7d8ed619b308e46b760b0a925bf15d9eca4a975f68209a7e5bec481453d9187d

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05-04-2024 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
Size

5.5MB
MD5

7395ddd538e1291bb92184d6befca514
SHA1

d6247674c5d926c71f30239e12e1fb9a7cf0f708
SHA256

7d8ed619b308e46b760b0a925bf15d9eca4a975f68209a7e5bec481453d9187d
SHA512

059bd18fffa2b1c0fa7fdffa0da14ca665d3fe3ee94e10a1db454398cb2ebe127e75aaf258afb6eb344ee489a6ed338940321d158485d976b49cbd288a7db30a
SSDEEP

49152:PEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGf8:rAI5pAdVJn9tbnR1VgBVm6/iyB

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
5004	alg.exe
4468	DiagnosticsHub.StandardCollector.Service.exe
2088	fxssvc.exe
2964	elevation_service.exe
3960	elevation_service.exe
1608	maintenanceservice.exe
656	msdtc.exe
2584	OSE.EXE
2840	PerceptionSimulationService.exe
2124	perfhost.exe
4640	locator.exe
2088	SensorDataService.exe
3504	snmptrap.exe
3032	spectrum.exe
5148	ssh-agent.exe
5320	TieringEngineService.exe
5472	AgentService.exe
5616	vds.exe
5712	vssvc.exe
5964	wbengine.exe
6068	WmiApSrv.exe
5248	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a684d5b512d07ad8.bin	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000235654178187da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cbf713178187da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000e4b4c188187da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000edfc3d188187da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a682df168187da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d9e4e1168187da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
4232	chrome.exe
4232	chrome.exe
3812	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
3812	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
3812	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
3812	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
3812	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
3812	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
3812	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
3812	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
3812	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
3812	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
3812	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
3812	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
3812	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
3812	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
3812	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
3812	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
3812	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
3812	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
3812	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
3812	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
3812	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
3812	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
3812	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
3812	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
3812	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
3812	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
3812	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
3812	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
3812	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
3812	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
3812	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
3812	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
3812	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
3812	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
3812	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
5068	chrome.exe
5068	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
676	Process not Found
676	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4652	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeAuditPrivilege	2088	fxssvc.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeRestorePrivilege	5320	TieringEngineService.exe
Token: SeManageVolumePrivilege	5320	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5472	AgentService.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeBackupPrivilege	5712	vssvc.exe
Token: SeRestorePrivilege	5712	vssvc.exe
Token: SeAuditPrivilege	5712	vssvc.exe
Token: SeBackupPrivilege	5964	wbengine.exe
Token: SeRestorePrivilege	5964	wbengine.exe
Token: SeSecurityPrivilege	5964	wbengine.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: 33	5248	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5248	SearchIndexer.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4652 wrote to memory of 3812	4652	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe	85
PID 4652 wrote to memory of 3812	4652	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe	85
PID 4652 wrote to memory of 4232	4652	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe	87
PID 4652 wrote to memory of 4232	4652	2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe	87
PID 4232 wrote to memory of 4876	4232	chrome.exe	88
PID 4232 wrote to memory of 4876	4232	chrome.exe	88
PID 4232 wrote to memory of 1400	4232	chrome.exe	91
PID 4232 wrote to memory of 1400	4232	chrome.exe	91
PID 4232 wrote to memory of 1400	4232	chrome.exe	91
PID 4232 wrote to memory of 1400	4232	chrome.exe	91
PID 4232 wrote to memory of 1400	4232	chrome.exe	91
PID 4232 wrote to memory of 1400	4232	chrome.exe	91
PID 4232 wrote to memory of 1400	4232	chrome.exe	91
PID 4232 wrote to memory of 1400	4232	chrome.exe	91
PID 4232 wrote to memory of 1400	4232	chrome.exe	91
PID 4232 wrote to memory of 1400	4232	chrome.exe	91
PID 4232 wrote to memory of 1400	4232	chrome.exe	91
PID 4232 wrote to memory of 1400	4232	chrome.exe	91
PID 4232 wrote to memory of 1400	4232	chrome.exe	91
PID 4232 wrote to memory of 1400	4232	chrome.exe	91
PID 4232 wrote to memory of 1400	4232	chrome.exe	91
PID 4232 wrote to memory of 1400	4232	chrome.exe	91
PID 4232 wrote to memory of 1400	4232	chrome.exe	91
PID 4232 wrote to memory of 1400	4232	chrome.exe	91
PID 4232 wrote to memory of 1400	4232	chrome.exe	91
PID 4232 wrote to memory of 1400	4232	chrome.exe	91
PID 4232 wrote to memory of 1400	4232	chrome.exe	91
PID 4232 wrote to memory of 1400	4232	chrome.exe	91
PID 4232 wrote to memory of 1400	4232	chrome.exe	91
PID 4232 wrote to memory of 1400	4232	chrome.exe	91
PID 4232 wrote to memory of 1400	4232	chrome.exe	91
PID 4232 wrote to memory of 1400	4232	chrome.exe	91
PID 4232 wrote to memory of 1400	4232	chrome.exe	91
PID 4232 wrote to memory of 1400	4232	chrome.exe	91
PID 4232 wrote to memory of 1400	4232	chrome.exe	91
PID 4232 wrote to memory of 1400	4232	chrome.exe	91
PID 4232 wrote to memory of 1400	4232	chrome.exe	91
PID 4232 wrote to memory of 1400	4232	chrome.exe	91
PID 4232 wrote to memory of 1400	4232	chrome.exe	91
PID 4232 wrote to memory of 1400	4232	chrome.exe	91
PID 4232 wrote to memory of 1400	4232	chrome.exe	91
PID 4232 wrote to memory of 1400	4232	chrome.exe	91
PID 4232 wrote to memory of 1400	4232	chrome.exe	91
PID 4232 wrote to memory of 1400	4232	chrome.exe	91
PID 4232 wrote to memory of 2208	4232	chrome.exe	92
PID 4232 wrote to memory of 2208	4232	chrome.exe	92
PID 4232 wrote to memory of 3288	4232	chrome.exe	93
PID 4232 wrote to memory of 3288	4232	chrome.exe	93
PID 4232 wrote to memory of 3288	4232	chrome.exe	93
PID 4232 wrote to memory of 3288	4232	chrome.exe	93
PID 4232 wrote to memory of 3288	4232	chrome.exe	93
PID 4232 wrote to memory of 3288	4232	chrome.exe	93
PID 4232 wrote to memory of 3288	4232	chrome.exe	93
PID 4232 wrote to memory of 3288	4232	chrome.exe	93
PID 4232 wrote to memory of 3288	4232	chrome.exe	93
PID 4232 wrote to memory of 3288	4232	chrome.exe	93
PID 4232 wrote to memory of 3288	4232	chrome.exe	93
PID 4232 wrote to memory of 3288	4232	chrome.exe	93
PID 4232 wrote to memory of 3288	4232	chrome.exe	93
PID 4232 wrote to memory of 3288	4232	chrome.exe	93
PID 4232 wrote to memory of 3288	4232	chrome.exe	93
PID 4232 wrote to memory of 3288	4232	chrome.exe	93
PID 4232 wrote to memory of 3288	4232	chrome.exe	93
PID 4232 wrote to memory of 3288	4232	chrome.exe	93

