d5b7ddea42d7eba146500b9cce0f11d5d9ab6ec0d9f61d17e86d9ff8d38ae61e

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26/03/2024, 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
Size

5.5MB
MD5

65f29e8539e793d264d0b44d4fb7b250
SHA1

75d136e20901b07e1ec40dfd92556a7fe3fa4947
SHA256

d5b7ddea42d7eba146500b9cce0f11d5d9ab6ec0d9f61d17e86d9ff8d38ae61e
SHA512

b2d7f4ae4aa840bceb312507e9ab29353b5b91ca1785c93eb9cf6cfd76ea781fd2b06a25a0a83048fa6d1970fc43072ca2181eab89ae7b332795151ff887589f
SSDEEP

49152:9EFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfx:BAI5pAdVJn9tbnR1VgBVmI+pFtFR

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4364	alg.exe
2032	DiagnosticsHub.StandardCollector.Service.exe
2404	fxssvc.exe
1100	elevation_service.exe
1148	elevation_service.exe
2868	maintenanceservice.exe
4164	msdtc.exe
3228	OSE.EXE
3928	PerceptionSimulationService.exe
3324	perfhost.exe
2804	locator.exe
3728	SensorDataService.exe
3124	snmptrap.exe
5156	spectrum.exe
5404	ssh-agent.exe
5728	TieringEngineService.exe
5888	AgentService.exe
6000	vds.exe
6084	vssvc.exe
5224	wbengine.exe
5548	WmiApSrv.exe
5764	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\feb083a990ca9c2.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{A57FE46C-6BD7-4436-B4ED-1F7F22B87421}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006082652d117fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c9539f2f117fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000850f312d117fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003f45c72d117fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000342aa92c117fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133558850394891025"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000023b51a2e117fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005ab6742c117fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
4472	chrome.exe
4472	chrome.exe
4692	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
4692	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
4692	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
4692	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
4692	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
4692	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
4692	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
4692	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
4692	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
4692	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
4692	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
4692	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
4692	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
4692	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
4692	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
4692	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
4692	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
4692	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
4692	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
4692	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
4692	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
4692	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
4692	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
4692	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
4692	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
4692	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
4692	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
4692	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
4692	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
4692	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
4692	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
4692	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
4692	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
4692	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
4692	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
6124	chrome.exe
6124	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4124	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
Token: SeAuditPrivilege	2404	fxssvc.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeRestorePrivilege	5728	TieringEngineService.exe
Token: SeManageVolumePrivilege	5728	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5888	AgentService.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeBackupPrivilege	6084	vssvc.exe
Token: SeRestorePrivilege	6084	vssvc.exe
Token: SeAuditPrivilege	6084	vssvc.exe
Token: SeBackupPrivilege	5224	wbengine.exe
Token: SeRestorePrivilege	5224	wbengine.exe
Token: SeSecurityPrivilege	5224	wbengine.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: 33	5764	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5764	SearchIndexer.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4124 wrote to memory of 4692	4124	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe	87
PID 4124 wrote to memory of 4692	4124	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe	87
PID 4124 wrote to memory of 4472	4124	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe	90
PID 4124 wrote to memory of 4472	4124	2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe	90
PID 4472 wrote to memory of 4176	4472	chrome.exe	91
PID 4472 wrote to memory of 4176	4472	chrome.exe	91
PID 4472 wrote to memory of 4972	4472	chrome.exe	97
PID 4472 wrote to memory of 4972	4472	chrome.exe	97
PID 4472 wrote to memory of 4972	4472	chrome.exe	97
PID 4472 wrote to memory of 4972	4472	chrome.exe	97
PID 4472 wrote to memory of 4972	4472	chrome.exe	97
PID 4472 wrote to memory of 4972	4472	chrome.exe	97
PID 4472 wrote to memory of 4972	4472	chrome.exe	97
PID 4472 wrote to memory of 4972	4472	chrome.exe	97
PID 4472 wrote to memory of 4972	4472	chrome.exe	97
PID 4472 wrote to memory of 4972	4472	chrome.exe	97
PID 4472 wrote to memory of 4972	4472	chrome.exe	97
PID 4472 wrote to memory of 4972	4472	chrome.exe	97
PID 4472 wrote to memory of 4972	4472	chrome.exe	97
PID 4472 wrote to memory of 4972	4472	chrome.exe	97
PID 4472 wrote to memory of 4972	4472	chrome.exe	97
PID 4472 wrote to memory of 4972	4472	chrome.exe	97
PID 4472 wrote to memory of 4972	4472	chrome.exe	97
PID 4472 wrote to memory of 4972	4472	chrome.exe	97
PID 4472 wrote to memory of 4972	4472	chrome.exe	97
PID 4472 wrote to memory of 4972	4472	chrome.exe	97
PID 4472 wrote to memory of 4972	4472	chrome.exe	97
PID 4472 wrote to memory of 4972	4472	chrome.exe	97
PID 4472 wrote to memory of 4972	4472	chrome.exe	97
PID 4472 wrote to memory of 4972	4472	chrome.exe	97
PID 4472 wrote to memory of 4972	4472	chrome.exe	97
PID 4472 wrote to memory of 4972	4472	chrome.exe	97
PID 4472 wrote to memory of 4972	4472	chrome.exe	97
PID 4472 wrote to memory of 4972	4472	chrome.exe	97
PID 4472 wrote to memory of 4972	4472	chrome.exe	97
PID 4472 wrote to memory of 4972	4472	chrome.exe	97
PID 4472 wrote to memory of 4972	4472	chrome.exe	97
PID 4472 wrote to memory of 4972	4472	chrome.exe	97
PID 4472 wrote to memory of 4972	4472	chrome.exe	97
PID 4472 wrote to memory of 4972	4472	chrome.exe	97
PID 4472 wrote to memory of 4972	4472	chrome.exe	97
PID 4472 wrote to memory of 4972	4472	chrome.exe	97
PID 4472 wrote to memory of 4972	4472	chrome.exe	97
PID 4472 wrote to memory of 4972	4472	chrome.exe	97
PID 4472 wrote to memory of 3872	4472	chrome.exe	98
PID 4472 wrote to memory of 3872	4472	chrome.exe	98
PID 4472 wrote to memory of 2092	4472	chrome.exe	99
PID 4472 wrote to memory of 2092	4472	chrome.exe	99
PID 4472 wrote to memory of 2092	4472	chrome.exe	99
PID 4472 wrote to memory of 2092	4472	chrome.exe	99
PID 4472 wrote to memory of 2092	4472	chrome.exe	99
PID 4472 wrote to memory of 2092	4472	chrome.exe	99
PID 4472 wrote to memory of 2092	4472	chrome.exe	99
PID 4472 wrote to memory of 2092	4472	chrome.exe	99
PID 4472 wrote to memory of 2092	4472	chrome.exe	99
PID 4472 wrote to memory of 2092	4472	chrome.exe	99
PID 4472 wrote to memory of 2092	4472	chrome.exe	99
PID 4472 wrote to memory of 2092	4472	chrome.exe	99
PID 4472 wrote to memory of 2092	4472	chrome.exe	99
PID 4472 wrote to memory of 2092	4472	chrome.exe	99
PID 4472 wrote to memory of 2092	4472	chrome.exe	99
PID 4472 wrote to memory of 2092	4472	chrome.exe	99
PID 4472 wrote to memory of 2092	4472	chrome.exe	99
PID 4472 wrote to memory of 2092	4472	chrome.exe	99

