SHA512
d51832c4ecd6bbf431eecfec30608de6c4ee32adf4bacf1c53966f78faed61b2d162675bbc07af5c8e74a791656c59593435450b6e55f7ad762c4d0a00313945

Download Submit
C:\Users\Admin\AppData\Roaming\2d171fde8642d83.bin

Filesize
12KB

MD5
e17f6a60ef94bc7f4fb6e7384aa6e4fc

SHA1
8e7bb434af1ae677ba9bf867e750ea32531465e8

SHA256
1cc06dd276268ab00a87bef69d1fe30541243a09f6f7e22e23e0395ee11dab1d

SHA512
297122af7e21057094f770a3a977c57e2dc28ceeba698212ea6a72dc9a2150f916f530f258c655d67b5db8b6729c3768b68575c816bcd754b78307070be03334

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
f4acf7dcf45479669b18372c856bf232

SHA1
07b9debcc89c26621e58ca7067807b7f25822722

SHA256
64a6b779bf07c37843ac6ac820fb1d5157ce8bbd66854370f9acf01fb340a7e3

SHA512
b4564b04040984c5bf08881f67e1ec78d638f2cd931b19351ebb263b9ed0d4b8bc9b1005387539ab0ac60ac78c63fcbd9a6fd2ec04a76b2e2399e23a7788e18e

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
768KB

MD5
3914b681f28dc1b58b8ebe05c6d6dfaa

SHA1
c0b555d4652c6ed4fd9bac5541c8e74b1eb4bf42

SHA256
37c6278d79ddbf68b71d6364354520ffa3a163cfdaa55203495fe5a97dea13a4

SHA512
edf872c0be9ac60c0bb4e00b6d9d128cc82f53202574ae9ceb63616181e78b0f99539aed336f0941108e7b1665cf92fb61ca9d3eea25d9272c7523d045716388

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
fd378518fe70b608b455547481f2c12f

SHA1
ea05140ce29127317f62c4144635c2901444747b

SHA256
3f55f9cb1ad7e2a57b6b8d09338f7296ee1411c3127c0a40788c78bffedd7e85

SHA512
a7bb68dfa15c7583672afadf9ea10163875612e4933d84400f0489813ec67c665f48a1e0ce4bc2f6cb4e31e9612130a916d0adaf4b65c6989b8ebe806af9c308

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
89a7a68b434d9e872be0d89f643af896

SHA1
54c83446f050caedb0145a9a13f2b7fba6b7542c

SHA256
d55f102a3d1c91262947a1c4ed9158131e9148f5df0c58aa5f3f701a1df4ec86

SHA512
da178345a9430e3b0f388b1c59dbb037fe972329917d10bfec72f92a085b668e13d8cb2c27ce53c092700db47bda1c8691ce0a9bf6f8165a91fd938a93e339dd

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
ff2975f42a7579e8825670b4a3091129

SHA1
63cafba7cfc3daf87479ab16e926dddc8347bba9

SHA256
f4fbcd16ac9cd8c81cfb2b26a6539c20c56d061cf916777ae8ad99025f964902

SHA512
fdf7d13137132dd0ce0d0cd341dfccbe22f7e2b7d6675865f44f3eb23d914e2b004d609ba997da62ed6be8245d8317f3f872f396dc351be587ac4f702106178b

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
3fb6ca206e616e35b18e5ae11fa446b0

SHA1
5d2d22f24d6dd225ac320f810bba337df483fa0b

SHA256
a49f97fce85732b4bd3b39a28e4ce8bd0df3d0928fd812b2467123d6f96cbd65

SHA512
d8f9aee185cf165b1089394a47a0b4bed16a0c2a5be8f93e406f3a66c301198ddc9d66dfd3dad2ad87a4c99568a709934ab9df4f3bfb9fa60c216d38527ccd8e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
a78110629f3c3ae861ca597cc1bb35f7

SHA1
6b76957eaaf9d65640d5c097f051d326266752c7

SHA256
8faa709de2c34c9d4771773ffbdfdfea387455d5a62198ec39bec809e8df80ac

SHA512
409e7b6f73093a58db3de3f9974a26d889ec36990457032173d510ea8bd9f721bfd3b8b3b0a88b9c9eda040daa46d23d800230c1542ca8e28851f2c941a17bf4

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.2MB

MD5
a887abd848fd80d548265f25d89502d7

SHA1
819b3a93dfe48b446a29abd88d200f8658501a57

SHA256
cc9827e6bb1722480da2ba6072964c74dabb9dd9005378c37e77325c1f46dd1e

SHA512
d794986019b09cf82d4862be1adb0f5dae40d171f85ef0d472e866a6fa0ee627e32422db4517502e9f6f059768294a153af23d7d68cda66591c5151274bb44c5

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
ad5914399e12cb7d166bd4ad64bd43bf

SHA1
06e1eb6916db1d7939d64fb961021ce5d4d598f3

SHA256
7ea7e4fc38db671df98bdca056552fc73dbb17017ee88d2d2ce7c986c8d52e2f

SHA512
2de6f672ab4258cdc7e696e0ab782278a23408ec741d670fe76f1638366eb631647aa3807df461ceeb851a194b12bedca72cd764f8fb2c56f8df89536996133d