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4652
- C:\Users\Admin\AppData\Local\Temp\2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-05_7395ddd538e1291bb92184d6befca514_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d4,0x2e0,0x2e4,0x2d0,0x2e8,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4232
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb191a9758,0x7ffb191a9768,0x7ffb191a9778
    3⤵
    PID:4876
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 --field-trial-handle=1880,i,8963693730385893855,7870758871107423030,131072 /prefetch:2
    3⤵
    PID:1400
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=1880,i,8963693730385893855,7870758871107423030,131072 /prefetch:8
    3⤵
    PID:2208
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2128 --field-trial-handle=1880,i,8963693730385893855,7870758871107423030,131072 /prefetch:8
    3⤵
    PID:3288
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2972 --field-trial-handle=1880,i,8963693730385893855,7870758871107423030,131072 /prefetch:1
    3⤵
    PID:4996
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2980 --field-trial-handle=1880,i,8963693730385893855,7870758871107423030,131072 /prefetch:1
    3⤵
    PID:4884
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4620 --field-trial-handle=1880,i,8963693730385893855,7870758871107423030,131072 /prefetch:1
    3⤵
    PID:3660
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4580 --field-trial-handle=1880,i,8963693730385893855,7870758871107423030,131072 /prefetch:8
    3⤵
    PID:4872
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4896 --field-trial-handle=1880,i,8963693730385893855,7870758871107423030,131072 /prefetch:8
    3⤵
    PID:2840
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5008 --field-trial-handle=1880,i,8963693730385893855,7870758871107423030,131072 /prefetch:8
    3⤵
    PID:1232
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 --field-trial-handle=1880,i,8963693730385893855,7870758871107423030,131072 /prefetch:8
    3⤵
    PID:3036
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:852
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff6cfc97688,0x7ff6cfc97698,0x7ff6cfc976a8
      4⤵
      PID:3108
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      PID:4788
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff6cfc97688,0x7ff6cfc97698,0x7ff6cfc976a8
        5⤵
        
        PID:368
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 --field-trial-handle=1880,i,8963693730385893855,7870758871107423030,131072 /prefetch:8
    3⤵
    PID:4988
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2256 --field-trial-handle=1880,i,8963693730385893855,7870758871107423030,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5068

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:5004

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4468

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4364

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3436

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2088

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2964

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3960

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1608

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:656

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2584

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2840

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2124

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4640

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2088

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3504

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3032

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5148

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5168

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5320

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5472

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5616

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5712

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5964

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:6068

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5248
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5664
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
7af8a29e1ebd0ae04564280ccc486635