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4124
- C:\Users\Admin\AppData\Local\Temp\2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-03-25_65f29e8539e793d264d0b44d4fb7b250_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d8,0x2dc,0x2e8,0x2e4,0x2ec,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4472
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdde299758,0x7ffdde299768,0x7ffdde299778
    3⤵
    PID:4176
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1768 --field-trial-handle=1900,i,11033343254373841586,8573261969377464373,131072 /prefetch:2
    3⤵
    PID:4972
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1900,i,11033343254373841586,8573261969377464373,131072 /prefetch:8
    3⤵
    PID:3872
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2236 --field-trial-handle=1900,i,11033343254373841586,8573261969377464373,131072 /prefetch:8
    3⤵
    PID:2092
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3068 --field-trial-handle=1900,i,11033343254373841586,8573261969377464373,131072 /prefetch:1
    3⤵
    PID:3916
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3080 --field-trial-handle=1900,i,11033343254373841586,8573261969377464373,131072 /prefetch:1
    3⤵
    PID:3168
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4572 --field-trial-handle=1900,i,11033343254373841586,8573261969377464373,131072 /prefetch:1
    3⤵
    PID:2836
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4920 --field-trial-handle=1900,i,11033343254373841586,8573261969377464373,131072 /prefetch:8
    3⤵
    PID:2372
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4924 --field-trial-handle=1900,i,11033343254373841586,8573261969377464373,131072 /prefetch:8
    3⤵
    PID:1236
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:5284
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x24c,0x250,0x254,0x228,0x1f4,0x7ff7c80c7688,0x7ff7c80c7698,0x7ff7c80c76a8
      4⤵
      PID:5336
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      PID:5396
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff7c80c7688,0x7ff7c80c7698,0x7ff7c80c76a8
        5⤵
        
        PID:5420
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4900 --field-trial-handle=1900,i,11033343254373841586,8573261969377464373,131072 /prefetch:8
    3⤵
    PID:5720
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2612 --field-trial-handle=1900,i,11033343254373841586,8573261969377464373,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6124

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4364

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2032

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3248

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2404

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1100

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1148

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2868

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4164

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3228

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3928

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3324

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2804

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3728

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3124

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5156

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5512

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5728

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5888

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:6000

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6084

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5224

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5548

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5764
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2888
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
768KB

