3a1d7031758eaae95384039543ad5b32ab0c129608de2e56df233599e3ecd0b0

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2024, 09:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
Size

5.5MB
MD5

951d667c47b869f4dddf21a7e27750c7
SHA1

102afbf092e9e20748fcfd4cf0008e8e3a813b30
SHA256

3a1d7031758eaae95384039543ad5b32ab0c129608de2e56df233599e3ecd0b0
SHA512

f521f84317a33d74482265b3eec63591e3cf724faaa1557df555383067589f0672bdc4266cba97cb5102b090def8009e85f904025670457ac8c7434830bddfac
SSDEEP

49152:8EFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfy:KAI5pAdVJn9tbnR1VgBVmC11wlNQ1ya

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1688	alg.exe
1396	DiagnosticsHub.StandardCollector.Service.exe
1308	fxssvc.exe
372	elevation_service.exe
2980	elevation_service.exe
3968	maintenanceservice.exe
4812	msdtc.exe
4004	OSE.EXE
2712	PerceptionSimulationService.exe
1980	perfhost.exe
1156	locator.exe
4940	SensorDataService.exe
4592	snmptrap.exe
2372	spectrum.exe
2016	ssh-agent.exe
2228	TieringEngineService.exe
4924	AgentService.exe
808	vds.exe
1944	vssvc.exe
5164	wbengine.exe
5248	WmiApSrv.exe
5340	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1dda00578ed1090.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_76312\java.exe	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{6FB5F2B8-50C9-4E27-9F75-756369A42747}\chrome_installer.exe	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_76312\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000938e2bd0188da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002ccc12bd0188da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ff56fdbc0188da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000748f36bd0188da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000052f7aebc0188da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133568679954330193"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000096711bbe0188da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
5036	chrome.exe
5036	chrome.exe
2420	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
2420	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
2420	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
2420	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
2420	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
2420	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
2420	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
2420	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
2420	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
2420	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
2420	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
2420	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
2420	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
2420	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
2420	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
2420	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
2420	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
2420	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
2420	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
2420	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
2420	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
2420	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
2420	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
2420	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
2420	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
2420	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
2420	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
2420	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
2420	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
2420	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
2420	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
2420	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
2420	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
2420	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
2420	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
1396	DiagnosticsHub.StandardCollector.Service.exe
1396	DiagnosticsHub.StandardCollector.Service.exe
1396	DiagnosticsHub.StandardCollector.Service.exe
1396	DiagnosticsHub.StandardCollector.Service.exe
1396	DiagnosticsHub.StandardCollector.Service.exe
1396	DiagnosticsHub.StandardCollector.Service.exe
1396	DiagnosticsHub.StandardCollector.Service.exe
4656	chrome.exe
4656	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	976	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
Token: SeAuditPrivilege	1308	fxssvc.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeRestorePrivilege	2228	TieringEngineService.exe
Token: SeManageVolumePrivilege	2228	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4924	AgentService.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeBackupPrivilege	1944	vssvc.exe
Token: SeRestorePrivilege	1944	vssvc.exe
Token: SeAuditPrivilege	1944	vssvc.exe
Token: SeBackupPrivilege	5164	wbengine.exe
Token: SeRestorePrivilege	5164	wbengine.exe
Token: SeSecurityPrivilege	5164	wbengine.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: 33	5340	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5340	SearchIndexer.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 976 wrote to memory of 2420	976	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe	86
PID 976 wrote to memory of 2420	976	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe	86
PID 976 wrote to memory of 5036	976	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe	88
PID 976 wrote to memory of 5036	976	2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe	88
PID 5036 wrote to memory of 2356	5036	chrome.exe	89
PID 5036 wrote to memory of 2356	5036	chrome.exe	89
PID 5036 wrote to memory of 620	5036	chrome.exe	95
PID 5036 wrote to memory of 620	5036	chrome.exe	95
PID 5036 wrote to memory of 620	5036	chrome.exe	95
PID 5036 wrote to memory of 620	5036	chrome.exe	95
PID 5036 wrote to memory of 620	5036	chrome.exe	95
PID 5036 wrote to memory of 620	5036	chrome.exe	95
PID 5036 wrote to memory of 620	5036	chrome.exe	95
PID 5036 wrote to memory of 620	5036	chrome.exe	95
PID 5036 wrote to memory of 620	5036	chrome.exe	95
PID 5036 wrote to memory of 620	5036	chrome.exe	95
PID 5036 wrote to memory of 620	5036	chrome.exe	95
PID 5036 wrote to memory of 620	5036	chrome.exe	95
PID 5036 wrote to memory of 620	5036	chrome.exe	95
PID 5036 wrote to memory of 620	5036	chrome.exe	95
PID 5036 wrote to memory of 620	5036	chrome.exe	95
PID 5036 wrote to memory of 620	5036	chrome.exe	95
PID 5036 wrote to memory of 620	5036	chrome.exe	95
PID 5036 wrote to memory of 620	5036	chrome.exe	95
PID 5036 wrote to memory of 620	5036	chrome.exe	95
PID 5036 wrote to memory of 620	5036	chrome.exe	95
PID 5036 wrote to memory of 620	5036	chrome.exe	95
PID 5036 wrote to memory of 620	5036	chrome.exe	95
PID 5036 wrote to memory of 620	5036	chrome.exe	95
PID 5036 wrote to memory of 620	5036	chrome.exe	95
PID 5036 wrote to memory of 620	5036	chrome.exe	95
PID 5036 wrote to memory of 620	5036	chrome.exe	95
PID 5036 wrote to memory of 620	5036	chrome.exe	95
PID 5036 wrote to memory of 620	5036	chrome.exe	95
PID 5036 wrote to memory of 620	5036	chrome.exe	95
PID 5036 wrote to memory of 620	5036	chrome.exe	95
PID 5036 wrote to memory of 620	5036	chrome.exe	95
PID 5036 wrote to memory of 620	5036	chrome.exe	95
PID 5036 wrote to memory of 620	5036	chrome.exe	95
PID 5036 wrote to memory of 620	5036	chrome.exe	95
PID 5036 wrote to memory of 620	5036	chrome.exe	95
PID 5036 wrote to memory of 620	5036	chrome.exe	95
PID 5036 wrote to memory of 620	5036	chrome.exe	95
PID 5036 wrote to memory of 620	5036	chrome.exe	95
PID 5036 wrote to memory of 1084	5036	chrome.exe	96
PID 5036 wrote to memory of 1084	5036	chrome.exe	96
PID 5036 wrote to memory of 1340	5036	chrome.exe	98
PID 5036 wrote to memory of 1340	5036	chrome.exe	98
PID 5036 wrote to memory of 1340	5036	chrome.exe	98
PID 5036 wrote to memory of 1340	5036	chrome.exe	98
PID 5036 wrote to memory of 1340	5036	chrome.exe	98
PID 5036 wrote to memory of 1340	5036	chrome.exe	98
PID 5036 wrote to memory of 1340	5036	chrome.exe	98
PID 5036 wrote to memory of 1340	5036	chrome.exe	98
PID 5036 wrote to memory of 1340	5036	chrome.exe	98
PID 5036 wrote to memory of 1340	5036	chrome.exe	98
PID 5036 wrote to memory of 1340	5036	chrome.exe	98
PID 5036 wrote to memory of 1340	5036	chrome.exe	98
PID 5036 wrote to memory of 1340	5036	chrome.exe	98
PID 5036 wrote to memory of 1340	5036	chrome.exe	98
PID 5036 wrote to memory of 1340	5036	chrome.exe	98
PID 5036 wrote to memory of 1340	5036	chrome.exe	98
PID 5036 wrote to memory of 1340	5036	chrome.exe	98
PID 5036 wrote to memory of 1340	5036	chrome.exe	98

