9dd6dd5331697a53f7f9f104ec124f52e250a995f5fa08712ac84f6553f2ecac

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2024, 13:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
Size

5.5MB
MD5

0d558fdac6b405f59ed1d9e486fa6515
SHA1

b93ee79a8f3d2570d8097499919fe1fd86ca04e1
SHA256

9dd6dd5331697a53f7f9f104ec124f52e250a995f5fa08712ac84f6553f2ecac
SHA512

307f31eb037f89849136ddc753d8caf9b198e9253768b21806c79ff2ad82b65ddde806ee878b27f695dc1b7c2c1a74024627713f10e983a5f81e61de0cafde22
SSDEEP

49152:WEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGf7:sAI5pAdVJn9tbnR1VgBVmxnlS

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2976	alg.exe
3220	DiagnosticsHub.StandardCollector.Service.exe
3620	fxssvc.exe
2392	elevation_service.exe
4500	elevation_service.exe
2004	maintenanceservice.exe
4756	msdtc.exe
2084	OSE.EXE
1336	PerceptionSimulationService.exe
2948	perfhost.exe
4896	locator.exe
3248	SensorDataService.exe
3536	snmptrap.exe
920	spectrum.exe
1004	ssh-agent.exe
5268	TieringEngineService.exe
5380	AgentService.exe
5536	vds.exe
5780	vssvc.exe
5976	wbengine.exe
6080	WmiApSrv.exe
5132	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\46779a4f46f975ab.bin	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_79656\java.exe	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000012c653164d8bda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003266b9174d8bda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000271281164d8bda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b897e7164d8bda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a16351164d8bda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001e3988164d8bda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000514536174d8bda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
3628	chrome.exe
3628	chrome.exe
5060	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
5060	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
5060	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
5060	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
5060	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
5060	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
5060	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
5060	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
5060	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
5060	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
5060	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
5060	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
5060	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
5060	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
5060	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
5060	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
5060	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
5060	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
5060	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
5060	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
5060	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
5060	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
5060	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
5060	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
5060	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
5060	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
5060	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
5060	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
5060	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
5060	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
5060	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
5060	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
5060	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
5060	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
5060	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
3772	chrome.exe
3772	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3628	chrome.exe
3628	chrome.exe
3628	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2140	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
Token: SeShutdownPrivilege	3628	chrome.exe
Token: SeCreatePagefilePrivilege	3628	chrome.exe
Token: SeAuditPrivilege	3620	fxssvc.exe
Token: SeShutdownPrivilege	3628	chrome.exe
Token: SeCreatePagefilePrivilege	3628	chrome.exe
Token: SeShutdownPrivilege	3628	chrome.exe
Token: SeCreatePagefilePrivilege	3628	chrome.exe
Token: SeShutdownPrivilege	3628	chrome.exe
Token: SeCreatePagefilePrivilege	3628	chrome.exe
Token: SeRestorePrivilege	5268	TieringEngineService.exe
Token: SeManageVolumePrivilege	5268	TieringEngineService.exe
Token: SeShutdownPrivilege	3628	chrome.exe
Token: SeCreatePagefilePrivilege	3628	chrome.exe
Token: SeAssignPrimaryTokenPrivilege	5380	AgentService.exe