MD5
dc5bb81f7144541e92306450f8825af2

SHA1
713532568bc213081ab4600f342d1a13fcab6377

SHA256
0e6faaad2a646b697dc72de2847dfe879f2956aa3583318cc7c0221660797d5b

SHA512
b4c413f7ab6b26c59e649eda1c752fdf349abd9f53dee23ccc60e3249746abb0d2ec5879fad7ae50551b9e6c293503db67b7908737ac16b739852134ff8f6b9e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
79ad73928af214bcc59506cae9633245

SHA1
8126c6e3e602840df960eddb5802f28f0d279667

SHA256
588f14933d59d8f2d17303cd302109fe0d6058e388e5cccf6318dae65bdf9abf

SHA512
6ea7f94069c2b2ebaa122b115d210359a718c2d6c306c4af886fe743befa45a4a6b6fb25b9a7009d6cb1be498adbff54d7d9fffdf72786ccd58c32bc5b93cf30

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
c552f84f51e0b8a7337b2f69202134be

SHA1
5e9318afc859a9219969fb7a9eb6becb863000de

SHA256
f169bb84fe61767159b661b727ef7fbbf42ddaaa3a88607992c7c28046c388c7

SHA512
574883fb2761da4025cc4061ae9a8dd821a7d22c0d9c2ca58c35d9f176243943b147c47f9e040f5a7de7bb85502ec376004f1e49899ee3217ff4b5261013ec38

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.3MB

MD5
a77bdc4f8f928c581c6ac0dac72b68b1

SHA1
3741e41357b0e145399e2dd5c482a16ed5891ce0

SHA256
98b50f5af160283471145cb189149cbc6fb401eeb71fc6f16471e052384cc0ab

SHA512
27add541b5468d944ae404f257a311cce17a41bb20af1878da652db08a4a59a8ea7e5825445588d9f082ee0ae102401f2e2955bfdf325522e88edce08b32a1ff

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
6fc7960b077080daa021685cfc42be03

SHA1
e866caf3f4367db3c61fadfcba92f68e21b06218

SHA256
a54c485ebabb28acfc4e8fdd4336b052814d89fb6e33ab81beb7f28ce059dce2

SHA512
d75c74872b1a11cdef7d3e1a857f9efbde7292e1f4c3488b336e65eb8ca58e73384f3734193f72acffbf33d766440d803bb29ee8447571caa6ea8952e1c660df

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
77500c9ff0139e6f5c371ce092b988b6

SHA1
f4e1dae5be1063dce8330d5d2dfa835d1595a7c4

SHA256
9a95512cd849a02effcd312a2b3c7a08d41082c28a5cab062e12d22df88d5f20

SHA512
9c13eb650289553f81af12502a15b9c4085a6e48ed31b78515b6835c7464a1e37474c2552a06282b0dec3aa9e73ff53d5df9741448232bb4db49ecfece8b0b96

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
6b4f6883294a7e9fb7dd3211c56a2cfb

SHA1
9eb753d09e76ebfad7515d16321bac155614b1c7

SHA256
d9b077d542899c2c43530ee20c940eddf2f8396ea4d03e5522cb588a52036fe8

SHA512
91994f77aa7fc1fb70de353ee73aa8f4170a4993e31f08c3e8d70b2200e9d9ffb3b16c88bbbcc97dbb6f8d54df5b290db990957d9a1b8fc4aa49367ae31dcd4c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
1.8MB

MD5
ee50b687bd823a413ba2f2b979a91046

SHA1
01cbbbf42a3af7d5563fc5c1c7a2fd4aefc94c19

SHA256
d0ec2305504c96061231b8356709612f4cffb5912d11cd54b20fe9a9e10a40c8

SHA512
b89ac43227928abc68ad1b678e3716deb84ceab44b96582a411025b68e398816219763e494be3c216a1679f0c52421151082e85f9e38c7cc252355f82aab82f2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
1.7MB

MD5
ccaa9cda173efeff2d06746c21dc9ca9

SHA1
328e5669e7cab1826bb3f4cb9b084b646e22b34e

SHA256
5d5f4a29261bac3e88766ca8b906c0ab20da5e4628a15864a3ac4e63a978e617

SHA512
e032a42d55b9da0fcb8ee57640d903e90e8faf47243adde0db27222dd4f7d6e7e53a5425b9fffdb4193300912937ee4117970f81fb29a660ad26302a5bf926d5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
1.2MB

MD5
ca37cc908cafdcaea718773c37547c1b

SHA1
3799dc39b364ecfa931cb07c34f76f3beca70824

SHA256
5484ca4df4baccfc607b44a5d1d0dafd1995bdaf5e01f22d44085fdff878d9f3

SHA512
8413809491d7c37d8bf6c6d5af9dd07c3cc87f1afa4cb69f271cf435d1e99d1fb03e0cc16ed0dd423aacc082e9de72281340d44208e141a11734cb493436ce2c

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
b88c9632d574acf28ffeb48576df3fbc