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:976
- C:\Users\Admin\AppData\Local\Temp\2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-06_951d667c47b869f4dddf21a7e27750c7_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x254,0x24c,0x2ec,0x284,0x2e0,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:5036
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8c6bf9758,0x7ff8c6bf9768,0x7ff8c6bf9778
    3⤵
    PID:2356
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 --field-trial-handle=1880,i,1603374818886067458,15495494920764533826,131072 /prefetch:2
    3⤵
    PID:620
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1880,i,1603374818886067458,15495494920764533826,131072 /prefetch:8
    3⤵
    PID:1084
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2184 --field-trial-handle=1880,i,1603374818886067458,15495494920764533826,131072 /prefetch:8
    3⤵
    PID:1340
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2980 --field-trial-handle=1880,i,1603374818886067458,15495494920764533826,131072 /prefetch:1
    3⤵
    PID:4792
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3004 --field-trial-handle=1880,i,1603374818886067458,15495494920764533826,131072 /prefetch:1
    3⤵
    PID:4032
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4492 --field-trial-handle=1880,i,1603374818886067458,15495494920764533826,131072 /prefetch:1
    3⤵
    PID:4388
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3676 --field-trial-handle=1880,i,1603374818886067458,15495494920764533826,131072 /prefetch:8
    3⤵
    PID:4460
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4784 --field-trial-handle=1880,i,1603374818886067458,15495494920764533826,131072 /prefetch:8
    3⤵
    PID:3304
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4988 --field-trial-handle=1880,i,1603374818886067458,15495494920764533826,131072 /prefetch:8
    3⤵
    PID:4944
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:896
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff7ef057688,0x7ff7ef057698,0x7ff7ef0576a8
      4⤵
      PID:5444
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      PID:5496
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff7ef057688,0x7ff7ef057698,0x7ff7ef0576a8
        5⤵
        
        PID:5524
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5220 --field-trial-handle=1880,i,1603374818886067458,15495494920764533826,131072 /prefetch:8
    3⤵
    PID:4400
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 --field-trial-handle=1880,i,1603374818886067458,15495494920764533826,131072 /prefetch:8
    3⤵
    PID:5284
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3576 --field-trial-handle=1880,i,1603374818886067458,15495494920764533826,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4656

