d20910c2a8d9439b1a8c01f58468905c3cf953dacf7346dce9e3b0318b2ceae1

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/04/2024, 15:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
Size

5.5MB
MD5

fba405f5b61d0108da0ebef85e28f9f9
SHA1

c1eaa5b339035a6b7f6502e43ecf37b7de335ac6
SHA256

d20910c2a8d9439b1a8c01f58468905c3cf953dacf7346dce9e3b0318b2ceae1
SHA512

f8b2e30585ca5615fcdd145d1b27c3e0e273641661f3a6d9a9e9fde3e45a27e6e1a6ee68faa94479cc5c4854d193365dcd71f4b01f3275f5af3062ba6473a3cd
SSDEEP

49152:bEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfB:HAI5pAdVJn9tbnR1VgBVmDnlS

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 21 IoCs

pid	Process
4836	alg.exe
1088	elevation_service.exe
764	elevation_service.exe
2376	maintenanceservice.exe
3312	OSE.EXE
2988	fxssvc.exe
3692	msdtc.exe
3412	PerceptionSimulationService.exe
1080	perfhost.exe
4860	locator.exe
3480	SensorDataService.exe
4660	snmptrap.exe
1408	spectrum.exe
540	ssh-agent.exe
676	TieringEngineService.exe
552	AgentService.exe
3792	vds.exe
2196	vssvc.exe
5092	wbengine.exe
5016	WmiApSrv.exe
1264	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7956302212d07ad8.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91140\java.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e0436eb96a87da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000db7f4ab96a87da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133568030524108841"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007ffd4bba6a87da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000802892b96a87da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000049e24cb96a87da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fe408db96a87da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
4228	chrome.exe
4228	chrome.exe
112	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
112	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
112	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
112	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
112	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
112	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
112	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
112	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
112	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
112	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
112	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
112	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
112	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
112	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
112	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
112	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
112	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
112	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
112	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
112	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
112	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
112	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
112	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
112	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
112	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
112	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
112	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
112	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
112	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
112	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
112	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
112	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
112	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
112	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
112	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
4916	chrome.exe
4916	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1752	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeDebugPrivilege	4836	alg.exe
Token: SeDebugPrivilege	4836	alg.exe
Token: SeDebugPrivilege	4836	alg.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 112	1752	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe	85
PID 1752 wrote to memory of 112	1752	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe	85
PID 1752 wrote to memory of 4228	1752	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe	87
PID 1752 wrote to memory of 4228	1752	2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe	87
PID 4228 wrote to memory of 4232	4228	chrome.exe	88
PID 4228 wrote to memory of 4232	4228	chrome.exe	88
PID 4228 wrote to memory of 3052	4228	chrome.exe	91
PID 4228 wrote to memory of 3052	4228	chrome.exe	91
PID 4228 wrote to memory of 3052	4228	chrome.exe	91
PID 4228 wrote to memory of 3052	4228	chrome.exe	91
PID 4228 wrote to memory of 3052	4228	chrome.exe	91
PID 4228 wrote to memory of 3052	4228	chrome.exe	91
PID 4228 wrote to memory of 3052	4228	chrome.exe	91
PID 4228 wrote to memory of 3052	4228	chrome.exe	91
PID 4228 wrote to memory of 3052	4228	chrome.exe	91
PID 4228 wrote to memory of 3052	4228	chrome.exe	91
PID 4228 wrote to memory of 3052	4228	chrome.exe	91
PID 4228 wrote to memory of 3052	4228	chrome.exe	91
PID 4228 wrote to memory of 3052	4228	chrome.exe	91
PID 4228 wrote to memory of 3052	4228	chrome.exe	91
PID 4228 wrote to memory of 3052	4228	chrome.exe	91
PID 4228 wrote to memory of 3052	4228	chrome.exe	91
PID 4228 wrote to memory of 3052	4228	chrome.exe	91
PID 4228 wrote to memory of 3052	4228	chrome.exe	91
PID 4228 wrote to memory of 3052	4228	chrome.exe	91
PID 4228 wrote to memory of 3052	4228	chrome.exe	91
PID 4228 wrote to memory of 3052	4228	chrome.exe	91
PID 4228 wrote to memory of 3052	4228	chrome.exe	91
PID 4228 wrote to memory of 3052	4228	chrome.exe	91
PID 4228 wrote to memory of 3052	4228	chrome.exe	91
PID 4228 wrote to memory of 3052	4228	chrome.exe	91
PID 4228 wrote to memory of 3052	4228	chrome.exe	91
PID 4228 wrote to memory of 3052	4228	chrome.exe	91
PID 4228 wrote to memory of 3052	4228	chrome.exe	91
PID 4228 wrote to memory of 3052	4228	chrome.exe	91
PID 4228 wrote to memory of 3052	4228	chrome.exe	91
PID 4228 wrote to memory of 3052	4228	chrome.exe	91
PID 4228 wrote to memory of 3052	4228	chrome.exe	91
PID 4228 wrote to memory of 3052	4228	chrome.exe	91
PID 4228 wrote to memory of 3052	4228	chrome.exe	91
PID 4228 wrote to memory of 3052	4228	chrome.exe	91
PID 4228 wrote to memory of 3052	4228	chrome.exe	91
PID 4228 wrote to memory of 3052	4228	chrome.exe	91
PID 4228 wrote to memory of 3052	4228	chrome.exe	91
PID 4228 wrote to memory of 3140	4228	chrome.exe	92
PID 4228 wrote to memory of 3140	4228	chrome.exe	92
PID 4228 wrote to memory of 3560	4228	chrome.exe	93
PID 4228 wrote to memory of 3560	4228	chrome.exe	93
PID 4228 wrote to memory of 3560	4228	chrome.exe	93
PID 4228 wrote to memory of 3560	4228	chrome.exe	93
PID 4228 wrote to memory of 3560	4228	chrome.exe	93
PID 4228 wrote to memory of 3560	4228	chrome.exe	93
PID 4228 wrote to memory of 3560	4228	chrome.exe	93
PID 4228 wrote to memory of 3560	4228	chrome.exe	93
PID 4228 wrote to memory of 3560	4228	chrome.exe	93
PID 4228 wrote to memory of 3560	4228	chrome.exe	93
PID 4228 wrote to memory of 3560	4228	chrome.exe	93
PID 4228 wrote to memory of 3560	4228	chrome.exe	93
PID 4228 wrote to memory of 3560	4228	chrome.exe	93
PID 4228 wrote to memory of 3560	4228	chrome.exe	93
PID 4228 wrote to memory of 3560	4228	chrome.exe	93
PID 4228 wrote to memory of 3560	4228	chrome.exe	93
PID 4228 wrote to memory of 3560	4228	chrome.exe	93
PID 4228 wrote to memory of 3560	4228	chrome.exe	93