SHA1
f7dea84ac2df3f3655b91f07550b6ac3ae526299

SHA256
0e90c6548adf466df07e12b6f04c8bf101cef417a579c885fafd815f81946b93

SHA512
eba3d43c7dcb7cd6cd281db4fc38dba50d7946afe2431119aea0e903d33c0d2df45ad0a6929d9c80f4ee9a3f2b0efce87ea0bfa24a206f7b8ea1a230fd8b0da9

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
5f4ca11c09f4afad9fcad5a1c1b8fda2

SHA1
57305efa09902494a58ba382d0adfdbca8d68265

SHA256
5b1605a3dc078dad59d7ab949b8bf9d66f561d20f0ce906055521d0e9e7cfd7c

SHA512
f09987b976088366bd1dad75dbeb5ed88ad734d9f33037b7dfbeea712f2e8759da0e059a633940443f80180c57d0e91246ce26df030e02b2130ee09e2b225bf5

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
6ca16ee1b030248fa688b1a27f625aca

SHA1
690065b186dcc8514d30fc7fdc67228ad1a3ca3e

SHA256
78774d78800f1b968626a7acbe8a6af8005f15bd8c113faf93a9c9bd1151f6bd

SHA512
18c23a06d6a09c8e85fa310076f9079592cb7b387cc63c8bebc44ff0f9cd516acc71065503a49d0fc988d86decbc1f906abdb17fecb4edb99bae1cd4dd17c121

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
1.5MB

MD5
1830ba2b0c138469170c6152846ef1d8

SHA1
2135ddf9fa8c19d2ae5ebb80329102f3f32bd3fd

SHA256
adb2c76d11b28c778228b73774925a122d1087fe555530faa48a676fa9610e7f

SHA512
0b12302f883ba8342e603ca99177a65374b0310cb868670d9cf9cc0704ca16c054e407bdbd3fdbad0eae593f72cd5666a825bb06387d9f5a094fa83969005627

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
1.6MB

MD5
b3c382a6a3971c1fd146807e94926485

SHA1
8d9a074c6c14a997a087b1b70982d8fc9fc15881

SHA256
03123d924db4dbc6241d5ce480b4f3e4829cb264ea67b37b2becbaed594b5913

SHA512
26dc7c8a9f3fe095cc3efaf8db040a9c3543f74e40b34d6c0a4e7a16b0267a10c9528315269f1692bc5d8348c53c805e78e715feac4afebf0e8af24bb91acd8d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
072c9b978edaf212ad5d993d966bec07

SHA1
0f584ee67b927da4097c9be0c50ec67789593418

SHA256
57c185e334beac50ab5e7b73abb6be0fa34e722edf4f015d96dc2b2ae9651ec2

SHA512
5afc6c8013421bb6cdaac1da63bf6234d34f623bf2778c1f3ab328131dd443e091458c2ed56a2ef0ae118a5c99a9d5ea3424cb68f18cca1ae317ec44f8890dfc

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
576KB

MD5
6f4bb42ea8d91144daa1197d3301b4bf

SHA1
885541e61602e4d8ed5e33953e78481d8dcafed9

SHA256
0424c80ee26dc7b413a115103c73273001c6ea9a03bc68daf2312e8b59ed20ef

SHA512
e7aa44335c2e5985441505182b874d1842e84766e1c91785d10c30803c0650843e2f78f766a6179b7c4af7ed206ed6e3c8059eec1361383f1f32f22a9922d0c6

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.4MB

MD5
91bfa8617c7a5e8d6829dab9ed35178e

SHA1
c0b9b58201a58045447eede4722d2d5b189fd462

SHA256
d550229beb329d362a1874ee15924b14b260779576726e5c8f32150d1ef5f6ca

SHA512
68a45f5cecc85db38ab649ae4d794e4d5721c410fc0201284298cac44d639928e860c658a60b35e25f17da0d2b927204cf4468a5b64c9276d032bb5d3925f5c9

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\53b8a152-2ad3-495b-ace2-2d54cc40dc6e.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.4MB

MD5
fdf9fce5645615d37c50e0530a468005

SHA1
cef39d5c7d13dd3d42177af28f1f346eff75b3f2

SHA256
943eeb94efdaf6b72e96e162d10ce1793cfd89bd81eeb729df4b781a72dcb45d

SHA512
b409cc62919441537375a4b5d83deabb358f2ea1f36ca7c31bae43c85c06c1013ab0ad9146d36e626156dbcb46a0d1d24cd84f0e321df880fef118d69b8c8295

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.4MB

MD5
da9180fc825a35bfa8ae17f0ebc859e7

SHA1
103477d29fcc2382df406d9a898296786113d96c

SHA256
1dd7c74f40caea14aaac10f23848462fd753de02895b39daa08b820c6e3173c7

SHA512
7306436e6e2bea0380236da1176276b446adc5b29c8ff5eb917d54c4f75d68d79a9aaa62c421cc912368943126ddcb749a3c76f17b01338feac1d397b4474c29