Token: SeBackupPrivilege	5780	vssvc.exe
Token: SeRestorePrivilege	5780	vssvc.exe
Token: SeAuditPrivilege	5780	vssvc.exe
Token: SeShutdownPrivilege	3628	chrome.exe
Token: SeCreatePagefilePrivilege	3628	chrome.exe
Token: SeBackupPrivilege	5976	wbengine.exe
Token: SeRestorePrivilege	5976	wbengine.exe
Token: SeSecurityPrivilege	5976	wbengine.exe
Token: SeShutdownPrivilege	3628	chrome.exe
Token: SeCreatePagefilePrivilege	3628	chrome.exe
Token: 33	5132	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5132	SearchIndexer.exe
Token: SeShutdownPrivilege	3628	chrome.exe
Token: SeCreatePagefilePrivilege	3628	chrome.exe
Token: SeShutdownPrivilege	3628	chrome.exe
Token: SeCreatePagefilePrivilege	3628	chrome.exe
Token: SeShutdownPrivilege	3628	chrome.exe
Token: SeCreatePagefilePrivilege	3628	chrome.exe
Token: SeShutdownPrivilege	3628	chrome.exe
Token: SeCreatePagefilePrivilege	3628	chrome.exe
Token: SeShutdownPrivilege	3628	chrome.exe
Token: SeCreatePagefilePrivilege	3628	chrome.exe
Token: SeShutdownPrivilege	3628	chrome.exe
Token: SeCreatePagefilePrivilege	3628	chrome.exe
Token: SeShutdownPrivilege	3628	chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3628	chrome.exe
3628	chrome.exe
3628	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 5060	2140	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe	86
PID 2140 wrote to memory of 5060	2140	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe	86
PID 2140 wrote to memory of 3628	2140	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe	88
PID 2140 wrote to memory of 3628	2140	2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe	88
PID 3628 wrote to memory of 4228	3628	chrome.exe	89
PID 3628 wrote to memory of 4228	3628	chrome.exe	89
PID 3628 wrote to memory of 3044	3628	chrome.exe	92
PID 3628 wrote to memory of 3044	3628	chrome.exe	92
PID 3628 wrote to memory of 3044	3628	chrome.exe	92
PID 3628 wrote to memory of 3044	3628	chrome.exe	92
PID 3628 wrote to memory of 3044	3628	chrome.exe	92
PID 3628 wrote to memory of 3044	3628	chrome.exe	92
PID 3628 wrote to memory of 3044	3628	chrome.exe	92
PID 3628 wrote to memory of 3044	3628	chrome.exe	92
PID 3628 wrote to memory of 3044	3628	chrome.exe	92
PID 3628 wrote to memory of 3044	3628	chrome.exe	92
PID 3628 wrote to memory of 3044	3628	chrome.exe	92
PID 3628 wrote to memory of 3044	3628	chrome.exe	92
PID 3628 wrote to memory of 3044	3628	chrome.exe	92
PID 3628 wrote to memory of 3044	3628	chrome.exe	92
PID 3628 wrote to memory of 3044	3628	chrome.exe	92
PID 3628 wrote to memory of 3044	3628	chrome.exe	92
PID 3628 wrote to memory of 3044	3628	chrome.exe	92
PID 3628 wrote to memory of 3044	3628	chrome.exe	92
PID 3628 wrote to memory of 3044	3628	chrome.exe	92
PID 3628 wrote to memory of 3044	3628	chrome.exe	92
PID 3628 wrote to memory of 3044	3628	chrome.exe	92
PID 3628 wrote to memory of 3044	3628	chrome.exe	92
PID 3628 wrote to memory of 3044	3628	chrome.exe	92
PID 3628 wrote to memory of 3044	3628	chrome.exe	92
PID 3628 wrote to memory of 3044	3628	chrome.exe	92
PID 3628 wrote to memory of 3044	3628	chrome.exe	92
PID 3628 wrote to memory of 3044	3628	chrome.exe	92
PID 3628 wrote to memory of 3044	3628	chrome.exe	92
PID 3628 wrote to memory of 3044	3628	chrome.exe	92
PID 3628 wrote to memory of 3044	3628	chrome.exe	92
PID 3628 wrote to memory of 3044	3628	chrome.exe	92
PID 3628 wrote to memory of 3044	3628	chrome.exe	92
PID 3628 wrote to memory of 3044	3628	chrome.exe	92
PID 3628 wrote to memory of 3044	3628	chrome.exe	92
PID 3628 wrote to memory of 3044	3628	chrome.exe	92
PID 3628 wrote to memory of 3044	3628	chrome.exe	92
PID 3628 wrote to memory of 3044	3628	chrome.exe	92
PID 3628 wrote to memory of 3044	3628	chrome.exe	92
PID 3628 wrote to memory of 1828	3628	chrome.exe	93
PID 3628 wrote to memory of 1828	3628	chrome.exe	93
PID 3628 wrote to memory of 3612	3628	chrome.exe	94
PID 3628 wrote to memory of 3612	3628	chrome.exe	94
PID 3628 wrote to memory of 3612	3628	chrome.exe	94
PID 3628 wrote to memory of 3612	3628	chrome.exe	94
PID 3628 wrote to memory of 3612	3628	chrome.exe	94
PID 3628 wrote to memory of 3612	3628	chrome.exe	94
PID 3628 wrote to memory of 3612	3628	chrome.exe	94
PID 3628 wrote to memory of 3612	3628	chrome.exe	94
PID 3628 wrote to memory of 3612	3628	chrome.exe	94
PID 3628 wrote to memory of 3612	3628	chrome.exe	94
PID 3628 wrote to memory of 3612	3628	chrome.exe	94
PID 3628 wrote to memory of 3612	3628	chrome.exe	94
PID 3628 wrote to memory of 3612	3628	chrome.exe	94
PID 3628 wrote to memory of 3612	3628	chrome.exe	94
PID 3628 wrote to memory of 3612	3628	chrome.exe	94
PID 3628 wrote to memory of 3612	3628	chrome.exe	94
PID 3628 wrote to memory of 3612	3628	chrome.exe	94
PID 3628 wrote to memory of 3612	3628	chrome.exe	94