SHA1
10fa1516479f21d0cfacff69a5a26a206af9a71d

SHA256
f8578448182f7be130dc12c11c2a0b7a259d6ac9b45c20cecd4c4a6d24768fe5

SHA512
723046cc6b0debcefa884d3ea36ad8dcf599717ecc6401649e007f27507524679b5723855113ced07a5e36be6d6d510e9f7c4b29767859407c9429342d54020f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
467c1b5867dbd5af50e1e20d1735a215

SHA1
6e9898b57e95325d92bb1eee37e61fb69154250d

SHA256
30687583bedc352e93a9972b05f81c5d727d6225f2cb3d9443b5842c2f90e244

SHA512
9e919e2d6a805289647df942566b2b3956c501770b7da3817651f8cb7d736c8dc479208e7ab69dce7c9d7d37e51a98d718016a422e12c54305c37e592570df53

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
7dc51a1902b60c5c9c14c5bb9b9e7cd1

SHA1
acce7b96b8206e2bd9d0ccb42dbbcc6bb9fb8db4

SHA256
69efbc669c5790b4f5c4963d3cc405b9b1a4a17350dcb96136337e5062c4d2f5

SHA512
3434029d15f599f1ff46029aec6eebbd71ad04b9683a73d0767c548f4bbfbaa4750b026bf0eafb5896d03f01775e9f0df90a6e9638992ea32af4c5c4219c02e5

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
d302d89fe026af2a5599abdf770c6299

SHA1
91a8c24d9265e602d3a1079d9fc4b8005b690c73

SHA256
2a29e610af2f2395a65ea30ad2c3266854983632d35f01c5c3bb7888969b2645

SHA512
8d81d56d0323dfb5dd19a5d5428b1cbf7a45a32f1db28c5a95b828dfc1bdc3eb910c16053dc44882726a134db861d199dd13bb1ece7733ef7042df0a63116301

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
af5ff0267e73ceff9b7e11d9569ed5ef

SHA1
1583fb03ccf89fcbaa2905676a95bd0d527d7fdd

SHA256
2a7421564135899e89498c800d89785a38ebff9a7650bfe534595267cbaca7dd

SHA512
1a157a01c5b1bcfe4e8c4695137061f3e9fdaaaf1a587fa5c51a8c39550df1966b71a89844d17d02ec72909c99de5572402d09a740ead833dfb6078fd3b34794

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
10648cfce1c664e0027aa638ebb1319f

SHA1
ee754350dcab7719e29945560b2c4fab8721a4f2

SHA256
e222f5178c8531c32da4ac29c4ea62daf566805ef0126abc5e231134a58650ee

SHA512
8f02aa810582c2a4e1edcfd676d2292d36092b4cceb4ef0f6d36d506ee6be5559b211ae3d01ccdef2b57a3c3477cb0d06408fa4901d248d685e356f6af7d5589

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
5b8f5e18d0d2fd4e38af177e513f369b

SHA1
1a9f9f632e155bc1819431b915bdaea68e8c3486

SHA256
9334403c0551e878dd01640ed09871999bc99950ac9efd0d007e54c893469047

SHA512
64a3133dd1d9763a2352e728252f3ff7b579f45095eddc38ea7383e649043f57549ad61199774b732d21ce45a4f01a1118e438e2e7ac179c862cd21116f21a66

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
82aad6d201f6f89fa8dacd873bec250c

SHA1
4c6e135e5fc9ba4a2c4df00df841f6478b6be71d

SHA256
5564fd1e4d8a9128872d038d0c723925bdb2d1f33cfeef79940eba1100f27618

SHA512
8ea690f642546417be03743a38534c6aa8571967f570fda25e5ae5b9a4d687f522f45a9954db6418b20456448c71d12aef46e387850fc0350c8a6b4ce8c74656

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
f6a4405a58f5b6172556b88b425b80c2

SHA1
4a2dbde4bdf36c284bae08141ded506ebe9bb6ff

SHA256
a4dcee623deb379b980af1dae1aa73464e9670b8749ef0e8df1974fb821d36ab

SHA512
8dfcf3a31df1d80d8d8f02d38e1194363cb980ad6018ae2ba20789be04b22a7905537ce6f3b56f4e8156659aa5b5a8a67ee7bc48935e63264186a1ea8792b990

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
356d27ed23cb8d7ab236a2da05e6cf30

SHA1
2ec24db2ee2349e2691a7bc09d690444fbbe86f3

SHA256
cb571215cef8d0af3f91bb14b91470c3564f4df59e403f54c5cbcb60182cca70

SHA512
7bbc66c074933ce6a1f4562ce919fb7baf9c5243a13dcc96d54e06838a12ddc8cbb37eefde11f6c1d16e79cb7de45941ca9640f8017a557a7c21d4d5bcb1e9c8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
bf400db6806fd8a1681def847f7a8316