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
696KB

MD5
2e1f98d8a996eebb4aad128faed69a29

SHA1
e8be4d0d68a94fada48d580c104c7fae48db21c9

SHA256
4aef86125b36c6df713667764df9f00539303e32e8304620e8bc8ba1676bacc4

SHA512
096a08c877c9c43c9939608ad2c90a47ce9d6204ec5980c2ada22b492e4d033550d90cdaa46fbfe0bfc72361e67a315de46eb1f25fbc490ddf0cef9e00656610

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
b62bed683333c7edb7d5b79c0fbf60a8

SHA1
3b4e051242caf8004a764eacd9c858dc50800a71

SHA256
f432b78c2fc0866a3535b5665f40f99cbc16f7f5281806d9c341ed746b44065a

SHA512
037c581bc43bec68e622d5c82feec9594debc5cc10b6d7e3eb4c5a68a97b2b4533782a14355402d894b0d8fe9c840eb33ef786b7549cec0b30c265f29a9af9b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
97e7e979c61eb367b028153df2069986

SHA1
6738973307fef3a0f30281f165d77466c1299e42

SHA256
de355cb332e4a96088598ed0aa582901ae035c1ad0aad92e1d826843d5d4ba94

SHA512
7782492b476ef7641aa1502fb740d13fec3d1787aa9227155c3aaee2877cec4b383f4223fc42aad7530ed65c0f383e1fabd1b5a89a22a48600ea1e133e1ce464

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
38a7b142e3ffdf0220bb56da328162c0

SHA1
e46c4d6ba736ae3d05458d9d59739d74fad360ea

SHA256
344c2ce1cfd8553dcaa2374caedadf7de24ff73bc388e625edb6904360b74354

SHA512
689cb7d2dbc8c224ad108ad50297822e306b770cf46fa7f24bb4cef08f5cb0b694ca6b3ecc9ef9b1593ee5030f2d2e8388e573b06d009844438ba9aab44471b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
43d754ac7b4f20f2f9aff72adfa4c28b

SHA1
e4cd8337f35998038586c2a72470a229cae356f6

SHA256
cd650b58990504b597362d74b9641151929e1989f9516e969e319eeca87e5517

SHA512
759f4717aade07a37e2cf1f6dfca40b48d9c621e3a1aea61ffee9ff9c424c651ff8b94e0432f10c2829c498f3dc4b38a0a0fd28d793e52d2ea44407d14861e59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
5c3cecdb5bbca77ab2e9647974cd261b

SHA1
27f5a596691a0f0d4cb347a40f9da005addae265

SHA256
89d18e233a0e9d6346ca2a8ff79afea713464efb0a973b2459f1cc9cebf2af21

SHA512
ef88823bc0bf6f145fea2ba63c83d411a9fc3dda6ef885329824d38b2c11e977def345b7e74dbe5f90803704bc03c1d29552b5125d52cf14f8b732933da4951c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57ae12.TMP

Filesize
2KB

MD5
3c9afd3b143ff5816655b62cb76c71c5

SHA1
6486ff43edbf73818d5b897644e7ff2a72068d7c

SHA256
01e17964de0218e3345fd39a4706b3936e12f06af8b22969bf169add36513fc2

SHA512
5a672d116ed4eff2dbd167b41688c8790bda7cb4178069640ac4ea115452a737a3deca865347f938b40d0ea5fd5d72ad2eb7aaa4a8e846636377fd07b400b251

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
38917cd64c38e3c531687f56b75e3853

SHA1
8016e9da22279cee7dde0855f8e991df73cb927f

SHA256
aa5eb80ad6c200c4805e5445cedeed57adce9ce566d604010df8f8aec721c973

SHA512
717d4ccd410b0c0fe1196f864b223d09eb9224679f135c02a6a722872afe15ef8564de6212d04f3220bfd70d24258eabcabea36f797ca84c457ff269a04d4681

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\f32ad9bb-e3f7-4293-9b20-f539239bc71f.tmp

Filesize
4KB

MD5
65a6c3d1022ab9d6f9e2005ae3dec712

SHA1
4fa82427071797ce240f0ad0fc3e03a4a5756b65

SHA256
219ac9caf9bd4a7a038813ce450216b8f0728e66851fe849508311a06af62ec1

SHA512
e78e01f6f37d10010e6a905f3ee69de2a99dac6970a969bd23f2c2d2d8a7d93cb462716f9b64c3f1d55da971a503b0db3c076d7699cb2d3a06cffbd96a954724

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
8eccfb7cb418d407e5cd36040b5c379c

SHA1
7e9848f29f502d9b2f1d2f6cbb53e2bea4dc84b7

SHA256
be245d5a7139dcee89421c9c5896747493daddc6f2756fa6ee5899d18654e9e1

SHA512
3b2c4b8ff82faa58b6f26086df3fcbd56430f9f3be30db5373351d67c38e320a5cb977aa3dd506b76bd1dce53583f7f89c18c7f62f2c47e9b5857aa94eb5f500

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
00ceb771bd92f0aa39f84c030ca9c095