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Users\Admin\AppData\Local\Temp\2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-05_fba405f5b61d0108da0ebef85e28f9f9_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d0,0x2d4,0x2e0,0x2dc,0x2e4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4228
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff87d039758,0x7ff87d039768,0x7ff87d039778
    3⤵
    PID:4232
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1884,i,7855321905673704729,3524766233787761291,131072 /prefetch:2
    3⤵
    PID:3052
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 --field-trial-handle=1884,i,7855321905673704729,3524766233787761291,131072 /prefetch:8
    3⤵
    PID:3140
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2044 --field-trial-handle=1884,i,7855321905673704729,3524766233787761291,131072 /prefetch:8
    3⤵
    PID:3560
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2972 --field-trial-handle=1884,i,7855321905673704729,3524766233787761291,131072 /prefetch:1
    3⤵
    PID:3700
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2988 --field-trial-handle=1884,i,7855321905673704729,3524766233787761291,131072 /prefetch:1
    3⤵
    PID:4424
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4604 --field-trial-handle=1884,i,7855321905673704729,3524766233787761291,131072 /prefetch:1
    3⤵
    PID:1284
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4680 --field-trial-handle=1884,i,7855321905673704729,3524766233787761291,131072 /prefetch:8
    3⤵
    PID:5028
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4780 --field-trial-handle=1884,i,7855321905673704729,3524766233787761291,131072 /prefetch:8
    3⤵
    PID:2172
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 --field-trial-handle=1884,i,7855321905673704729,3524766233787761291,131072 /prefetch:8
    3⤵
    PID:552
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:4128
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff63ae17688,0x7ff63ae17698,0x7ff63ae176a8
      4⤵
      PID:1964
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      PID:3888
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff63ae17688,0x7ff63ae17698,0x7ff63ae176a8
        5⤵
        
        PID:2208
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5456 --field-trial-handle=1884,i,7855321905673704729,3524766233787761291,131072 /prefetch:8
    3⤵
    PID:4940
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3912 --field-trial-handle=1884,i,7855321905673704729,3524766233787761291,131072 /prefetch:8
    3⤵
    PID:2616
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3608 --field-trial-handle=1884,i,7855321905673704729,3524766233787761291,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4916

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4836

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1088

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:764

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2376

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3312

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1156

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2988

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3692

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3412

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1080

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4860

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3480

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4660

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1408

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3160

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:676

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
PID:552

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3792

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
PID:2196

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
PID:5092

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5016

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1264
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:264
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
de8d35d7a717569aafc2210866838e83