SHA1
a643aa2890044308b445645b38def460e9d16725

SHA256
b6e785b5289eeb1b33976a43760228124ff5462273d825550748626f8631990c

SHA512
b78d7fc47b42176943c997a71df200f0fb197b9392964580d569ee2a65fd3e1cbc1976f29d1c155acf7c38a76485c93cf4d31059316f10a904f8e466fbf24c19

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
3b3b6105320d82bc5e3d1936f004b633

SHA1
db4bf114348104de5111e1454144ae006bb9c1db

SHA256
eb74f7fe42010fb95391d79eba387d44587505e4561901bf82efd45a0630b72e

SHA512
dda7c184adbca11968cb346468dacd8c81ecc76ed7ef2200ef08c30dd7ed84c9f4fcac4527d371798fa08822cee93a11625d7088eec19d64c6599e960b8479d2

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
a4180bc57d74964d8ab7225c1621da04

SHA1
6201f7f2c0d187871060c63ee09b8a7d2990b8c1

SHA256
cdd32912843240eca337b147d180894f2bde7abae0d1c3290480ae3a02802225

SHA512
777e9b0fcd51c78ca04a71bff7ca5599ae835685b1d6b585208d60ee16f6b4f0c82cea1dd40b1dfcb01a3e574eddcbed22981e1f8870926585b2a16c21bd6b13

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
3e385cce5c0aa18e7bdb75e39100c0d2

SHA1
c0f3519e88da66916eb5f046b4c3c78ab159e150

SHA256
4e484f859f7cb26e7e6138c9a80c1ed8ef0b2daeee2a67444bac56e87eb63681

SHA512
73947cc97a7f67852a18af5424dff0c5020bb15859351c6e49a86608f14c3c32cbdbf0149607bc1264d3744fdb7616908d61068f7fbae6e619e6bec8bc29b3bb

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
e620ed8afe9dbf9cad1a4da285a123e6

SHA1
0703c1700469b37d6a2bf090aa5a966775e7eefb

SHA256
6df09f29434924f605048feb6385cad3b0ca2e00916d0ab633eba84cc1fc1836

SHA512
653305a579005b72e472db48eabe2bd3140342bed53bb8ee1bb39a976247dda64083c735465ab8c93954f33ea716f8f0cb36749e7464d70385b1eb35b165d8de

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
86ad60268afb932696fdd58789030068

SHA1
531c85ea59040d15c8b45d6c890561658f9caa59

SHA256
33a8551253e417c1c731eaf3794b9fc964ea0d0edb9d6b10df79f21fc9c77ea2

SHA512
c12a3d7d2dc948268d0d8f16c8217e9e63793337b39738f028f3b59ee97962d641bf0005349410afa4bd8decc7abe3cccb82ba6f806c173a871f546050cce7a6

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
da71558722f0be5720442830366e17c9

SHA1
76cd2f3c7eb5aa00b870f0847a9478367944abf1

SHA256
042a565d3068f5908e539ed40e44876ad50f178b1c66c1be37370296d8f182ad

SHA512
8346248edbb5cfb61dee99cfcefc3a00e7d3a18f756b46991a1d937f4811f9a113b9222e50cf20fdeef47007219780be6cf37c1ae03dc00b5c2971588ebd6427

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
32c8c18d2007244c997ebc391653a312

SHA1
4038a015d97b95ff67bc93e615534fbfe4dea19a

SHA256
c15e1a1c0348f2711ae5ed630922173d976af1c755fe6da9055195a8ceeb9686

SHA512
9bf177a13c11f727df491e7d99d5c4f2218c8485e79d3f49b52dec3084072c002958749078d07cc2e2e2a8ccfff769281173f75aa7e88ff56783df189bde351e

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\eba7b0a1-bbc0-40b7-bfb4-393169812745.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
6b31e7b30a6cc87bf9036cdf5c836860

SHA1
a21fef3813c12c2aba4c1503773dad4e7bdbc663

SHA256
354075ee8205c0b6d50d576be0265f86a9b6e14ed79470b7568feef19f6d4ca6

SHA512
6ee61e62959a16d7f7e6c5fbe456bfa1a8d5d3e0db39718befe37dd6f31b7a57a9c53e38917c9244fdab946ba10d85663cc244d6c391ab2db5a83c34222fcf1d

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
4199c5d739a451c412f77d1b80e4822c

SHA1
6bae646f952d2eea106524ebd2ad0a134464b92b

SHA256
49907be176bccde47cad2bcea086bbb3c8d436269fdf51ea36e3ea11b660b5d2

SHA512
6ee62aa3c308303e3efba77101e2dd1e6720949136bdbf05ac012f10a3e09a3a53173f8c3a88e459bd7045d79d56a2e27084461d63794153801a023cdc70b4e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
99cc49358cfa3628888247c84b312722