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1688

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1396

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4180

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1308

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:372

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2980

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3968

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4812

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4004

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2712

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1980

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1156

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4940

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4592

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2372

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4316

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2228

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4924

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:808

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5164

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5248

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5340
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5604
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 788
  2⤵
  - Modifies data under HKEY_USERS
  PID:5632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
7e3821c8d112a2e6b083264f6cf7daa2

SHA1
f1f3c995087f0546e654f0c179262433c3e09709

SHA256
e3881dfdee3cc381bd3a95a5bb283ef8ad7e3511c73bf6a7673c330dfe6719d3

SHA512
579a5afd3de3f00d5cacdcd15c206dedb3df687bd47ecc180f610a61310cc79eb67ae0e9c77c514042b725ef42550a47746e746f9c725bbad86c26ce9b90f7bb

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
cc9ae6e706e4b851fcb389202b833632

SHA1
facf2fbcc3415a0aa562d757dd8c319ec113c698

SHA256
d0f6b34c0e227e78ff6b5265ea8311acca17908786dfdef828bbd35229c00b49

SHA512
c367aeae79fa8284704d6932cd061858f9a5c96e66f5a9de0b6de9dcd652d8f2999f03624ecd5a4469bed62838bb16dd4a42d14616d4207b61c8283b413c8ee2

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
98973506cdbf9e5e0fcb18f74b2272db

SHA1
639705b410ec5efa3f44a6da7a01bf5ef6de4d68

SHA256
7a2c00d6b8b0560783fe58c71f6ba86a2d5f3e0b01bc4a8d0ebef1b68b1af2e2

SHA512
306edf0c4adecc7f38c84ad971e447f865bf1edb2da77adf9ef462aca529293406d5100df69dbedede75a25ee944c215a994a754a9f3214e52734206366578e8

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
251f3130fd6fe7a171ab436640c62e0a

SHA1
83f5021b789db4a7912987532913b6ce2dd38ded

SHA256
9fddcd24efba988d11bdeacc48b3ab2451e90632462b94b14306886477abc395

SHA512
096868a8e3484324929d6c10fcef3c4fe1281569f6b448a99d8e92f8bbc8cb42976e866b847e726fee2886957c5deb6ef898d4b73b2e1fe956d55dbfaff0894c

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
9a1794593b301b23fc696e15adeb0e7b

SHA1
19b2a0afaccc9f843dfe1274ed43f20cdcf376df

SHA256
ced6aba79b36fbd9424033063beea3beb159f1cbdaa6b3390b186f138ce65f07

SHA512
27ecc36b7d25053017bde95c52a475f063b7e39bfa694fa8a9656fcaad2eb5495ed5f5db0b00ef151d18f077807900a136ecd337f25eb3fb8c9dd8dc355b4093

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
00ff8b3eb54df09e5bb00a3ee5991c0f

SHA1
887ede0901fa81a71af2ab8e2d31ecbebf12c698

SHA256
28f4b564a35a855a823c9cee5e12315df27e8ac90c308b9334b26dd5b00c3b04

SHA512
c76047e497c5c4dcf0850e4d76810d77f9a71c0bbeecf75e161b8cd58b2124a5b4263a89b3c9736ca9cf4826889d7a6fc36f73978e9ca4dd3b6195eec90ae5b1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
a65697717a9bf8bb53a2e1a76ccc50f8

SHA1
9dec046097611049338868a99ee6e7cd93206d3e

SHA256
eac7a3b41f6680740d282864d622f192eaef5c5199d49803630c8966373eb83c

SHA512
f06e5c74d494078ff77e2cfb357a3712619f15b41f5366641b53e6fbf80d1bc99ae13961880af6f3c4af6d41185676246b5f1d11ff2ebed64c849422a0272e2f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
b85bc84bb9c8f6252c642e0f0adabb47

SHA1
f8f4115e163ea58df28966ce2df0f30e4865cafd

SHA256
c22170c28f3d56413691301dfc1763cb4ef76c1f0c68b0bb02253e8bdaadff43

SHA512
60f8083be0686ef88ae04ab066e7d2a4e6afc1aebb34e7cf4466393a14d9ecb7d383bdebe39365626c90059a18e9899a5c9be1e0876d801d9456d6e5bb1bfa67

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
4e0affe121d8ae64e8cbe6cd5de7188a

SHA1
81db4019fd6426962c71e171bee03d8c411b3f3d

SHA256
846f937681ba5f58e51c41e2821b63f506766e35506d723213d46420c68e2fac

SHA512
bbbd39f801ed49b3ab11d320929df6a132c4efdcf736edb866704c5318b399121d72a50e13430d42e9f2bf61e972981b6c1ef2d1850d207cc50350e039870dc3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
de862cd8963a8d71e112ca6b76c7b7bd

SHA1
c4f017d707d20bb193c324be541bfc0919d7aa0f

SHA256
2184318c5d981644adc8ff5da78886639eaf090cac7833bd5d68dc5d6a9c5e12

SHA512
8d3af83be7f5b1a51da8c0679ef79565a0f3035895218e457cf51b377f105515ab03e80e5f1ca61bc65c5b285f82ae06da64d34b826db647505177dd8bfe2d94