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Users\Admin\AppData\Local\Temp\2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2e8,0x2ec,0x2ac,0x2a0,0x2a4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:5060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3628
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd06d29758,0x7ffd06d29768,0x7ffd06d29778
    3⤵
    PID:4228
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1660 --field-trial-handle=1884,i,12902712342938712336,3908004407744542040,131072 /prefetch:2
    3⤵
    PID:3044
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=1884,i,12902712342938712336,3908004407744542040,131072 /prefetch:8
    3⤵
    PID:1828
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2144 --field-trial-handle=1884,i,12902712342938712336,3908004407744542040,131072 /prefetch:8
    3⤵
    PID:3612
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2880 --field-trial-handle=1884,i,12902712342938712336,3908004407744542040,131072 /prefetch:1
    3⤵
    PID:4648
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2908 --field-trial-handle=1884,i,12902712342938712336,3908004407744542040,131072 /prefetch:1
    3⤵
    PID:3104
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4644 --field-trial-handle=1884,i,12902712342938712336,3908004407744542040,131072 /prefetch:1
    3⤵
    PID:4088
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4816 --field-trial-handle=1884,i,12902712342938712336,3908004407744542040,131072 /prefetch:8
    3⤵
    PID:4524
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4824 --field-trial-handle=1884,i,12902712342938712336,3908004407744542040,131072 /prefetch:8
    3⤵
    PID:3312
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 --field-trial-handle=1884,i,12902712342938712336,3908004407744542040,131072 /prefetch:8
    3⤵
    PID:4676
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5252 --field-trial-handle=1884,i,12902712342938712336,3908004407744542040,131072 /prefetch:8
    3⤵
    PID:5116
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:1596
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff77eae7688,0x7ff77eae7698,0x7ff77eae76a8
      4⤵
      PID:5628
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      PID:5692
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff77eae7688,0x7ff77eae7698,0x7ff77eae76a8
        5⤵
        
        PID:5728
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 --field-trial-handle=1884,i,12902712342938712336,3908004407744542040,131072 /prefetch:8
    3⤵
    PID:5400
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2440 --field-trial-handle=1884,i,12902712342938712336,3908004407744542040,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3772

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2976

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3220

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4192

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3300

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3620

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2392

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4500

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2004

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4756

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2084

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1336

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2948

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4896

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3248

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3536

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:920

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5160

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5268

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5380

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5536

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5780

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5976

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:6080

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5132
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4116
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
6faf1846b1db09cee55b57cf1c28df07