SHA1
72df90d4341e204b5d695a65f8f0575d75d6d342

SHA256
570055b300595d9bee19cd486aec73f2e432043cc1a510b5075bc55da6b32757

SHA512
1b3f0129c396f2e582b6e1316e622f9faf71776e5878c95e71a961e4851f9aa90b651f0e3c3d406602c79f377776df5c8353578f44673359088ba16998fd614d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
72740a984b2a706eaa8fbd8601737904

SHA1
45f6a435cd45bb3f7e9f5de2e87f5eacb28f834d

SHA256
05e007bfe35d5dbbeca7fa03457aaa9163c385cd831018a12fc0d43592fda765

SHA512
d065a97bd769c0a8e1411ec19b1acfdfa0ed1e4ba54cde5effe5bcff1e640f76fcbd5929276d9aa8d01101b0da81142e660087fc4a5d13296916282b7d12f717

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
90d1d142e29c53d2128ae18159e6f520

SHA1
e956d5cdd598ce4804672dfa3752264c3b873e83

SHA256
939701a49a83632c7499bbd732960341aa3dc1ba72f995d6b5ca1e614f809aa2

SHA512
1fcbba2a2f594fb24550af2585a9f42738f88948bd18dc4532903694c3d8748f4e7e0e8f208565b1a3505b732d15a847853ba252c3aa57abe11d0a2b2094286e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
8d0276545e5a2dbc9856441292513af0

SHA1
1f645fbe2feaf50289a19f685470beafec71dff0

SHA256
1fd3cbbaa6ac61ec9951caf5add35ed4f14d56a42beb67a402fe33ca53462413

SHA512
b0672b5cc7e7192b2377dfb7e9c7630a64cc89311d8828964f83940bd06c5e925a80f3e5098fd7eeb5c2c81abfe4bae16dedf8bab3b28c49a94bf5b201f3d1db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
2bace42dce25ed3fa9cfac08df65cfcc

SHA1
e56f25dad9888793b62f87cc683cab4d42616396

SHA256
124a944febe1cafd18bc8015f20fa11b241921cdb3bfb8f1c96e43c0a7c4945d

SHA512
c03d00bb3d746856601897d1d00101711ae873d9616319899ce4e18d11c9f3b48964caea97d197d534d6f875b64dc284c0817e9a8808d82c9afd873ec88e5708

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
288b029f9d353eacee0cce37614d7426

SHA1
d0089c8952dad0fef893f467d414c47e8a7ea1c7

SHA256
895cdb98706e8f1006c154b9d845f4d75c8233493bbb34d9410ab24350e18f51

SHA512
a72405140099749be066e26ebdb4b39f24fa50e6fbf15903e117ff5fce018cdb6fd5ab6c35c1841457f9edb4ddcedc7af440d6e518c9accab53701516afe3a48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe578201.TMP

Filesize
2KB

MD5
9789813c7b351abcd4b4cc4821874f82

SHA1
3c3839cb1e6fcbd66f3c6dfc092f3aa49c057c03

SHA256
899961eb96b3c34c8a0b0bed8f6e6d81c5979592af5cc0144590b71e394bf7b2

SHA512
9c8dce395a863812d3b050b5068e97301309e46ae0c69f6ee0f8539f3dd453d269bfe4865d4afc6a8518e4b85ac49f8901fc937ca19da27a1e5bd178e3774a76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
18c0f7bd536a2c87ca1fc4ccfc9a3f6b

SHA1
d1b0c218b6e5ef3edaa210163f985be25335242d

SHA256
de54e42e0f4c072331aa02c280aa66fb50b91cb107f72ac3cda5876cc01ce11a

SHA512
ac65a167bef58e73cf048b05104317a1e2659d45a9b9f01ffa179708646af4771399d18d51752023c29c6d5b13a23fe038b519ae3ae2ef36add4f994fbcc3aab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
260KB

MD5
64908e4756a943986c7b099acc795eb5

SHA1
8879823cd38ae03c9e6b413d7f4ff4d49b41a403

SHA256
ac983bc58199680bf721edb1d452bb9e9f1ff5bf3e1d7263990145655d6c267c

SHA512
f487c3a9ecb2f1f2e2caaf7d4e48772012a61b24874a84b794ecd6ad73f5900ed82a2557605f6fc44bc6e57d4adc664808256060d601f01eb4d66224418945bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
50a3039452758f011c3cc8ad596658b5

SHA1
1947636c5a175570929ed9aadccd7c1bd1e0109e

SHA256
d5429f49c3671caa2db5163bebb59e3bdf02c7d5676aa70831df83ccc573dd2b

SHA512
e426bee64a1b684c76a41baf078ffe9312ea2c28ef35144349486086c2c98b26011d4abed084ce335c16d1986c36f31b19e2095060816cf98f83eeeca423ec5b