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
9f4b5c31a84b6985da37ea2dd1d6fd43

SHA1
e25b911cb7cec31f679d61a7febcfbb3189812ad

SHA256
a5dc03d00ef4e494d391b7c22ac34563582b5be65719985e9969792daace115a

SHA512
08703038bae7d690d9fbd624b081e2ce1f0872163c0c4995aeaa037415c6010ce7a5c38db65e11a252a4df0455ae68377845e6067e5ca18d474b67c23de52ae0

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
3cdbea833da594bfe112a89d84d15637

SHA1
9b4098c4ce178255d2d0d2be4719795b54dbda70

SHA256
d3ed61f48630e890046a5e1d62a32f8ed7964a1084f5aaf0108e00cf2751ff71

SHA512
78f44608ca6922ddc4681e430b2603fabaed4e961a8c6ad2f4c236c1ab293d0f7a175aaf1b8016b6155649100a55aaf17112195682963cc810788de4c530a8ab

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
f7d76143137922d5b5af52642225bf74

SHA1
e2689f59ce0e6592efdccfbd7c7fdf0db7164132

SHA256
b384d101ae109f1478d3391f46a0d40c39bd463b849739ee17c4f9faca2c79f0

SHA512
10b69e4bb2ddae3a72f5edd148228736191e77a2bfe407f84d45a80717c645aad6d75f2e7cc0c64ceae1a1a4e1ece12722de5cf826777382327858032e32d905

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
6fb2599e90a1f02df2be5985e399e73a

SHA1
cafe6e2b1125f62af0ee3539beeec979973109c0

SHA256
09daca62b0d87535e75f822ae186c6ac559d21db8fb0ae2969344ed60d4e69ec

SHA512
1d83cea88a414839d240d60fcb90e62855fd582a5b9574cd7d4b7d6807dd0e74f14b3d4f9a7acd960acb11391eecfdd39aecfc5d7ae526a109f509b73f99af1c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
75c12d49fa34dd8ed69a9e0a28e5657c

SHA1
3c519077ef8f815eb2414177acd873bb793e26b0

SHA256
4c8c78bf25edbf18c411e011ac7483f66ce77d89e4a997a9fb547d508c0aa0fd

SHA512
482fb07de495798524407df36aa221731c1cb4d8aa8e9cbf8f2f88e886534312f4d6d83056c73258bc749de817e8f0df5e75f2f1f37395705c0ae3d53ba46bed

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
14bd1a0f0b27dcb95285eae81b610889

SHA1
253d0b49ed136582667155ed1c57fcf0527c39ed

SHA256
23b00ad6544aa0afaaabb352dfec9224c76e1d81f4c3fc88bcbd901097fcf24f

SHA512
df872e7a0ca1af3e25bfc65a8d0630992340d5f06d6de4910f917d1b8acf614ed6332411806cf13218e00477e99451c429118e7b2f2cc7fdec4e1bbc2216cc23

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
464f3de38241c82a43756900ea5c64b2

SHA1
d6520f21584b1d2ea2a9054c5c0f91d9d2bb653b

SHA256
21f708311bb27216dbea3d33423f0a2ffd4f14e3beca28416cb61fa91d7b1405

SHA512
c8d13ea44c9d3ae930d55cf0e8f07e41edd9b853b50ecc96b4cde3203b7a66e1f7997bebf71b7eea91fc9febd17ca0da1a630178426d61ce08e52c2ba2f7cc2f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
be34d9233f6e33b1a62d8317c443cc2d

SHA1
1e3b603f4ab9dd40c3ba96b68a898941510cf8f6

SHA256
cdfc54f23f10c2bfd55b9bc3773bffee18a1ebce811498744c2a3cd04a6eb2bc

SHA512
7c58e51d07dbd8f621af0908401fd186446681f0bbac373dd68734ebc3441bf3de1421284019dd8b721318801b8dd8e4f90c85fc6aff6f65bf070856cedb65b4

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\ab547ed0-d524-4c38-a44d-6bd7ca5e293e.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
ec52c0bd9c1ad33438f1cf8318c1f670

SHA1
bb6df49681ee41872112fb0d36b95677ea0aa18c

SHA256
144fabf17fcece7f8a17f6f9f05e115af5955ecfe1fea8098b848f439ff1b3e2

SHA512
2ea994e00d2c3ae8ce611009eb61b889e6eebb5015b7a967a1d2ba05a9aca9007e7e4f2e8f0df7ea10782da8619255db3ad89b07f8db1eccf6f04a9799fa1a87

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
696KB

MD5
dd08b6f572e0cade32eaefea23cb60ca

SHA1
6bfd27c9a6675f31940926c088225f92d6c0e0a8

SHA256
8d111760455ddee7d072c550cee313176e9672728d26f700e2f64bf5e969336a

SHA512
23c2b0530c183016166f4766dc3caaa4c5f2f5f0cabbe911ab3b78257ce67d3fde8cbc959348743365852d94633508f7d8b24b2473d8876d67a25478d107af97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\3d57b062-5095-4617-8a3e-dfb762f96381.tmp