SHA1
0ab50d3d2a7626f375bbb94196de8be10573bc3f

SHA256
9e2a069c772fab6914b931a9fa1c0ab5d7065276ef541f88ed9af0a7a76b0ff8

SHA512
2aae4487fdfe7863b22754314b82a98174d40de6fbcbf33abad12403c0075c18db17ccb52652bc2850ef2f5b70552a1a2d7f709756547c0f0f3611170e2ba955

Download Submit
C:\Users\Admin\AppData\Roaming\feb083a990ca9c2.bin

Filesize
12KB

MD5
60a987e57c177906728f98a4b8456658

SHA1
423ef1c6e79d1b6c862bfa9e99f3cb0568c59f7b

SHA256
88a59d6ec1db29276a76b3cd6a38180b92c89cf16e71c8a8c1fc5c2e7e56c83b

SHA512
c07e5b9175020ee398d88eaad9a67af939f1a11f1f27bfd1890ea766addb3a9b12a541c7dae8fe93a48895371765c88e3db827402ac2362c10da6853d234e27e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
6f225e7cd4a3b6270331c04ea0443ae9

SHA1
b4c47a01af90e432cc9fcc26e1a8df5a3c23ee0a

SHA256
d04b4a3def37d6b8f79f8666a98e24f1fe71129210f24d339d5e418e5e5b7c05

SHA512
f0bd2b7aa2da88162c09fca96aa455c1374b499928898da7aae4ff279422edbe1f39349568c68a87087fdb1754e071f2614e38d2b622e1c0416f4ec64a8c3afa

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
d1da03f480b7045a3ec795e9e001531d

SHA1
71dbf6ef24fca1db8d46442ae577a2088b792aa4

SHA256
711c3f2924545f86e61c8cadd52301cc30e2af469ab4ca909090e8e6d0938cca

SHA512
38f88c328bc34ecb236315b0c8bfa515594eb00e60be1210c8008d5d247ebf1b68d674c2bc3e84e1f6bfaeccf56ee331c1c9cd162477db8d8db304e462d1fa0e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
1431608cc179ebb9b84dcdb4d3b0ea5d

SHA1
9035a341f8d21b34e89538ee031fc582892b500f

SHA256
4ea5dacd23960049c50239126b0a5e8084189fd081e3d0eb68dc2099bc155c64

SHA512
f1b3032c0442faa4a77bb19004b51202ebd3bf4a6289ad36f8cedb0df55d5d63e1bf84440a014892f4ce3d8f091ca68f0de243cd3ed547391b439b4f768cef4d

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
2abd3c197360ae4491df1eb87bdad229

SHA1
a59a3c0bdf71c219bfad10f8072d6fbfaf7d4257

SHA256
aaba78ea06d79dac8e1ff79250c53b2161d4489189c9c255f225d4e65eec028d

SHA512
8cd0ce514c44e1196eb2c514245f40d51a52c92aa783d59987066495e85219cd453f7fff76ad271599f3067086bcf0f6bad3059c5124a41eb4023af1a022a46a

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
f34bdd85eef4a93c7366f2e1dc9f6e39

SHA1
ddd468a239e80a99c337101931582b2a7d4a81bc

SHA256
ea4f799c92b3d287e6cb484b86c2c7cddb70002f8c3fe0d544da5e36105b90aa

SHA512
b199bc266e49c69ed369d1653a1b6b3ef59a963303b5e1ed68c4e6c410424d4607786f40da5efdcc5346f94b51f559fb3d69118c510f6c0283789d85ee152b20

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
9b2c7e08ee0e065be3441c2b389830b5

SHA1
0dc7c1523e45a6eb069d9a76b69668c7fb977a88

SHA256
0ad1fbe1edbbfe65e38e2895182569fe8d3013edae123f2fc3077307216bb283

SHA512
fd77865c7dc88830c0cc11ad50625b098529a0a92e268bb6243ad99ced5c2dffa883f1b6e2b700160293c3dc2abd5651bfe7c67775ad04e046a93e32dcbbede0

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
e10753bc90c77b2d160460b5518df1d1

SHA1
eb10c89cb107c744373f5ea15cd711194be07118

SHA256
61ce60d5f57c47d208843ec9733d72993ead348483574a3c6f397e612b50c85a

SHA512
392a33c458f887b7b945503fb397d37a349769c017a917488d57fabcb579eb156b1d6896e2cde38e11267411f59f5bff6eb08642e5fe9801b28cd80639954d02

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
48a5b57221e9fd1b9f73ba1e741355d9

SHA1
d58e18dc50147d7f91c7962e0f0265329f9728f3

SHA256
4e641f30b926b6f454cf173db7d71515a0d5861c00ebc0e0902e87a10cf2bb32

SHA512
b3378036c968c7e50be7b6ad51c0ca51ad2fc69476fe87dd8cd0a6a097536a87ab7402e988eec80f9ccd5e9a25f98961c2fc86b91fd7b67281608b47de8ea95f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
bd5f92e8672f40821ec8dbf7828912b9