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
335KB

MD5
c9cba6c1cdb846949c585b3bc9171548

SHA1
746e2ac36300f03fcab421abc9e4ec0eb2ff9862

SHA256
1e504c975cd1ab427bf5dbaa59f7cc0895edad22c95570ccf661041f4c8a9bf0

SHA512
5f294fb66d90abce74e813114dc42393ca374031c6c6bb6df2cd5f44e88267ddead3b9b28175fab44c8085723f641ca0f9a6d9397c6e610e557a0c23b57b88c5

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
24d39df3ffff0e5e8dbdd60fa9badb82

SHA1
71ed3db6845245f5d076f7bafe77a20f4d842e2d

SHA256
251c36795854b48bc5c30a912950a135049fce31c247e787d8d5d12e46920274

SHA512
309c73a438d6f2a6f19733fbf2dfff05807786f627cdfc6973b84a76ba1a56b662e2337530531d1c5e2a423c6ac0bf5b333911d72c9f2cc68301275c4bcf39e8

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
9f0ff613fa0d4fa3ac54f636f8ec0179

SHA1
204aa7143967f6ef33c6892bd4db36b989540537

SHA256
6d6112d57fd3687763ae199d54480277bff5d6f24af5158989a0217c4e60d2df

SHA512
8410bd90c786a2ff96fb66bdf7c0b85f34384f0f1ebe200be36b2ec0cf2743591f86ca97bec6009eeb5dd7f72c970ba2ebf51f690ad243ba49c0e2fbdb8d97e4

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
3fc41cdb61f53bcc02ce0411c1bfc542

SHA1
b357ff1ea7267a5c3296818b43e0512826bac998

SHA256
32b4eb9ea5a6cb931a6c2906a8850470e3970d9f88c970316a63060585f7c0cd

SHA512
80e94eaca04022b014f97904e1d37d0e5133e99f2b7e77f794d8cab53a82aa24e1994e4454a1865f795a2c892e64655275561364e1479231cc8bf5110dd6329e

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
84d932067565eb20b5cab9e10b6431c5

SHA1
aab1def798b82a4dbcabf7ef4528afedc0597d5e

SHA256
af27eea54f9a08ad7b8e2cd47af3be811b7fd58b530beb6b49285148512e92b1

SHA512
551553e064371e702c1252067e8c1715835689cf9e88c368a4be27d89c6898bc3bd0bf26c66b9c266b22cdd7a0257a666303eb7b48de9c92cdac031a544cdada

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
704KB

MD5
ea8272239102b3f0a6c1ef04be2f7a3a

SHA1
e4e320f3588a4b0ca990b9687b1e8d53ec358e03

SHA256
3c5ceac3a6c53ba3e1da4fcd85e8a74661bca387066b7e57631fe133ed131545

SHA512
e940f700c56b345032376e92ae8c60c08d36e914172dbc5a703a11426b0453f538fd85aca1951e213ad799d7ffb9f60661bda2f875782adba752263e19ba2042

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
f14b4f7d172c51a3e9411bbfd9a34fb6

SHA1
2744720dcb61bda7253e46db935ce50b5b1ffb6a

SHA256
78255cf29fd042f614a4217e9b2dcf74598d3e7aaa652e04ff0e5a8a69abbb9d

SHA512
73748fd99a912e1a845a481a04e5b2f244d74c288d8c51f23322e383f9a792fe1165293f1c44dab1e89457be01fea8c33d35bc5434b9e8e4a5e06ca9d003273e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
d8d0a118564329d95d7076c8b84c771d

SHA1
8742de64dd1900d26639c3ff199875d2b156a5dd

SHA256
c155b8012b9dd8fd6adae5783ba7ec715ad71c29494b30e75494513b68f46279

SHA512
e3af499d07da5333f86b87b09b7fb0dc5ad46ce5f850e03208d6b5ff4f9a7ab03ac289ea7690e548df2521d4f8ac2c4b9cf08610ab2473728dd7f94e706cfb27

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
0df5b4c247f8ad8e6448c4a0f17536eb

SHA1
cf8a49a7c41efd7811694dea7784bd1f234ca8eb

SHA256
95170f67f9d6e030ce12cf4d16f47eddb1d4b6c06b7a133bc928416e2d7ac5b5

SHA512
c3efffeea1a32a4ea6c334c8e2c8863085488e680566fbe32fa894d119b05e6fcdf1f8745fbb2845f7fec0f9e1d08fd9c9742098ea1b5016e49e067d4183bd83

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
04f17c93d07f4325fa0c57f92e04cb10

SHA1
5d0821f6653e8a5aac2f7dfd04bee66fc7a1ad5c

SHA256
23e7805c5fc9617d7ccec1f356980a3f5e862da9dfe9e3bf718939d6dd8767af

SHA512
b8239a9663c9bb807998ed06b5d3631aafeb0d6b4bc01ab057f7ecbf885072193632d57a8ae243b990c02aa05101732ef40725331eb3e33a7468d51debc72031