Filesize
245KB

MD5
c8d5c43413c066aebf8f755dcf7c1fac

SHA1
1612bb0871cbbdddc80208295ab2351b7ea7801c

SHA256
7f674b4f83506f43f7994faca19cb7ca9bbac235a33969ad2a372c47fc79ac10

SHA512
f0d9670b9b1216d65ad61b2ccb65d3209f8541e19c50ea394f001bbce63420e0318985611ec9ca84097263fce9a6e39039a323ef8b105b175ca1ca3735fcef82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
bc16ebe41a9fc2938c4060992a92b0af

SHA1
1719af3e339b187d984a76437eb80cae5dc50e6f

SHA256
5874dbe9583546eb24cfb2b237d58f97ef186cd72866dd224df82e62817744ae

SHA512
c78d4be86a3f35ae07375b37fd39f869d317a6ec6699d7673731e6f9b255d7bcbfacf58ca71c3f51baac1e2b2bbee7da58603efa5bd51a31162c481aab7a912c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
9bb5ec0229aafee4a41313febb3257ef

SHA1
44face5067f422270fa412ebe570689de71b2d3a

SHA256
c19a4621733057a63b50072d06333908dbf3d0d1f207e4bfda44daff16e8f1ba

SHA512
ab1a3af3dd3d252277eb853ec07ac82c337678a74a16f2510c770736cd37b60f50062c7b5ab34f83d74842b42ceb36e6dd4f634ede7909113ffbb6c021300bde

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
593167d184f4b87c23e22b88b6784af2

SHA1
c2af08c576d69683f5e79a6869e0f621adfb0ebb

SHA256
487d145f593d61196b8a9eaa02efd5b24a5af40ed89bc60e013453a993e05dc6

SHA512
6fdc48ce31dac24a2d7fa79c8299f44b1751cbbdf45ef0385976c0bd13598db77d574972f5acae71b42ea80e1ea855d45a9804cc0a247fa0409349a2e4059447

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
277878519c97c250153c0e930f9b1ada

SHA1
776c0de402e961488069d5df8d4f5764314b005e

SHA256
9d1239e303108004aa52793d98e1c792b2b386c5fd6aef0c22c2cf5e967aa0a8

SHA512
0c3a0a2289ab3c16024899a9f830dfc038ba941ac9ba53fdb2ea3bc0a748629d7c348269c4a9aa7940f40adc07221a61fd3cf16d0c1e6a726a29fecb5360dd05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
e8bc625448225a337b5d115704b70da1

SHA1
3a46182fc181b462a2049841ed96ca6463bb8430

SHA256
7fa093ad9be3e155e1d58a5084ddac01f985b80e1aaac28e3d63deac62f88d2b

SHA512
4a4f972411fe5dbb368afd248df4deb7ca4cb61225a346974fd717857d1d4a56882f442e7c2efcc7349f874ef30f71cf0e162b29234cd877707a4e5e37594417

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
36de253aea3b477e5f8a06707280b2c3

SHA1
40581a4bcd8e16b1f1a438d82edb7cdb458f1170

SHA256
1501e7095fe54cde3b231ef3b22e61cd5e066b6ad3ffd01e8484e73865f035e2

SHA512
2b5200ac621e50f353eecf10c650ea9ba20488feb07c397a7bfd9a7c853a3ffa79cbbc462ad60c279845b5afda660a242bbc22e5085e2f51ea92fd9f2fd7e88a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe577445.TMP

Filesize
2KB

MD5
3edecd18ee6edb84a0c5cc2869b57cd2

SHA1
e291fe43a956ab29cd103e3cf39aec8a516938a2

SHA256
74396febec16fd8df1e991beca98541a5417c26fbc44246bd978e98ea81dc3b6

SHA512
30815ff00dbcef7d4b474b51c78c9d9be8ef9145e4dd6fcd8d89076a59e79c01441c62e761a91e13f9b2c03399badffb5717023fb70f6106a6ecbc943a3a576a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
a581c38070e44b2f898b0af80eaf8255

SHA1
b9f2062ee5420333cc79469c4ea12a8eb7903ef2

SHA256
c48b7b97de9f2d45a687dc17a7eff803294c049e86ef28c72bf918ab78ccd3fb

SHA512
f3adb6f68aaf71c36620cba3b4c6336b025d10ddeb5fcd2151dedeee1837a7f582e9178e05b94f978c7e8d11adf8a2ad70de35ab884c24ed684ec6e1f0dc6af0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
6bfc8dc55209a02fc394a21b8be13b69

SHA1
8387d644ae0fd2bfd1ed17e861f071d644093d9e

SHA256
d286735d06305ff410ec0d854ca0bb8a5adb9c0cce1b848d53dba14b513b17a3

SHA512
f6dd7fedcaf0ce08ddf1a41e271637f003403176d31a3376f9ba03b0d5f7ff4b41b88607ef01634c02e1f2796c6fa6bcf1343a9dfd7a1037686cdfee73640f5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
126fdead4352de92f0e633758f79a9a5