SHA1
4ec82b681e81d4b7dfa3db936fdde33ad8d21c7b

SHA256
f4501ac41a4e7dbc3c4261ea091a3c9be323cb086bdc2a6a6c67745d3c9bbacf

SHA512
57e5669bbb996afcb79166696de3fcb19f751d8c53135213d7cfae11b5cbbad50bb1a5a25895e3b938edcf6c5fd112d852acc7034868a5bc92d1cf7b702786f2

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.6MB

MD5
b1cccfafae9ad294276f8bad2ef8d7aa

SHA1
a33d678c6e1f9c1272e5ecd62a994a091b5852d8

SHA256
0e8663898c4eed170efecabb6f4f00de54bb93d4a634c5ba6a4f2c5445596e23

SHA512
ce4378865250faabd7cc7503e5a2ad89d0739d41027c133571c904bd5a2193040c935c46ee5f42a437669aecc497a3defff437aaa35d758a4f9f5711f1edab3e

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
986e9759574c8ecbcee50a668cc2b58f

SHA1
9d5f08b770a63b558500d226272b1366cc9b5940

SHA256
07e8821901a3f42b1f8336b3979017135f2ae1ecd418d034504861e154ca945d

SHA512
a2633686ab11e0d2b09a3f392b83f5007ee8e486d3aad94682f75955d7eaf5dd646c4a8946f47edaa03be91eb4fe06eb7fa2fac82229faede2ad0f31a0d75e75

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
5949dd2a398c85e655de3a5ecfa5db24

SHA1
c1c48b08a8b42083ea55aa061c9226e5163d595b

SHA256
a393e2d41f3917cd855231d1fce4741acfe0ea9ac37c198bd578b590fe00e59c

SHA512
c1c401b0d37be57635619fd7dbaf6c7e1b0703a3fa993d39dbd66af00d854d178e5403e94f469ce668b9485cf77623b9530f75d8f5bea75a82a0e0de36ec9efe

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
1fdd09d0e1bdc5fbdd629460c1ddacb5

SHA1
2f34b61467957a60e80f863efbfe09c2ba0d1264

SHA256
a4987c1a71906a9e2cbd11fc7ceaf52eb42e65690944ebc9d27d92113004c108

SHA512
d52f30faa5e8add6d7a6fda9e34e1af7d983436c4ec61c75b3db2b6a60e5e8016952657ac0d8d3a5c95198d60b136f79e9fad23816dd3e6e1cff832255b1e1dd

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
e9695dfae92dd8cb8fad001e81ed06dd

SHA1
d9296c2de09ae5cb959bce98267a9a4c535bedfb

SHA256
b11eae55621d3da487351f3fb71c76cd3a8cd69300c4ffa02f02a43f70389be0

SHA512
0477a873ba933137026ab38de822dfe4300a508a45b9a93dc27228603c09144cfc98c5d6b291fa548e57b813bbfa71deb1912f8c210cbe3bd60a61bd1d47dbdf

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
bec3baa2b3a8333b6be1dd52378c0b15

SHA1
481dcfef0413f7440843373bf4f994ade8968318

SHA256
c43ab34fb11d66b89bb7f3247167e91422c36a92ca401c89a25ca49c500dbb59

SHA512
67a294be0d6584c0a677ec54d8c0cb09b8bb1adaa90b70eb94992abe9739451ad90ab2067db67ed0089f46d3719c2a908b87e52672cc7a1a7fa8108bff65ac27

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
1da262c077ca7d5f5195244fd565c1d4

SHA1
9e846aaeea0679e83a05198aab5d1a127b482219

SHA256
782469a26aaefebc3de816c756e48b8d213cac19863c461b28bdf0669122b310

SHA512
2b5fa1e667c76cf58b7656868bb1b479a7843fd95f16783733a0203dd74a0ab6d3ca3d36a313e0e122a185f576ae8545293ff4d95ad48ac1b7a1a0ab927377c3

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
59a69e44294e5780f84fd48e72477826

SHA1
e32cc4edd5e4f7adba833d980c51ee75643d6676

SHA256
32d323856cf6adb72425cb6e25fdcafda88ed9958c74487f99a6ead59b942094

SHA512
372aa5416490d12bd3894c93eb3561ad1aca4cc6c927f0fe4c847c9c3287a62e9318aa40c9344321b46a3dfe0e4c409b6901dae4a9f7f0715fef4700eecc10e4

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
d5876333db61bf609e2ccb48360ebdda

SHA1
f288440f9616f2c79542a1cee2b980eb4921c21b

SHA256
b9294f8d055166cd8c5ec79c2b2f11c340b6a8c1bd9655f5fbba51e49dd66203

SHA512
806c435b6b9eb14ff7e1937fa3449644aa3b07f59ee44acf29dec5b39082bd5431cbe7d2ffb1e77def6a004e765ef70676884ebb6a0ed6397489f10bcdf84fbd