Download Submit
C:\Users\Admin\AppData\Roaming\a684d5b512d07ad8.bin

Filesize
12KB

MD5
7380eb92d205f696f146dbab2a511c47

SHA1
fb897b3288e1d97d419bcdc2b91cfdd7be7941e8

SHA256
c6ac5b4a0383f32158b6b13f699a3457d0addf80c35c0fd13f09bea928336920

SHA512
5d13f2c2ccad9f5e5d31951dee235548a674b89f541ed3eeee227ec53f7cf810dcfb4ecf90f4646b98c3279a2dc0f6791ed025a02751665c2cfd83b5d94efe03

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
9a68bc859dab689ff4b4662f50ffa85a

SHA1
5a140e201a495560c2a394c170b5d43bad34f563

SHA256
e64300be05e147c43bf0c9ee4692ed6a0e1f2d826714d53bf344a521f8572b96

SHA512
16bcb1d38a7653cb51be02c5ebf487c18a9511774e31b4ed85ba874f687ccf9222366705a466cebef9cf3b9b6ced054551505cebe9f127085855bd4bba3bc471

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
7cb60a127acea6dd1c5e64ff7111f3e8

SHA1
bb7c1af26837efca4eec280bc51e1a3d1ce3d5fc

SHA256
f004b89727c551eab2bf4af9aa3aa9c5fc640402b35ca7b869566fbdc8d02338

SHA512
23f41c73d96c1833a08ef5f127f5ec96d0cbc7f5986c2a78db5ba559a136e6d75cf2bcc024112dca52c989102e586a5c3b95b7589c2b6db313755f8a29415a3a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
a705fbe209a0ca0bcd9e0ea8abe4051c

SHA1
edd5ee95bcb6f5a7d473c0846d4522ee77a0ba78

SHA256
b6aafb0f115603743f552e71510444b70d1e8a5e487bb753264521e67644a2d9

SHA512
f383db7f97f095d49198e232a4d34132bc4cabba6a696bf5d90600108600776818628360ccf07024835e845b5be1d670f4eab9f70b392ab383aae14496c39371

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
8727040f9f16c763b5f8ebe0853aff54

SHA1
e69194d0bc0b06cb5a3401d90380dc330ea7bf1c

SHA256
15decae5e74a60574cef5bc9a28f96c02e78365f6b57c252d5435ae6ef6703eb

SHA512
1e6a8a944925da4638135275e40169b7a60a5d0b157cc83b15cec97ef3b82304145c59131cb4124cdd48ea67729a2b95e5e08a83971a394cb6e4130b8ada5671

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
44e33dabc93c1d4ccff5d1bc05bb440c

SHA1
611f95b020ae42bd1c1af2af84f67cc3e8a6eab8

SHA256
b0436680b28f4c72408c39ac8caedec25f45995d69742d685c8cd1e94ec3e52b

SHA512
44db4f876793924e803cf32ad7d372805ff955036cf11e64e88c5ca9a3c7b3afa1f56a4539c041b5cd4420f33fae7418efd87b8bbf39f83db973edcdc68df883

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
9815dadd2b02e11321bfc98f62f233ed

SHA1
2ceb200a83f63d762fc4e81eaefe6f98a262589e

SHA256
a3469a44774c0ae58d3d138845a121c4f4d4596265eaa1cad1509d8800b4b8e1

SHA512
8dfab5340a29c6db241d067d599f865f7b59cfeefd8fddbffdac1cfd168b45833f20388b39560c085ab04d035fbff0b4fb4f6e080d43eaad763f2ca4e5bebc49

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
f568f00c9505110be70a3a4ffa663191

SHA1
d98d3998a5fef57a8f096043126b29dbdbbffeda

SHA256
cdbac7713bbb1e4fb1fe19d2d9ad1ef2a181893c27008dd38ccfa2e818b42050

SHA512
a8bbe0e5f467ae9f31ff5f807b235133bdb8e092a425a0495bc0fc0514e15483dc5dafa227e2a043ca158065978ebd274e55a0c2261050561a5d1b149e6d69c6

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
bcb0871ccdd2ed7fde85f2acc672785e

SHA1
e372e32a514832534219bc6ff3f4edd81bc9e71a

SHA256
40ee9ce756bfb51a4ab16a8b60c6fb9c2227e0d41a308ef28b9364f8a9d3979e

SHA512
6433e3b5a288d34f472e060da32af873ac458e58ff7aed2a5797a17d9a2861e836a8575ad1ba2d05cfc546ce0e0681404ae58941e2f85599e814fd2b1cc45d79

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
de9d207694f22c23db933d286e61c19f

SHA1
777499ec407b2319a90cfa5e6e0289f5ab450f96

SHA256
5d2339d59bb0fc0449bf80c6e1bd86fe910f11065c6cf529aab0bf476c56cdc7

SHA512
9e044e4ed60c8c5bc5433098fd82108da19c90d9b81e563d973a319638343e7f178c68db1f2c3a2a55abc3e83db17f4442a619dacacee3a0e4bb856afc8f5ccb