SHA1
330904026fe7bd0f4a81d34b12d16bd463db4efe

SHA256
a253fb63422ffc2e6d6e2e9259546105330a69c0af844c686069f80181339f35

SHA512
c7e87edd9a4fb536c588b8559f5300dd84a7c13abe3e1b6d3589fbf34af1bd775a2de10a35f6dc67c7b49755ab9919c9c8224ffc96c7a1407f066c8ce0004925

Download Submit
C:\Users\Admin\AppData\Roaming\1dda00578ed1090.bin

Filesize
12KB

MD5
b7908635e9b40bbcf97a4472e5f3f01c

SHA1
cc5a41a03cfe616bd6d9118d0c1fc86b9817645a

SHA256
f6a5cd2c6612e3d9db36f5c97b52c738a805b80b636770a30124c62de6e84718

SHA512
1d9b5a253426ecf506f8578e987a1d88a4b46f866c34f9ba654a10df54cddd6990bbcd0047c3cf989b95ab284af3f1ab5af6585e83698dd442964886f7a131eb

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
a2114958a7c495bffce997df9264baa9

SHA1
83d31fc49a02180efaffe49c2cf7fbef66614eca

SHA256
6722be79a0993fc2fce4d380653a3ccdda13bb4737fb0ec77e1b2ea0b40fff52

SHA512
4d06e1acf47cb4e1cbb456402cc7093665e8d014a2ede292d2331c19bd7c85aedddd77acb29feae9451a3c9d3912fe933ec54246960da2b40b2a9c67235a6496

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
a1724ffa764df1fa05dd0f99ab8fc55b

SHA1
a8edcb2e536adf7b0b2d091a10e1c4eee9255142

SHA256
39f4daecb0d19e759ad67682fa1da6b049e5a7d6dc55c1754ffb761c69882c5e

SHA512
f42dcc31282e071346afe803dc9204908a494abc7095f112387a197762f03ee78323b67e24a49f519e086a44547b741dd894723ae5755f71f77c3f8bd4ef9c07

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
385600609e63121b59ad0a292583a807

SHA1
6537fae801a1da8f81c888d57d741830fcb0298d

SHA256
566be2af7ab0ef7cd829cd14b47cdc53c887aa60c89cd1253c809f108f92404e

SHA512
aecc76b5ede47998ef3d63fffb6612beecad970c7175176d0995de58f173b7acfaae120b7aeeae15229ce014ffd5616a93456f0a9bc6b75cf06458990e343c69

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
49c0a1619d6d1c8429ded9e02bcbcb14

SHA1
66778e995380fbd06e139be164bf0fa537eff915

SHA256
0f06356b844d11251d8a10dd4a26389e9d4e10bb68b5ca4530f11dbb5e16fbed

SHA512
ce6d6fd0ac37a57dff6a87e75f56b55283f3b22d81ca2837560c7067e109b46537420a7b297ecb4260c7661759fcf2dc0f4e52fdf7edda70d420b4240d705b64

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
ecca8c0bdac1c2c918823e6a05b2ebb3

SHA1
434d8d8a8353c854ee6be03b3eba846e1a6f6d2d

SHA256
da672ac5aa5258c0f0564fbc0d637755d1e54f3faec32d8fd5ba66008180027d

SHA512
cee840fdf8864793384bafef3ca5410e19117ceee3ebb5340fd4c33c442531b77df1c60b82209fe5627d8d0eb64332ae2ff7eaefcbe21a3625785eed3d49b48f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
750d106f1e89a77ca207b73e3ed68c79

SHA1
f4752db3c5b4575b65a7085967e62daf8fe69f8a

SHA256
e6ed15d2ee7311a4e1d4261baa91431f04080860d34cc894b150938e98a9f1f3

SHA512
bfa4321f3b9afa79a822bfcb96db188583dc6c3be3277931810cd13020844c06c28cd4b18f2445bec24a0463812796055285e859983385884a6c6d08d6b65a40

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
3d664d15ccfa8990b3a7dc60138229d4

SHA1
b9690d417bb48449b6ca8d3c474d86bf16437c85

SHA256
119512e968eff605cc1d7035ab7ff72eb8b423dba2a2228ac18dd79325b2bb95

SHA512
26c1bd6aeb0e9813a103f8a751939fe0904178d3b1f1edbe00680bdad826f1791749e7e18bfc827786c0d63cb89e6c049c784aa540cac2873a1cb71d3d52602c

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
cf88e2773ae8374c12aa0e1b34472782

SHA1
b5b9269ee3120fdf8ab1cbb733372d0f70858603

SHA256
4b4724df4009ad629fac2a537dd1c4fb49af292651f074661ebc33f19a63d7b7

SHA512
91c8ea5f8de5d3448173ba5c37ba10e40fe931192072bea04b909b0c0162b5acada4a9b369af2ad736f14497c27e0d8a7be0a5e0c923c0f2034bcc00ec47dfd4