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
1.7MB

MD5
d15796b4545652262482b10ecd581b71

SHA1
4a74666158a1c02c5cf31353e0d583c1c179b6c7

SHA256
dd01bc6af4ad4368af72fc9e5dfd7d75dcb2c970d3b165bf8c6c0e1f08258aa4

SHA512
0b1a8af99389184be748abac84c0b10cd2dfc1832112d0cb51aefbe2ef19ccc634ceae93946b365bdda1d10119af89cf1c4366d016d50e88fdd1694a37b5108f

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
e7e897e9c5de9ec18d6ff66635a8d992

SHA1
4b3a28993aa90d730936382cb819d73715330cf2

SHA256
6f2fd9563198f942cb53791d427a0b2cb473925d389f3fffeba4dc20bed41f8c

SHA512
80977ce58f99749377120a1d9f120779584abcdecb66faf9665b4cd95f6e8172d22128149375df9d68406da335a908096b0ce962e6d713d395f862600c49decd

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
1.5MB

MD5
086e51b36daf17494532fe247bd6f28e

SHA1
a34dae209cf77c3c09e778778c6c6aa94e6861fc

SHA256
181b9251f13bcdcdeb24380c2d5485a0174f99682cb769b3d62255a608f8f835

SHA512
ed3919a2aae753a91fdd046896b3fa3a392ef0c5e1e37ac429a42aae8819eb89cfbe5c00bf9b0e0d686748ea7c941b82b49e425d5a3331a62b7b553fee4a70e3

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
1799ebac618917d1e27de2ff3cc9c738

SHA1
0fa129a1caed04a1a9e0ca3731ee861343b5de8e

SHA256
b9f700da6423f168c47424dc35e7f864651564df9a5a971533122bbbcb1a6a53

SHA512
c6a3d093c7472613dd04e4a63bad995023baff32cc2a5135efc598dd4671bad43fb41cdb3c97b46aa163b77ad1e9f6929e235f805980292e7f4882039e30e100

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
425c180ea12ef16a679384c7fcfad549

SHA1
f766e62965973ea525a56c622c11d3ec1bd3ce84

SHA256
eb1aa8db4fdbc602cb3a3e92c1ce1ca3b65f76281ac9a49f419f3eb9014df07d

SHA512
ca166721ec027d67625f535534dcb8fd5b1f25e08bb5aa9fcac24c54fcd22c4140cfa78e61eb35bbb71f6957e4972537298c2f244211ec05bdd55c4497589f88

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
cedee8e8dfac30e43b9f3c04164befdd

SHA1
6b9e63b96900d0b1b4274cec73ff23e5cf24015c

SHA256
9e2eca48e72e4180b9e8130051aa4bbd90e504f8c4e61a517bfaff6ca88357f3

SHA512
1c335de2f8d9c482c5f336a265364dfa1e6d7d72e09dceff46b86443a12f54171ef2126efc8c7785fa8ed540ac0d1be931d23f281eb2ffad48f92db1e1192107

Download Submit
C:\odt\office2016setup.exe

Filesize
1.4MB

MD5
4991c4c889f3fbdf4f5f83bcc56440f6

SHA1
2c3136c7f138e3593b87f73c88f999d46fa4828e

SHA256
23bcc4319bb2444524327737b2042a3449c578b8b5ad0f188bddabac71928db8

SHA512
9cc193e24daaf7579983ea8717b53781bca0b1e173654a34963ad648a432324a5db4324d5442604ffb1944c2df9668c226d5ecdca0c564cf300066c1a70c9603

Download Submit
memory/1100-79-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1100-70-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1100-73-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1100-78-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1100-114-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1100-109-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1148-101-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1148-97-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1148-106-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1148-171-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2032-44-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/2032-45-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2032-51-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/2032-130-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2404-57-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2404-71-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2404-67-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/2404-56-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/2404-64-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/2804-183-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2804-176-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2804-268-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2868-128-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2868-126-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2868-113-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2868-115-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3124-300-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3124-202-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3124-212-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/3228-211-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3228-144-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3228-156-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/3324-172-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3324-252-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3728-281-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3728-196-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/3728-188-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3728-289-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/3928-229-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3928-159-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3928-167-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4124-0-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/4124-40-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4124-1-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4124-7-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/4124-33-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/4164-194-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4164-140-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/4164-133-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4364-30-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/4364-107-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4364-17-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4364-16-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/4692-24-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/4692-99-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4692-11-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4692-12-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/5156-312-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5156-231-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/5156-221-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5224-335-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/5224-326-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5404-325-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5404-239-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5404-254-0x0000000000450000-0x00000000004B0000-memory.dmp

Filesize
384KB

Download
memory/5548-362-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/5548-346-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5728-278-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/5728-343-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5728-271-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5764-373-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/5764-366-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5888-282-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5888-297-0x0000000000B50000-0x0000000000BB0000-memory.dmp

Filesize
384KB

Download
memory/5888-296-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5888-291-0x0000000000B50000-0x0000000000BB0000-memory.dmp

Filesize
384KB

Download
memory/6000-536-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/6000-302-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/6000-309-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/6084-313-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/6084-321-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download