SHA1
88f5da07d6a752558cd1522c74f7f57e39a09f46

SHA256
a435d159345141f878d8ea37a9d8b8195ea46cc21375f0c429fc34fd9b83f090

SHA512
0855c71d9951e1b1aec0779b26b1cb88dd03eba0f3cbdac398abc98d6955f6c616d431e869a5de4944becc3d529394508a5f35de3375ea4d14b8e631dbc8bb97

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
334b4b30ba5f02a9f28931157dfc953b

SHA1
72e1a8534ddbd58e0eab6dc5071e1d8a1f5e965f

SHA256
3fba7902f651fa149c6d399d82c1097c06e6a61c81056899f0e1610808332854

SHA512
97a48f89d69158dfd79786e7e4f62165003e1371331ce27e0064d41f9ddb9b5a4666786b3e58423ff5802a94c9f958c89aba3434bd4fbe2a2e16324c7f661b4e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
e91650cb89436127dad10b3920a97166

SHA1
3f5c2ad689c4176fed2bddcc4208b7ff7f1f13fe

SHA256
b715fb7a889df35be1daf59e2b97f592124dabc73fb2d882d4393ed4db209e1c

SHA512
01e0628e70b079126151c39ddbb515d12c632cb1cd14188addd81a0c33d5227aa7ceed5acb914d42253d34e0bb6d33dac7037b40f10c9535dbeb4af20bb9cebf

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
9ab8b7dcbcc8db2d402998d1d7da3f9e

SHA1
310fda6c651ea0b0e6dcb40344164ed45e0506f6

SHA256
40b072cfd02b156db38af1b0098744c1917b07a48c938985e4032f8df73c49c6

SHA512
4196c9f59d7e0cd0e59fb127711f3632531ea7c1f86b1d3c50d5341917da28c91ec71a5982fc5f4f56581b965b114675cef9ad7a74052b2224bd834521440e6f

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
e5eef44d81acd9cf892a6840eb414ee2

SHA1
1a4cc92d73cbfa9788bbd712ad84b71413171f34

SHA256
d38280fe749aa2ff2ea4b770fb93d947a04ef7b96e03f9d5afa4a3ce4dd35282

SHA512
e8a0085b06bc0d0555c1f612f8b5d685654de697f8bb1cc32b67960f7a31bbbe6a214b996772660157d968922c5aa6f3c1608638aa474b141e9fdb86a5354ee3

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
beff7a59dca7fb7e2e0c0101d458676c

SHA1
d9c4a8cfe5c4b63c1abc8f8971ed94aec194918c

SHA256
5aad71e9f6247b1303661817d40ec33b808ea24591b9185ea13bdfdcac400a69

SHA512
40d9b0033290dc2b87c97a1d5a7f98a8f4935e1b38d01b3188f48a3f29b853ffc2698947bdf7458965c58a8f7ea64a8a81a1217264ba900ccf67dbc37804c8e6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
c5119d93a49057b0561bf051200b8ddb

SHA1
f24e367014ccdbbe946eac7e65cca01925aa7e35

SHA256
220fb79bf9c38a8c4610d06411c77ff1d3217d60ebd5dfc6e8812bc94ea9a95c

SHA512
82719a0a5f5b9ef43cd74ff910c0345385f52e9456bd7417d7b76b7c5396393d7f453867c126d35eddff1aed36e6a64e42d22403c3e0fdcefefdae91111c60e0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
90f9277eef1badbd4cbc17f643b33c42

SHA1
33d809d98819aa7e1679ec0ca2c44a862b17c1a4

SHA256
d8731e62fa81edbc3e7d938667207cca1bd2a5cf1f968aa57d2e3f3b0e20e31a

SHA512
c0c53b86434624513a3397671a83d3d2585ca179f0da1e429067240e510ac757c7151da0e91c0b72646c54481e658d8cfed1fffef53f80cddc90ea948d3b6682

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
9f5dfdbe099f0c70bc1a6bdcdf46e40a