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
8fa6a2daa90b040f1ac631dd6d1a8e35

SHA1
64f7dd857fc83beb56f59503fe90ffb89e202758

SHA256
499b9e850764de63f6cfe3a32cfb116a22488c12821d6f8d1c180f2294622f0c

SHA512
75dffa984a82f1218c61a2a94422c14421798973c8376ed10439db3af35ebc9d5f41a19f1b47df7bec24557c7b96d8c4711615a8ff77e76a829467e745efb4f8

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
cd3ff4524321f1cf7c99410f2e1f47a1

SHA1
0c0ef014b8370290753a6f83af6e3ce9e1ba922c

SHA256
68d91b6f3321997dfbd18cee2a390431e78b083e89ced6c95d7e7664d48561a5

SHA512
357fac7a4f42dc8b3519261c2bc488e7b3f4e2378bf0315f15cb200adf1701ed155ffce0654a8a32d2eb4ad8df53a74e1c82ab60c7fe9d48a7503697211fb88c

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
267cda9e4ddb4ff61d51ca5e9773fda6

SHA1
d9c950198663b37971a4fd61017023993eb638bd

SHA256
17bcd2aecc378827d7838154265bbe2e88c48f37c1021cade27d558776355801

SHA512
d447a2ceb6354c18a2b6b4765ab84139cc63e1e1a75c8d193c1f252a72b94b06c3c92d9e43d1d8ad491a579d768a084fd05fc6869c55d667f4574a47beeb40b3

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
3510b3dcd49b7cfa8ff8d05461291777

SHA1
6453874ac3501eacc02923039d79588cc1884b7e

SHA256
9960a4699051d8ccff18c421282f955b997ca1925a3cb38b5e8e2bd0dc42821d

SHA512
fdeeed57094bd7b45c8d844a7eed35308ca536886f0ae5661062232ec00ece01dedf0f6d6fe5f3701933013ec9b9cf7abfc9ce3bac6b9b6a395b0b7fad59a120

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
3be5d118a417c089677cd5be896df654

SHA1
79367d04bfac6cbb2ee2efc33cd5425c9818cc3b

SHA256
ed6b45ddfd29b0f1cbbc4ad73c25dd298ae06bb65533091387eb8bdaf7e7d2cc

SHA512
e0645adb6bfd3e8433cdf022b5ef76401827b39378cca4491469aa57e12e5c7aa7b3cc1309e9497f5451aa36328af500f575e40985e27100960276c9062e5a4e

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
f3d27b96c0d0e7f5824145b92cee5df2

SHA1
acedea26f21228d9c008957645ab86d82d4bb4a6

SHA256
f1e447de572798484bdd7b08ca1ba6e5600dbe6215bc1c85444cd912c9abc6bf

SHA512
2b28b50c1f8ec235493dad47edc92ee1b6d8bee9c8bf11eb5bf841a47f7507812bc5f12a6b4f1b71a7f918ace09a80ee6e15fed578cb29a82bd538335d6f4fb5

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
8a6e3c88dceb3150fe04ec6d069972db

SHA1
8c3d09715288a5d7b3d942583edf3df2a3259242

SHA256
51066f5eefcd7dafee0d75953bc7101ca9bb444ffec190d7ef4c30e45b3e3978

SHA512
855f1922e9e3d4a29ac0fd493d284c59c5d39fa8fb7f79c1b8375808fd77d644661ebb34a478135e69f71c8275216d704234ab016c29f895b52d07ef79c7c598

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
df378994ffc530105ab79441ee21af5d

SHA1
f44ea5f53711a5ce23c9c112f7b3ca7c0536d239

SHA256
810a377b92930fa9453101fd70b01737d61fd95810117fd69af65ddd1b48fd8c

SHA512
77aec3829300f863c91d9cf2327fff776fe07f5018595f6e172511137aedb8c31438aa852719b477a514b7613c6b3390c23eb742dff0a1d345c114c45ae64726

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
69ac3ff7a1abaaee55da1d5ad83c9250

SHA1
eaed1f0a3efd61afa7af2187f34e1112577d24bf

SHA256
206aac56704221ea9155ae159a92a895728f5314fec1d7da488b026d7122e9c5

SHA512
cdef98baf58731df2805832c4696bfef4966aaa041b14b286077037cf790b57d6369b08494f7da257e891b54f8784ba93819f8387a912e786bb63cc40f9b6bc0

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
5e2d864410956ba21ea702a0d424f386

SHA1
faeb78757b8696832f2e5e1b7af16197b11120c2

SHA256
bd8163cf0f11b12a696cb235fa002c0d601b24eb32d1b9d715bba1fc30b8904f

SHA512
0c02ced64ac004b83f8e8b1280faba62e705ab7704755c034efb6d96ea23a912acbe7c667f34555b8bb156fc2e17f7c5325e54f3f69b5759d0d3f1bc706c590f

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
bb84eab408b76ba9a3fce9253f03fc64