SHA1
a4cbd8f418882ceb5d56f5ea87e4b95955310691

SHA256
7ed6853e651970cada56cb306c7e70c667f79c24edbcb48f2c89382352f84bb0

SHA512
33f0bb6d2b9dda0c14c8a7db22ff66bb42615df9195e4a6b3808de1a7ab0e7e846649989f6dca04b926362ae3ec092ff379a3fa1f991f617ebdf8207f9e0e4c9

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
eba3191ad5050f5b88e3e514d113e3cf

SHA1
24a1dd6a4e86ee1f82404691e38e97e675603472

SHA256
5b8e397648d174330e58297128583304bb7fc147a90830b13add0ee67cdcc439

SHA512
ccb61564513cf40e12aef2c34ee8844dda60de478269a064bcec413c1d59f976c17ccf269d6faddd9e62eaf06c723e18821fce4093f6565290efda2a45652bc3

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
fac2eadeca5a8a5231bec6a85a0f4c48

SHA1
9b5dd0ffa7836a0605fe4f7e43601e7281b5b3f6

SHA256
6ebd4493fec4b8dd12d389e9330acbd87bbadf4fc2d9090e1cc52aa9cf587414

SHA512
7e634eaf915e5767730aa41fd19217514f1eceaa0f604f37fb66b4dd0ce541a18e4ddc4e7dc91c3a6ad5a3c95b981454e7a7cf7f2813f5898807640f1a2a5f6a

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
4257275c06366557f8ef2b80928abbad

SHA1
558f51111816dd91c5463114af8fa416c0e423ac

SHA256
b780dc7aab7c80412d513b8fe0a78c6a655a1217a24a8787aac72ba074af70ee

SHA512
a97477c239d89225fce61c1950b5eee03d2612153537b94db6671e532da02640594faf0e628f9d7944e264c2644158c7fc3f272fd7d45e249c532855b50787e7

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
1dc7a96e2483a9742b544580aa8808b0

SHA1
cdda02f04344094505538ab1bd52bb106f96bb75

SHA256
da59424ced5dc8fe5f531c236742bd00fe9dff30086cb04b5b02ae892c4e6409

SHA512
63ee54ddd385ea40d20c74730850d361bc33faf30c5e6b39a56ecd03be2175cb7605615bde4bf4a3934e6f5acaff564de2765e134caa44ed3bf03e80ab66b96f

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
48a67458184a15d8527606f040406bda

SHA1
4ac262b00b5778c2b113191e406235bb3bbb5a6f

SHA256
66fe888d7086cf12397456d9e75efb31290d4cff84c7178a4c834c06cf3849fd

SHA512
aeaaa6e7c6efa2af074a55aed5ddec9f8a5a408c90ed7e96f4d9a1cc023d463d0c71663dbec7665551ea458e8dfa0a400110c894cf2e95ad51827a9c95e8c7de

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
14655a8a110342e4e349b0bcfe80a246

SHA1
fa03b955946d611f91c75983768d3d64641ec3d5

SHA256
2590b0d919f1251bc3b57936f0a16ccb8b70f52391a97212538f209edd5a4cf2

SHA512
b3136aebb8fe2bb541d5a139d73ff988e42edcf9d2a487f3589a6ba643796b76a459af64f638c8a0bc9848d314043520fe5752917b78d5dfc40c978b87ef2d33

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
8090a5b61d70981c3b2bf7fe416dd0b5

SHA1
01f20d9db972a306e5a470e260b45d986e076f0d

SHA256
f327d2555c7753f5fdcf7ea08bc5f0dfbf0ad20d0109f250c321cc1be215a675

SHA512
3c4a0678ca8fd19be583198c7fb0373bca523512db9d47d6ac3c130d9915e6ed9bbba7b61f17497c96f5d6dfedebfdea280ba91924b8c95dc218d5f894f6bdf7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
3fe1ff3132d4f049ca5ed8151eb4bca0

SHA1
0d1fcdc44826af833e96a5afb8b47b0b9714aa32

SHA256
c99710a1e5d05a7aed07291a09206590fe3a2bfc06bd52bd76d055b1c7ee0640

SHA512
4c6bb3efd9704aebea8300815336a2107d99155f51357d963410c1c032c3448b2a1fef83299ebd65005962732c71e9b3a3578df27201ebc722fcae410d3be8d6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
a9429599866d980e8e20f0d4ae77c501

SHA1
34d4feecec730a1482c7cc5835bb7ff5a5baecc7

SHA256
f94083975ed44e900ab4196804f7caeac89f54d9e4df010914f3adb7c0054be3

SHA512
e800ea8783ef9a022a32a1c2289bc68e83d85ea8a9c167d18a2ac9a231d645264e96872be21d160baced708e6bb9ad2b2b45fed3dce81ef91ec4ea2a874fb330

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
35de0982f331ab43904fc795238a9b18