SHA1
8255cb07971a01f59bab125e0305ba82479c7fef

SHA256
da8dca5f5e76e2545340319db07869295005a54eddc2487232c1d4444ac758ac

SHA512
6764a08d873c8ceefd273a5a3ebc6af97dd8bae0792e69d46714ac1a560e93544b5ddbf705936388fe27102a845664a198e535dc800912b3e295886ecaafac5d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
d07841b88d9ee04e144560e5fcd6c54c

SHA1
eb7f615179ba1407841fca407b0c5c8ac3d1f1c7

SHA256
0e95d6107ec9004e052dab26b8e52ff4ca8517b3f2eff8eb0bba186a60189250

SHA512
8c5f2d77a6d1d14ad1869e65d66c4ec85ffd72771ac3452cd1ed3337c34a085a618f3eaf39e4aca22d9201f4a5335f77c10caefa2eec9ba4f1f83e957ecb6ab0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
ded31d7df383107d8f9e255fbad01448

SHA1
08feb1410839b6d3db06d8bfbab34f51b1c38f48

SHA256
294e5ef9c98589dbd6cc007ef88d48c519efde2f0079bb48c708219e581fa05e

SHA512
52cfbb74de19f844c35b55c910597cdafcd31df80482eaab3c3779444de93ab22cb43080747640d82c2161fd9737c32ff6fcc3b88f27c20a23d2fcff775ab783

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
a59bcc71cc2585639a00c5ea62d29e13

SHA1
57d22f0dbc2000afcb308b30e9059bad7c93a03b

SHA256
25c1d5e4fb9928edfcaccee2f7b566f8d520c4a5aa3ac0f2dbd222f606152f84

SHA512
054a7bd094143376a3d077ac40dffdd0b60303ea6c2003534271241dd27349a56452a6312bbffcd5fac2206995cb20104e76caf8fd935b7637c7da8fa0385003

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
43d5af3d31856c403e25316bbcb06507

SHA1
53f3657bc99288a84844e9d25b3603a8fd4aff55

SHA256
f49de82836fde792d0b780c0c9fc23dde052d3699b960ffe4fb751a72fe78b48

SHA512
15bbc63c518f10f9ca5701f34fcbdb4796d0e0970a78f118039f63fc94dc074151c9cfd323113476fce417baf64d3e40ff0f14624127d4860bab35d5c6e17548

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
9a1b6495104045a3e788571d37bbc2fa

SHA1
80ea6abffc02e224b18d44d3dbcdd1fe8c3f07d2

SHA256
21d69f7f69b6290f57bda4e849d5583ff967f8986bcdae209dd36a7d9d8d8224

SHA512
63452e9823b528855550c52c82ff90929040ac40c9dd09abb89c506670d8d79a150c3e2714e7c31e4839de1cb636a3e7ad825189116c9ac2035c129724b636c3

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
1f5a6d3236504fae72ccf837e9eb459d

SHA1
2056a2b157db11364509a8131872f5ab5b8637e5

SHA256
93f0441f31c45a48f91ff4733c624039d268dc4c79578e2083ba6b0275378287

SHA512
d0b87d2983d811fe7df787cb6abbccf0cfb53c9d26ec0d4da4770a0fd0fd4a1eb1d04aa20df45c783354f938c4522e7a64fd9d02d811c592828acf53e7a6fcf4

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
437df2479bc074555271c5d3f5bba26a

SHA1
c7681329ce21bd6156d8155eefff2946d23e6904

SHA256
f843567439c13095d33f475ca0ca27f0e9181339a192a89b71b413f86c84ef1a

SHA512
42d2ff9a4523b58fb14d21555ec2ad0fbcaab818822bf0941cb0ee5ae0c7f491861162da8d39300bd5a6c5be59a69a1892d3a7e2f6c4dff82ace908ee31e4b9e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
50c441492940d13b7914099343ca4216