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
1.7MB

MD5
23dbd85260302a28dc9104dc2e293355

SHA1
dc49b944b3542b8e17b25797dddd44de936ef35a

SHA256
c3a5de3d975777b517eaa63764593079eefc874822c1ca91af721f492c2d3104

SHA512
a49a48656a62f3e74e2b7b38209c6adb3f9166c1c843bdb3f13b2de343b570e3036e10ab8fd3cf537b39cb0fde4bb8242270bc01101a167cbfeef289dafbe884

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
a904f8a007be2dd382748b4cb3ec666d

SHA1
7667172f4b5fa8d506b6bb7c871d4597ea6f9abd

SHA256
a1b826540ab8fa278f8b7aba6822dc53e55b15b07e17ceb1136441ee6ccb8c1a

SHA512
abbbca273194654c2aa4b859cd70c57f79a48aca73394ac87eeeaba8d058f3d69a36013612aad8df463d3809a691d5a43b186091d3fe91d8cfb9ed59df829e71

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
146c3d414cb383e760f5133ccbba2615

SHA1
abdb5b88e465b07f78c4b94b6126a092d831618c

SHA256
482967327ba536f832299349d71b43b0e81fa1db347c4b10acef998b2ab3073b

SHA512
de71c7f82faabb4d9f9b26dc798b1058013f74479cd6747e3794251272135359c6063c67dbe836acddac4a9f1a362cd0c6b9a559a4b0cc4f492c4c32ff72ae4e

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
384KB

MD5
85f46fafcf442b0bcb2b87e4e21a41d2

SHA1
980d60ae91864c63310188919210750062c8f395

SHA256
d26981b2760de097e436788bf3244eb86c942e617a4686fc532b72d63f9758ea

SHA512
858a76267d69a84cfd949bdb18bbb99c8ba2f63fce02ce5da92432945dd77b206ea92522c6c54474da1e984e04a6adfb63cbaf4fafd79fe9ceaeb0e655a1ed8d

Download Submit
C:\odt\office2016setup.exe

Filesize
2.3MB

MD5
32439ee80df0d94bc041b69f004aea81

SHA1
cc1649f484f33a33c2148021d5b5fa542bd3e822

SHA256
435f835463482aff98dd2dc34c30be9d08022fec9231b187d7d7c985f4597165

SHA512
99d2e98075abb6bd83fd63911c3bcc426db30347af3422800d6f73eb8fbd0b05565edfc74cd75ffdc09cc2cb89fe60ba10ca8ddf4bfd830e589e3aaa2b27fdc0

Download Submit
memory/440-34-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/440-98-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1192-76-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1192-75-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1192-146-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1192-84-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1492-55-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1492-62-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1492-61-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1492-88-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1492-86-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1492-54-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1520-27-0x0000000140000000-0x00000001404C7000-memory.dmp

Filesize
4.8MB

Download
memory/1520-1-0x0000000140000000-0x00000001404C7000-memory.dmp

Filesize
4.8MB

Download
memory/1520-7-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/1520-0-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/1732-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1732-52-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1764-370-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1764-235-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3232-114-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/3232-45-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/3232-37-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/3232-44-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/3232-36-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/3952-19-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/3952-9-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/3952-94-0x0000000140000000-0x00000001404C7000-memory.dmp

Filesize
4.8MB

Download
memory/3952-10-0x0000000140000000-0x00000001404C7000-memory.dmp

Filesize
4.8MB

Download
memory/5152-106-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/5152-112-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/5152-109-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/5152-97-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/5152-100-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/5292-196-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/5292-260-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5292-175-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5360-173-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/5360-115-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/5416-371-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5416-249-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5492-129-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/5492-119-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/5492-130-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/5492-185-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/5492-120-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/5616-227-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5616-225-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5676-142-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/5676-214-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/5676-134-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/5676-135-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/5784-224-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/5784-147-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/5784-154-0x00000000008D0000-0x0000000000936000-memory.dmp

Filesize
408KB

Download
memory/5804-366-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/5804-215-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/5804-205-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/5956-158-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/6004-161-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/6004-242-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/6004-365-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/6040-231-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/6040-369-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/6104-170-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/6104-256-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/6120-219-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/6120-367-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/6192-258-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/6264-376-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/6264-259-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/6740-536-0x000001FB6BCB0000-0x000001FB6BCC0000-memory.dmp

Filesize
64KB

Download
memory/6740-517-0x000001FB6BCC0000-0x000001FB6BCD0000-memory.dmp

Filesize
64KB

Download
memory/6740-516-0x000001FB6BCB0000-0x000001FB6BCC0000-memory.dmp

Filesize
64KB

Download
memory/6740-518-0x000001FB6BCD0000-0x000001FB6BCD1000-memory.dmp

Filesize
4KB

Download
memory/6740-526-0x000001FB6BCB0000-0x000001FB6BCC0000-memory.dmp

Filesize
64KB

Download
memory/6740-530-0x000001FB6BCB0000-0x000001FB6BCC0000-memory.dmp

Filesize
64KB

Download
memory/6740-538-0x000001FB6BCB0000-0x000001FB6BCC0000-memory.dmp

Filesize
64KB

Download