SHA1
56bb35588825f6f31498bcf1b30cadf778ffa8a9

SHA256
790a9ce3e7c7ce0f7c79cae2be69cdcf54288ce0f1867ac750c7c7057b5a5b56

SHA512
98582734192b7a4af9d879d5bf939071bed70bd8fa7f23439223fc067c3c8a9675903db2b2833ee74cc6b7fadbb0511faa8e7179c7293a407e65e6f7888b6258

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
1ac5c8500f6fbabab9b0516d22f8e2ef

SHA1
6c5caaa5e2e47cb5220ea6321184a5a398a9d021

SHA256
469e6d2e3ecb969e38c926fcaa7785e4d65bfdba12882076f8835d5aaf3a90c3

SHA512
f02c16e392dc457b45799b81ace8fa440bc04c7d60959365471481cc2dcd9bb90a6ed637ecfdf5cab3c54d820dcf29219d8f0fef622e677e620af362962c2e99

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
d9a7dfe268d83af5699802b16bc9a2d2

SHA1
d4a21596dab5bbe403451d35fef5084737410c7c

SHA256
82bb803559533243e2de082e68b8c0d80f34a5714407a2b7faeaeb785f988325

SHA512
961fa7f7dbbdd4f753e2d49ed9977cc67245e411578d1660d7741571d6f38709bb1764041a172de3ad228b51b9c99a8333a3873af841b817846161c21ba28abd

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
9fd8a8c93535358dc2181a415f0d52e4

SHA1
289d31f088864555173ae630d853ce2af69c2a81

SHA256
537e55bb8236d9cedcd208b8ea34caed758d6f2f776e916b2432def80ed1c94e

SHA512
245f2d275b20098920227abfcdecb92b26ba042e52fb52c2e62c8a4bb11cc7d6f9d567db4795444bb77dcb0ab58597379b2496dc975c611ee457fc979572905b

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
c36193dfc3046546172e52751cd42558

SHA1
72b40fa365e8565b0c9a7108b544698a9ad20fdf

SHA256
04f11f7252c1103298748b8a6fe886b9f6ab24c1ddcaf0d13e8723142cc1675f

SHA512
df62c6896a0cbb9d4a6eafcd78927b96e42928def5eae395f1e55a84d960e6351e929af67b12e4d27977a35666a9aaa322f5b86658dcbc9bb7035cd8d3d9f029

Download Submit
memory/372-58-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/372-50-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/372-98-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/372-102-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/808-208-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/808-475-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/976-38-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/976-0-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/976-1-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/976-32-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/976-7-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1156-164-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1156-217-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1308-60-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1308-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1396-117-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1396-24-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1396-41-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1396-25-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1688-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1688-100-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1944-218-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1944-484-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1980-146-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1980-204-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1980-159-0x00000000004A0000-0x0000000000507000-memory.dmp

Filesize
412KB

Download
memory/2016-197-0x00000000009F0000-0x0000000000A50000-memory.dmp

Filesize
384KB

Download
memory/2016-451-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2016-188-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2228-201-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2228-460-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2372-230-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2372-183-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/2372-175-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2420-13-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/2420-17-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2420-22-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/2420-111-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2712-143-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2712-133-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2712-195-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2712-132-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2980-157-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2980-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2980-65-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2980-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3968-97-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/3968-83-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/3968-84-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3968-105-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/3968-107-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/4004-181-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4004-116-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4004-120-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4004-128-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4592-171-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4592-225-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4812-114-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4924-206-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4940-221-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4940-169-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5164-223-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5164-485-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5248-227-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5248-517-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5340-231-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5340-530-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5632-461-0x0000020377470000-0x0000020377480000-memory.dmp

Filesize
64KB

Download
memory/5632-533-0x0000020377470000-0x0000020377480000-memory.dmp

Filesize
64KB

Download
memory/5632-529-0x0000020377470000-0x0000020377480000-memory.dmp

Filesize
64KB

Download
memory/5632-527-0x0000020377470000-0x0000020377480000-memory.dmp

Filesize
64KB

Download
memory/5632-496-0x0000020377470000-0x0000020377480000-memory.dmp

Filesize
64KB

Download
memory/5632-483-0x0000020377470000-0x0000020377480000-memory.dmp

Filesize
64KB

Download
memory/5632-482-0x0000020377470000-0x0000020377480000-memory.dmp

Filesize
64KB

Download
memory/5632-478-0x0000020377470000-0x0000020377480000-memory.dmp

Filesize
64KB

Download
memory/5632-473-0x0000020377470000-0x0000020377480000-memory.dmp

Filesize
64KB

Download
memory/5632-462-0x0000020377FB0000-0x0000020377FB1000-memory.dmp

Filesize
4KB

Download
memory/5632-455-0x0000020377470000-0x0000020377480000-memory.dmp

Filesize
64KB

Download
memory/5632-452-0x0000020377470000-0x0000020377480000-memory.dmp

Filesize
64KB

Download
memory/5632-454-0x0000020377FA0000-0x0000020377FB0000-memory.dmp

Filesize
64KB

Download