SHA1
54d1bf88b6efd3b2073b2a3725f366c46d327dde

SHA256
2fffe94c8240aa96be5a3e0855c662a6164230f92670903a1bc0123ddc9c475e

SHA512
67fac794f813271c1e30b5371b05ce33c7f51efdcedb9bf7b422317f6c9ecb03692fa7038e8b8a653701edf888e9e22c68c8b6e99ccd6bc30d4801ccfbdecc1c

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
5d49ccab0322f37380cdb3aec5fded8c

SHA1
527d76af34b683843ea3f1c3fe3ebbf19b826e17

SHA256
ff76f522ebe81a31987241260ee1007935c99d0da32257ca2544d24c016c134e

SHA512
22a9e5babc65e7b92b26c8974897ef52cf6832a3165b72d6c1130150fbf9d8543ea5196715f49c80105ced5c448f88b4e430e24df5a0ba0f21cfb2f9d0f9a86f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
375ac090f68cf2b33680b0ed657ec851

SHA1
e8839602f93529a7ec9c9472869f2a8554531ddf

SHA256
861ee65eb688fe33b625ac4dddd76dfdf3945c88cc648805816cee800586aa8c

SHA512
a659aafff2e93133e174494aa69f8f6e1d97b50d3ea4f13560b6650b99e477049c3cf26b0d3a160bff95b37199a0618b731ef2b1a56e0efa1e74f95302c00dc4

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
a046fa4687bfde3364a987e756b38063

SHA1
6fdb5c7d74ae0beaaa863fd94f08a486a75b81e3

SHA256
b748ed89ba9479b62eb17553e827a5b09e3d6d7d25329fd3acb77c7f9f2f4330

SHA512
907ac37be186601723ed26a8c281ff1d71f884959ea58a07490e621b6df57efc9a2303d41e04a5047168aafbf4a2736095e8e52e7b933291aeae926fe34c5c2a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
7465c6c079968aadd7342878aa79c2e4

SHA1
28b512c3cb2ff20d1a91dce687564041a4328eaf

SHA256
9ccedaef369008e65acee12b39e10827bf9d79fb09b5d2bbdccb9f2871882659

SHA512
e65dd6a1da16fc14918064d6a710ea7cd586ec49054e9cbb63e8ce5e7d83ab55607d96ff73bb08d3e8e5e69449f4e0b72c579f3b610f04077feb921d1cb509fb

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
11e9a528fc92b7a99e1f1b27ea49344e

SHA1
6d2f022ff31dd0512fd5624626a31404f6e9e244

SHA256
e0fbbbb5b164696e72af4f27907bc96c0514959b2fe8736c04fe40113b2ac1bb

SHA512
912a006f657da13ce32d8976d7c3ca1fead4cf8debd68a895e19aab51167014af6ac35fca569938454833aba92a04388313ebbea90e1126c8f19f5ab32f3ac5f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
f855e7b24837fb619232c83791d2fd8c

SHA1
2bc9f0fefe9c8ab594e9ac70975c1afb550e7d8b

SHA256
0ac9054dcae78b6ce4a5bb90dd2bee0a50d16c96c4515ae66db2e4193e5ed01b

SHA512
a9b1ba1d207a89915f8d4e1690342372df5bc0ae1756297e3778d31ecf0bc8dc4c70071f44b347200f1e926fba36113f79a7347ae94f3fd6dba32f25ea51c186

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
5f9d0f625681d4b2460bab05c55be546

SHA1
9f7494672e222183258f3f406b4fc49492e28a55

SHA256
7444792d211b680517ebad2f89e39720f2a8d15615b1e4dcd37426276c81add2

SHA512
8549a56de950c7c22ddd01d3c7e2162e50116d1b1dfcfa612f11046b4ebbdb1ac8f65da37973aa127c0bd71d785b3bc5904a596c293b50686bce2354aeb1904c

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\a7677e36-a62d-41d0-ae5e-e04a6f8c3404.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
5b734b71a8b1d80d1d769d5c57610427

SHA1
3c0191151bb7e11600f83f5320bff1da8b4227df

SHA256
f098e2d90b5f497268ee65135ca12cad666af8c0f5769450d1e147ce290e1049

SHA512
4511c2fd70ae190261d12010fc57c9e184e7fab76d740e4d35c1afc504c3edc89728ef8158aef0b39b0d6f1fcceeec349726a48f19f9272fb63deb49b408ca61

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
4b35e2682cf6e19065321bfa086e722b

SHA1
0ff373a926aa47b3d2cc7d6ee0c20f5af73b6996

SHA256
7781161fc25395411c50831be3872ff7a39177bb11b8fc0386c0e9fdfc1f7c3e

SHA512
b3df0925f03c90336f30e151ffc359eb5465e44df92fa406d359ee4f656edb60aad7530e216972cb97c26ff94dc8f5795cd2f519a6fc8eeeeda7cf9eea207cf0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
a48721b2187014e2485f84c9e63a9be4