SHA1
0312282ec2b7de308adc30b55a0e2793498c1704

SHA256
b58f76284c10aa7b05a81468f58ed4c28c9dddc79e6f86d49cb423954136a647

SHA512
64a10b4a3082b63c247424a92f65ae97129f87469f9b4b9b1e7ca36de6b23bcda5652181da1fcde1dea723350995ef1020c1bdc69463e4d2bee774f96b6d8a1a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
ba3dd89dcb302975ddb753f301fcf75b

SHA1
b439cddfae2696df41ae52bb6f66b61e568311ef

SHA256
d88f214533e9afda92b9e7f90ae9108be6e4e206d80f10608d6df8d6043b7a34

SHA512
de95e56ea084bcf8edd7dbe1c5ceddc7c7051805ebedf650f7ec4f7071fc0e0d1a3792c728ca08e2606587b8c7463020a657b0d16ed498c510fad2be1539e59b

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\20240410134330.pma

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
2461b72b918841a4e825414f6e682ad5

SHA1
a56dda68182e9bdc930dfc04ac288791c43867ac

SHA256
a1bf1f4fa8f54326b30cb57d04187018c151645b254eee752346d616f2bd9d1d

SHA512
60cdf6b3d19da4e297d2d8f2569e7f77c9db281a3fb2487a511670514df8e2b1a1fdf03d08e6156ae755307c432a0c146beb02f8eda9317092b1f4865f4b4bb1

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
696KB

MD5
3c00153d050ed44227f7a27fc11d2eaa

SHA1
5addd514aedbab772f2b61177f1baad4b73f2fa7

SHA256
550a41558839139a8a70d1358408946ca379cb9aa9ce4fa17d8872409b04f1ae

SHA512
90e5814a96fd7eefcc0b14db253babc57316b4270c3b6ec01183d91ddb3029caa2dff06f539b03fbbc061c0f2fd3dd7f2ed72a500805aa755ed55064cbf71aaf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
1a7cdcf21794595155d9daf1ec65d8da

SHA1
40352477e8e67dcd08926c4d5904886a59ca052d

SHA256
ce57ea98de4e5bc14ef94248254970c775ec2c2e1105acf460333f725b3366f3

SHA512
3e1c27fc5dd19282fbaec773dd87077fe1749a450b2ee15bf001548751cc6293025e3454482706126131febb642021ae655350bbe8d43c5cd057b73708241895

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
a59a661c519497289d86eaaa6d961e96

SHA1
a0b91cc52cef1118e28fe113756d1658fb6c8b84

SHA256
f3e9bc1c8cf1b908e319233f5c0ebb0b2c78c86d57965634f4046c808807d06e

SHA512
aee40ec822e8117ca1d05e46695b7accbe3d14b357f2696607c6d5f19c783fef50b7ee2d068f1cdd9279b2ba932af587ad8aafc1c0972625a9b6cb3ceeef8a8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
ae8af98b1f887dc658cd213ecfa0cbfd

SHA1
f37dd8fc6171b1c43a8b3cf8db08cb1a2853a92f

SHA256
da550ad5e842413076592c6d5da280a6f8a81ed06b26ae644f6330470ba7152f

SHA512
daed3ec46a58d960542e55e58911b087d221636e0efe87aa22c3375d382d58b87de7438077d3e18acb7836ba501ebff82b78bdec4e8e80d300df6507a6766793

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
b34393a88d44cb10463fedb998808751

SHA1
c70412743fc45534f0b902ac6568e9a056df6391

SHA256
eb36a2b4cb1ca50637732b4a50e7f01bfb987bc864bb7c7bbc373e9cac04e056

SHA512
c99367eaf8b2507676d535440dc235a6c3e37d07ee6cf60cfec4d97ba3665e5916d0e266a34e9f7d8d59f4b1d10dcb85d80ce05258f8b9025731834a1a2bb152

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
1d3834d92c4be1255c021375bc6bc13b

SHA1
66dcb250d4b9633740597adf19a0202e8f456560

SHA256
2ce2ae0e559665992973a805445432b7d43a0ca473f1d922e9bd84ada958f2ca

SHA512
ca66df261fbb078416152e8c828a323927c1a14e30e4c883aa63b92b3b08d7fe003713c5b53ec9caf51ecb8684fe4b7808a53dd146f0a2238f8bcfdb88b43749