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
91e327b46d11110f9659d982a10eb019

SHA1
354e0fda4fbbc37c262fd15c15c59dda86fbdb51

SHA256
f4c714a6928c712b6edfe15593fcf26aa82f661cf9e769c119830fd68ef406a6

SHA512
eae3699f7c5359920d572dc747e10d93648f0cab73c67416d49a40de6b065a9ec69ca464acba9171ec0a47a8f9d50cb78126c72d804b6366fa3e0fea72384fd3

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
c6a6bff2b838d2654267afeb91904c51

SHA1
b72e3fcecb9001953b88e9637dc59b1df41fa850

SHA256
25f8cf87bd5a76e87ee4d8cf433ec59ccc188a9182924776b163576f085c6c6b

SHA512
b4ef96d1e8fde515b66193620aa22cc2e66a7bbd889761e602d2367500457423d3f8cf030a235095b8079a6e93582bc1bf3afbc5f022589c972e586c78433a78

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
ae2fc0facb30d50428f7a426110a8026

SHA1
93848e1b21e467e2fb07090a168ef44e48fd7392

SHA256
d17f7026f662df17c818937b07bb94db4e5cc3a9e948c187fd0ccb0eacf84a98

SHA512
f8b838defb2d5af01bf1eff6d25a95089e718dec078c3a5ef7d4ea5082eeded307276523ffa5adc81dee9fa724ae98b016cc5bf7dffd12f781961e78dec8281b

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
c1cbe4874f976a9f6d13d937273ceffe

SHA1
a932f32e600d10f6d6930ba4d61318956c17cf44

SHA256
7a5c24143ca5abcfff14de15f3469591d5e40dc34b7f22e4f69da3476ff826a1

SHA512
c64f24a9c9ae32fbf721dbc777c0df2eb63c672960a21d7f9d878562613698f838090dbcc6459fa1a12467ce63453a8a364514241e98dcdf7a8a1215c71c7d25

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
d3ce5aa61e79132cae1fc29ee5147a8e

SHA1
a94344e943f1e91586dae62fd8a6e62af0769e3d

SHA256
e1438ec055184020965fa7a6f7e1b0b8398d2f7038ee01a8ae10798db91eee81

SHA512
a026898e7d9262d91a0f3581b4250705963bbfc7c872046f12444eeef217a87e8aeddc367e776e24dcfd6f9f4734e579fe3dc89978e58963f37677995134be29

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
d8e28f77c09c0d5703ec2f71387e5ebd

SHA1
afc654f66fca259350ffa7dfde99616c71a4f932

SHA256
9c4f600295c13dbbcd17ce875a6b4a8f54b3ccb884bfe7e30d5fc0ee559b2466

SHA512
26f819d8dc013efb7a2bf01d3c8eadfe9b9fdd0fa11a25307a172d3ad73b7a81a827bc7a87e47ec2ed5b7e3c3bcdc49711333e7dfd5dcca6dc61f2a83f6af79b

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e6916ff961f3e437c9ac356f10505082

SHA1
463a64ee750937183ffed481369372a862ee4d21

SHA256
9f19a656cdd40d6c97dcfb550c862e17559cf84e79bd5fd65dc712b4f8af6109

SHA512
51eba086a7d505a3f74a322b5485d66a4a3f7e5e9342312b0fbfae5ea866c23694bc6a06c2fc979e976d91b5cb1a5adbffa78e409637678787bc45afbfcdb1d5

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
e5d0eaabbe7d2da68238f66722934573

SHA1
0f0bdb507da9d85497e56c3399e709d582137e17

SHA256
20f53cb47e9827cb738a9f6f2e6b9e2e099ff078314539717cb3db1a44d84afd

SHA512
7072787f87d28e6222150a34fbb220812242a686ba7634b3bbaab526ad3773d34096c5100b80e136ba0e2a2adc4056601e0f6dc21a8f36df5062006710b4833b

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
d1a1b6bdda93d608669c73dd80d4ea7b

SHA1
7b4a153b7f17f686e985bca637057121c03a934b

SHA256
c77dad4832f97be12ea104d6257c02e40292df38aebeb09df51d1f2037e0d68c

SHA512
a73c35b0e78a0a78daade56ae7a74bb984a81afb1f6528edfb3d4369d7daee1d459c51c33ba94c7c6f76726170212524e60da293570cf1b05deb0ad03da604af

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
a57e00e7b64144dba402c6db0f7ad149

SHA1
51a33fa8f038784838ba3a6c0fd16cfccf49de55

SHA256
26345f4eaae9348eb9da6a4c6101dc723a2cd58c0f15d93f5c1ee628b6957fd2

SHA512
a9d626fbae4b1da4d41e75520ebb2eee98cd2a4b9dfdf5f264e574b61f1acbf34c0bca6b1d3e1212ce37c8935a50817c47539b03030e1665a7dcc3a18dffa739