SHA1
fbe38778aef38b303999b4a509df2e1a8a162ec6

SHA256
ee8ffe0893413958818178d17d9ec21d397cde1c84c67ace7eddedf050092461

SHA512
ea6e7708c02bb8d4c846610dcde8ae8ad6a5a30c5399e4ff6c8364004ae78b813b40fb9139b81ecb379c1c6242d8adaa9fcc63d7202ba2c7dedc6cce51622e7d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
95f7877c50f739396a4eb237cf72332f

SHA1
daa7cdba8c135074fce87c20005b6e662b637d39

SHA256
192348ba2124c37b6d0df2cefde5fbdf26e8dc29765bc7f434a6df11b22879e6

SHA512
178b419bb8022f0bdc9e36c4424259906e5df4e4249336ab81460a7974a3e303c399e04448a6a9f9eb227e63d1b4db12caa37468b17a0ca85d7ca2e4a020a87c

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
37a271fc4065b895649db5a2d4cee788

SHA1
05f1d29c262e53e87a3ae9d74488f4ec291e84e0

SHA256
adeeae6663962486c001596251197be5e73bd7b1246de4ffb0d0db2ee048b718

SHA512
a3d068b1555617e419d217180837a776a3bd05f1e5b569f1c6759db73cb510ce29af5b8b272e950d21f9c9d80632ac867b0c6fcf1208de8c0acf67d73c0613ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
99cc49358cfa3628888247c84b312722

SHA1
72df90d4341e204b5d695a65f8f0575d75d6d342

SHA256
570055b300595d9bee19cd486aec73f2e432043cc1a510b5075bc55da6b32757

SHA512
1b3f0129c396f2e582b6e1316e622f9faf71776e5878c95e71a961e4851f9aa90b651f0e3c3d406602c79f377776df5c8353578f44673359088ba16998fd614d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
2a24a92ce21f6fdcaa8878b30cb73e27

SHA1
bf073c66d874abaa066b6c185984d3a55dfb7c17

SHA256
a003f54ac906cee25ae442272d74714fccac6ef724b8603275add6e318a940f8

SHA512
7ea0e2936fadca1b61ae4aae263ab35fb113808a84c717d381e01f0241c72e38dd7b758d29dd98ababfb4e9a9f09379584d0e875bec2db7a6d1f0a0a308c84c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
dc018137a4bf21ece9f1a9f1262f2aa8

SHA1
ba47b9cf613115015015deaf622154c355a3e6d3

SHA256
37f99534658749d5a9e4d5eac8ab7f40e70b99c4287ec45084dfde2bdeeffe1b

SHA512
fcb30e6cf180f583025549abc22186d58f1789bb7598760fcaef027f8466047284ef2cf971fc3d24fb144b6f78baa039333e0b4625cc4232e082baff19516f73

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
8f5965973e5d2882aef7974d5aa0429d

SHA1
ce6b667cdf5a68ded89c444f8238fa666ecb6675

SHA256
dfe40083a6e593d60d5309ba852694109461fbc27e6920ef4260b28ca9da9abf

SHA512
1140508a2ec639458a6cb52bbee07fbd65fbe7bd0de7880ef20a683dfbf57cc12c7ccfd2007d8b1405afc67a0c1fa2b6655f2c7bc2e53df1be6b5f6d5da7fc76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
83bd5dc800db48c38eeddfb75ff1658c

SHA1
bea96e2d374b4f0e0fe569729739dba7570df315

SHA256
f8c83d95a2a0404a7adca87af23fd73309672a19e5766b630714e1d69029332b

SHA512
baa0e7088e55dcea791de84624d29a5d200d78babbafe59a225d49f5f64a302c56cf09cf470f36463420c352e50b2f898c6256d328b477f7d75929ebcf417cd6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
000753d5ec659b66301b8aa53ec11848

SHA1
ec6fda3e0821855de15f14597eacd737d135c791

SHA256
01c053663a7ef3a0e98cdc4a04ec009dc6bf57456eadc13f54b85c4553605a76

SHA512
a3e3eca007519c39a30b8cb9dfae5c3d027f63b8af10547410fe669cc920545d97e94bac1fece7c44d37765bf4977366c703846e223162bcd684c1099c4c4c7d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe578184.TMP

Filesize
2KB

MD5
9789813c7b351abcd4b4cc4821874f82

SHA1
3c3839cb1e6fcbd66f3c6dfc092f3aa49c057c03

SHA256
899961eb96b3c34c8a0b0bed8f6e6d81c5979592af5cc0144590b71e394bf7b2

SHA512
9c8dce395a863812d3b050b5068e97301309e46ae0c69f6ee0f8539f3dd453d269bfe4865d4afc6a8518e4b85ac49f8901fc937ca19da27a1e5bd178e3774a76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
31677d2d05b17f602f434450ace9a0f2

SHA1
0a507b17810a18b60aa50379e03ae0f9dac57b04

SHA256
ccc3410189208db2ebf38809d67170ae3aed9122fd90b6e7c7fd3dc147d79901

SHA512
e0a0b175ba07c0e9adf82e44973b197b91001226be8780a311655179e39ee2f278b5e2d53b0dd397fa445e3eb333146fe71022c725044269ae6d298a0b6605bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
260KB

MD5
232f1aa9248ba186a988f21b545e24d3

SHA1
47302e360901975504888908c30678cb0c673cc3

SHA256
a2be394c5dcf91c35d3399be8aadfcd73524695edb7522e31ca456edf0b396d3

SHA512
c8bc3f7d963dce7b5f272bf0c974d6913047b4ae05f846d61a48ce3fa1223c5251d48ccf91f828b4b50005118f418ed8b96114456538c7bf20624e579ca1b5ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
66d4b34ebba1a8d736df1163a2df46d8

SHA1
0fde9b300fe010aea636ce88928271c6fd9230cd

SHA256
61eb0d62053f9a7acfdfe7670d29c899c4a17588c35c0f6619f8ac5cc3e9b974

SHA512
a99fb31df4e49b58de96bf5898dbf922bdfca2f572f72606957869de49fac0c48532c50bd4a76ce99849a313234a527b51c59fe6c380bbdb2878054cd1947d6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
44b56876085eddf1d9f5f1cd211cb389

SHA1
c14296b00335475bd71250f7100b8f7057862fb9

SHA256
54f5c6f66642a0dda39824f1a3509f9b077df0ead673d2dafba83ba315911ba2

SHA512
f1cd9a9a9580ec0f5aaaf4e057b19891e674e43266cc1df5f28b79fdff68e9e2637ae77048b450e35914bef5061a8712e6fe9c2082d75dab347f6143ded14b2e

Download Submit
C:\Users\Admin\AppData\Roaming\7956302212d07ad8.bin

Filesize
12KB

MD5
e5f1b9b46799024a24e9c47d7d62dd69

SHA1
9c37aed31b507c94e83fd445e2bcc015c14a5534

SHA256
c77978e2b65f847116143552a7fb4034a5b1d64ad959541736c291d55f02e25c

SHA512
520b9bd81d20a6febb1e6985bbc2a23ac61c09de53c993ee82ba0ba31ffb611fb12b20096cc808ef5381727fcd974c0312917b60a220eac61a7ae02c90d8acef

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
570d63b476fda99e2592003c9b38dc7b

SHA1
285cf1dfa790260c4f61d2728b14e984c81a33b8

SHA256
3781637547df7a2e7304e7ca1a2ef532eae6403edc75a6fa585227c639712380

SHA512
2cedfbf1ea6920969d81e597b3877e853379311bc8d7dba8dd509534bf4678793a25981acb9585d10c931d307e33e5482e0c665e9961110c019085d1907fd629

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
c884d4da99459245e80b62d92e4baaf4

SHA1
6edc2e92d8bfffeaf453c015ec572aa643dae0b4

SHA256
a18dd949925b213a835d5821c7bed8eabfd34b864db9b4359ff5412f93450029

SHA512
068c3a997d01607506234cb29248585419e693bf635a0644b6da4fc899785c917efc27f2efbc3c32f5f2b32c431dbba87f3b12bafcd9606065d72b74870ebfc4

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
1997c80ca249bfd033aec0399f5d19fd

SHA1
30f4f65c4ddcb74f758bee0b1fdda27ddde53cf5

SHA256
8e22f853fbb1bd8873694762eaad5146521e9b0b7032b7f152bdd587c8fa9694

SHA512
ac777b473233984de03a49b68b62d161a8e107ab8bcd451bdab08c26c22baba4c1571ec676d25dc539db6a5fb2bb19d266ee26c4c9c7de89bb641ac476b07bf6

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
92c5334bea85ba10d34ff1af3d0c8f8e

SHA1
899df3328201fb4b13a90875c674c2a2c790fdf0

SHA256
dd3cc58a0b8419f06c4c4f4928d105ac531b958364c8b37a0a6c925268ebe555

SHA512
310cde024844432cc0a4688f9f76a45eae716af93e40cbd5f42bf8cb446cb779448b028453b3ba7634bf6f4b377fb7c953089b39a13ed0a2f25dbb5f90f162a3

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
7f41c0ccae7d1306749e886bf5f480f9

SHA1
65bc977afb6a4cc787df311cab9a510d2b8c04ba

SHA256
786b5da4a101c7a1a886f9c86e2e5d7c0820dd8050a3e41df27bec644dce347e

SHA512
9bb233adf275ac666522cce4bfcd638f37a45b6f58902fc2409c6bc5f6dae4011a3f67a9e693c23ed841dee99a6d7f475775983bed5d300258fb031309ea828a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
f05a076fb41d0774b4962cac05edc208