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
eff7bc12d4ccdd95c8f299344a8e8e1d

SHA1
60e25d6c0b4a8ea7e1ebc7f0efa33e634a4927c4

SHA256
b92680291f9030300a6768380794b15662e83d58f7d8cf846799d2723722c798

SHA512
9e0214fdd2cd5f0813012780008acdcc4cabbd00811aef1b88e6feac4573dbfb4a24730b338935bcb709e316e8e49f704e6f067996aa1ca19f10738197a57c40

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
1bb4c1dee2e36b3fd483016e96d51e5d

SHA1
0736e4d40738a45aef18fab0d2300a03e9d6d0db

SHA256
c1541cf7fa1c04612c39375a09aa0652d03ed6c7b5bf7bcf040fc281b2300c13

SHA512
e9a1da9447f2197d934a82157a0300f34301c68e5018247256495bf024d3edcf4e56f066f89791cf592dd7ee6836b7aa5057ce0c3b26b4de10edfb8b2a5a44b9

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
ae0965d377aef5e61e17082274f65433

SHA1
d29480cf8711c9958e48925627caa9b8577a1eda

SHA256
be75a7211b8fb8f5db92ff80ff1ea122fb7821b463e0cfdf09bb71ba02921096

SHA512
b0ff6f3445dd7cb16f5e0374e0d2404c3c89befc565d47e0d3dbe5414edb7a5a68a88246d43cc8ce285a711ad37ea29b3d99edbf659bc2f997623ba2ca2e99d7

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
0b84d97ecebcca66ac0ae85136f584d0

SHA1
d5859574bcf958678034f7405850894b6b05780f

SHA256
60ce0be29e9e2649f502b1c319ae04342cd8ba22afd96999cd2369fcccda319f

SHA512
1ecfbc6b4ff3631f879ea10f8eb79362fbc009148ef6d78ca95ccfcd6c5f2ef03a0d0ccb32698082116b1f4054ca9e212e0b27deca107bad99456ce470934d6a

Download Submit
memory/656-147-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/656-142-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/656-238-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/656-231-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/1608-119-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1608-130-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1608-135-0x0000000140000000-0x0000000140289000-memory.dmp

Filesize
2.5MB

Download
memory/1608-120-0x0000000140000000-0x0000000140289000-memory.dmp

Filesize
2.5MB

Download
memory/1608-137-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2088-73-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/2088-224-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2088-72-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2088-79-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/2088-293-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2088-234-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2088-101-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2088-97-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/2124-198-0x0000000000400000-0x0000000000656000-memory.dmp

Filesize
2.3MB

Download
memory/2124-266-0x0000000000400000-0x0000000000656000-memory.dmp

Filesize
2.3MB

Download
memory/2584-169-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/2584-248-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/2584-162-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/2840-261-0x0000000140000000-0x000000014026A000-memory.dmp

Filesize
2.4MB

Download
memory/2840-179-0x0000000140000000-0x000000014026A000-memory.dmp

Filesize
2.4MB

Download
memory/2840-188-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2964-178-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2964-93-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2964-87-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2964-86-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3032-322-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3032-262-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/3032-253-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3504-240-0x0000000140000000-0x0000000140255000-memory.dmp

Filesize
2.3MB

Download
memory/3504-250-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3504-310-0x0000000140000000-0x0000000140255000-memory.dmp

Filesize
2.3MB

Download
memory/3812-95-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3812-25-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3812-13-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3812-12-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3960-100-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3960-110-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3960-102-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3960-193-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4468-140-0x0000000140000000-0x0000000140268000-memory.dmp

Filesize
2.4MB

Download
memory/4468-54-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4468-46-0x0000000140000000-0x0000000140268000-memory.dmp

Filesize
2.4MB

Download
memory/4468-45-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4640-203-0x0000000140000000-0x0000000140254000-memory.dmp

Filesize
2.3MB

Download
memory/4640-219-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/4640-279-0x0000000140000000-0x0000000140254000-memory.dmp

Filesize
2.3MB

Download
memory/4652-39-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4652-34-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/4652-8-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/4652-2-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4652-0-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/5004-29-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/5004-112-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/5004-30-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/5004-19-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/5004-16-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/5148-276-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/5148-349-0x0000000140000000-0x00000001402C1000-memory.dmp

Filesize
2.8MB

Download
memory/5148-269-0x0000000140000000-0x00000001402C1000-memory.dmp

Filesize
2.8MB

Download
memory/5320-371-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/5320-281-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/5320-287-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/5320-363-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/5472-295-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5472-302-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/5472-306-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5472-307-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/5616-312-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5616-319-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/5712-324-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5712-345-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/5964-359-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/5964-352-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/6068-373-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/6068-365-0x0000000140000000-0x0000000140285000-memory.dmp

Filesize
2.5MB

Download