SHA1
6cfdc9ddc3727666ff6f029e7c8bdb2911cf9ba3

SHA256
cc91307a53c1a2ed2acacae7cb7c8e4db577ec86e61744e4c2e8ea3f94212eb2

SHA512
15560323bceaff186c2509fe63aeea8601f44283adf71f3879fd54d98ff8b8b76ba94586767ec9b29e6dd1e8f8b56b73858ef22268bc3f2a45656e799bcc2cea

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
5d2cf950d44296316f464254b3dfe441

SHA1
ca817fc78057b48e74e42426389de208a605051c

SHA256
3f1ea17884877d57bc9fa932b02bd3d4acd874018b957acea0fcf5dfea8e9b54

SHA512
353b6d186598991d41eebc129c48c2c53b8715ad2eff60867cf47f6fa09aa2ce047258977baa784fb4f132319dd3e2e7af8b059d7fa837f057036b1ea42a4452

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
cf004f021ba2788f555902d868abfdf0

SHA1
8a6b0614bfa3498131b52213c9a48b38f54f1ca3

SHA256
259001dd9f2ed203b6ca48dd6338179ee73ccdc5063e13af0c44fa1bf6299c8e

SHA512
35f45d1d0dc93b46146fe591e4a3f05b6c65453fc2545b493b28ba7b51f6899fc28878507162659d1d6e3305a9b4e8725182c8032dd80f888b4ac348776ebcbb

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
7a567e93e1ffe1db72e3f777673577eb

SHA1
13692b47ba28c736ae5fb6761cb8b603894287ac

SHA256
e11536a7338ee71e227b98237087e1bcbf26f2c4069ca321fefb0d39c83a3332

SHA512
daae29bc80a7f376662c161a05b2463fd6b6b9fbbdb36cc078720b9453472c3bb309c5809ad6557439922aa9af12caf8992cac6fb1d33a0477fd2cc327c2b99d

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
14d3f3c167d307af0981b588df3ea41f

SHA1
534fbb157583c7c6b6bfc04721ee4039b6f24434

SHA256
514abb96a94f81552052b83ff1854e2bd4b2619f2f1bd3abfad7246af06f0947

SHA512
488bd502ecc5110d8929650719948074410a4803b4ac1a3580dc6f27675176ee23f14040d2313e467ff7a0cdeab52b9b6c3cf1df3b7297be3351543268cb6f9e

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
0c295cfb1c378b5df9d6acd188b602a7

SHA1
fdaae31faddd520f58f9ca829f692ece2e260e5d

SHA256
37f11e30c43c08967f274eaa96436e92445ac0e0ee62e149343a84492ce24c91

SHA512
2cea43daaa318dfc4b196c3b2482a5dbfa79f0aa79a27c8d848dad09b3094db1d755c621c4b44cd0a2f4b2e8f09ee229c0e8ea3f239026f4f0228412845f26ef

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
ab8751ffd636a3c9b3c801d71b56c930

SHA1
1e0e6e4c3e09ff2995bde9fbadca319ff3b07a7f

SHA256
b55c99489760bc71269470d70341fe55a03808436e0f759349e05339d1c73fce

SHA512
9cbfecf2b6073f4a73de0c8dd80f3402d18b18451d127ff63c50ed468edc36cd968bc7a86f6703b2500794a986fb648700f7820ba54725da9181bedd3d85ea6b

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
22f5cf6cce989c6037ced799bdc24696

SHA1
af34d1109ba8a08ce7a31d87fe29c2b3ab0b2a93

SHA256
e42cc9c556b7ae141dc46867ce2622e5d71bb5a1fbf1b6624646588b24d3fdbd

SHA512
dbb86d6e14e1f59aa871399651b53327910fdd6f7dd169ef68199793d51c5a4d93df423f1359c082cbfc4c3886cbb45d36165f2b7e13502c73f46750d17b11be

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
500b62c2de17ee04b80ac591fa26decf

SHA1
5048289b4df4e6d69d897981b074a95094bae670

SHA256
e1522ded8f7f23c3666a5ed922c15aa00545d0561b30282b3cd42ffd83f4e5f3

SHA512
7de24791d5c891d7e347e1cfc08f099b0c6be1538097a08f2429bcfb08ec2ea7909785a7be4ac88fcbc77b46449c0ae36a2a01f8758f563373d3e1b9ef8c9575

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
490aa6d3f7adcae2221069d36e9aae0f

SHA1
a38fc9e64f20b1c69195c92f75da8a106e2a2c75

SHA256
0d689e2e45c990ae16b8ac3a1304a13ab3a46235f7eb34aa5868880beb91121e

SHA512
988012cc36313b77a3c5f600722285461404b35a558de2de60bfe12d5cf890cd87da029153ec2c0874030acd3a87e9dda997ed09d17d7ed4c776c20d106bfd02

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
d500720bdb0ce6cecfb88185085a63d1

SHA1
391e76702ba8e9f69db3402c586e8c7444d5bc9b

SHA256
3c8acb800e5031ad37b08a73b8a4e678d1758a7dd0aa89479613441eec35fee5

SHA512
3c47b4c596df2a4b743958ba9252c019af0dcf3ead0c57d9613915ea62a59ee80172de1581fd61465c0279f49c6ba51543a069aa0d12a69d4424ae2143755e22

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
645b4d342e8804771d75486a93ee0c7d

SHA1
b4e97f5af63acbfbaf4bfa9abbe0bb32e562ed24

SHA256
f6f938b302ec9852d60180bf72c5c43897acba21e5fffead84fe93abf49b98ef

SHA512
f8feb65a6dd14b8839b353f82279411b24ee5d298ca6dbc1de6a1a41e2b8fe16cfcc45cac468643078e2c957f232afc39afb1a6fedceebbd70e58b42d8d23e86

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
a57e00e7b64144dba402c6db0f7ad149

SHA1
51a33fa8f038784838ba3a6c0fd16cfccf49de55

SHA256
26345f4eaae9348eb9da6a4c6101dc723a2cd58c0f15d93f5c1ee628b6957fd2

SHA512
a9d626fbae4b1da4d41e75520ebb2eee98cd2a4b9dfdf5f264e574b61f1acbf34c0bca6b1d3e1212ce37c8935a50817c47539b03030e1665a7dcc3a18dffa739

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
b5935b445e4d54612aa5e10e0d8423dd

SHA1
b1109046084efdbfacb3894628eefc3f39ae5731

SHA256
27b1245b823a7d316ce36ea8d024a1edf1e80044e4722a79887bd30b3c312a63

SHA512
56083d02167fe983843dd38e2483ef4bbdeefe43db9cf8963bb35bf6bf5b1bda00e52488a756639a9c14133b8eec8682b01e36d98c0ed38bcf7feccb7054d364

Download Submit
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
2c8de7bcfe2e80d8b8a50626554f2a2b

SHA1
e770153ebdcfc3d538fd305dbdbdbab3137830bd

SHA256
10536b8fd9bd794472bc34723be739892b4e74f1a9fe7219e2dbffb031fa7a19

SHA512
ecbb37c6d3dd65e91ca3899163891062e3a66f6e2fd08a745469b039cc07cc95033c46dcd81c4776f4b397ad62f0ce4ff78c335a75ff6576427eb452e6da48fb

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
adb291520e7c794387b6cc49751ab021

SHA1
3c8cdce5efe1e42dec34cb5f806a212a8d4a2cbd

SHA256
59e965abb4a1e5fafeb9e3c0822c44cb88b9328c51dc22d72767d2fd65f2c223

SHA512
1d8d1400473f8e44aaa67148b77961f15374d369a4e416cdf21e4e3ceaa7ac4d4473de48481cba80d60442ba73d0f79d897299341c8a145b630591b867acac2f

Download Submit
memory/112-288-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/112-14-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/112-30-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/112-18-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/540-484-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/540-551-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/540-492-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/552-522-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/552-518-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/552-511-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/552-523-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/676-574-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/676-504-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/676-564-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/676-497-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/764-76-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/764-342-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/764-75-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/764-84-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1080-424-0x00000000005B0000-0x0000000000616000-memory.dmp

Filesize
408KB

Download
memory/1080-491-0x00000000005B0000-0x0000000000616000-memory.dmp

Filesize
408KB

Download
memory/1080-482-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1080-418-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1088-45-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1088-88-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1088-85-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1088-57-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1088-46-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1408-477-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/1408-470-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1408-538-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1752-35-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1752-44-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1752-1-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1752-7-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1752-8-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1752-0-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2196-539-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2196-548-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2376-108-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/2376-91-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/2376-92-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/2376-98-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/2376-104-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/2988-373-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2988-387-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2988-388-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2988-382-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3312-109-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3312-345-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3312-116-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/3312-115-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/3312-107-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/3412-404-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3412-467-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3412-414-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3480-441-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3480-509-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3480-449-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3692-455-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/3692-399-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/3692-391-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/3792-536-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/3792-526-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4660-457-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/4660-525-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/4660-463-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4836-287-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4836-26-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4836-15-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4836-13-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4860-429-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/4860-495-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/4860-438-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/5016-576-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/5016-565-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/5092-561-0x0000000000C20000-0x0000000000C80000-memory.dmp

Filesize
384KB

Download
memory/5092-552-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download