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
001b68c6a577e6f9457339bdea84ab66

SHA1
972cf1248975ab2a0f7ac5276afea479cec26f97

SHA256
22967cb9831741d097770405a663f387260040e9b42a3a6d814b9b8e1541ac5b

SHA512
3e580d24bba4c35391a960f75ee4f533394b9539152c15291a1132667e7378201a42e2c3b952b007d65f0a6913142948d5eefca2ab2f0406606eda66557fd886

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57608f.TMP

Filesize
2KB

MD5
f17dd383c8676e8278df4555e1f52807

SHA1
c05d24e34597ab70955806f2cc8333fc8268f6b8

SHA256
5cce19535dbda5de3a87b5853ef092e281c10b1ac94a8103adeedbebb269de8f

SHA512
a6bca5bffcdef4b078f4807da14acf8dbb286fe1d71e591f59c7cdea0eec5ff7f4ed9eda8a55127e1e8e12c990f74b08e243fdff9796b525965a5c6e3328f116

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
6e7e52dbed4926a1473365d8fa1f670e

SHA1
d483214982814dc607c05dfebe07b4773834f0bf

SHA256
acbf3d459804a910c1fbd43c87bf91fe12b3c647080a64294ec9e6055c9907db

SHA512
45f1505697201b778421790aaa533078fe7e978749fa1c5b70b39ec696841690179203c33bd1dacfb5318a5476d08715e46a88631baf6d009c081d907ac7ca61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
260KB

MD5
cd219d030cd9dfcd09cc44174c38bc8c

SHA1
ad0a5c5fdb5dc4347e63bcc07cdbc2020de28a1a

SHA256
5503133aa398883f4f7401a7e664ef913793854c70a8df27f2feab0d84f196b8

SHA512
6b1731540c2dad35b9a965e9326fcbf09258538ac8609e5610d8a3afc48c8822c60b7e9ed06c23de4e31ce6d75285f548f16dc0e78b5893dc2b2bd55ba8acf80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
f1f28c768e9ff58bfd58902a18a13fbc

SHA1
8b25d2af3f011964358012dfa20464b5c4715ff4

SHA256
2e8c1f29484e5099a6dc37907f09e2421564f3d8cba841fcecd3e84aae2b251d

SHA512
7fcfaefef869eb2d0e4948f985bee46ef362c798b5071e90fd4e784580d8d4dc4e05e1793205c51a3f51222cdb231595e620bdb0974a3f01f3a30406239b0d01

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
515e7f7bfe65e6cc8b1283d6ed5e9251

SHA1
0d35b3f5eb82650592815f5156730631c6db30ff

SHA256
8edce0208c539224bf027ae779e38090d3360b5474696b88afd078e86409e7d2

SHA512
3a194de1220016a85ebecb91b96e45a08c2c0a74cafbf42bce207a788b09c2b58984542b7f6d5da74d909fa30d551c1883a40c3a8a6537eda67a22c9b6c278a4

Download Submit
C:\Users\Admin\AppData\Roaming\46779a4f46f975ab.bin

Filesize
12KB

MD5
f9b6eaf415435d89da3666c02efd1adc

SHA1
aeac2e60b4edd7024b58920a88b85d63abd98f71

SHA256
45b0ad070eb87de4e5043dde2203a23b674ac4a3d1ce991c7c8cfec84506b7a7

SHA512
8fccafb426dd806d5c85d9d7c77a5c2aeff0f7e34de8a0b3ce20873c40c86c8872ee7d74fa8208caa853f584c2821bc05e9d3b61116ffa17e99c4d52cb779cc7

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
f00e8d932291a322aeeca557528df83e

SHA1
c125a3b2b0caa2fbf145f15a59ab42e3d5657608

SHA256
7548cad61af45f2e7083ec10dd8d46467236bb662941ecf411e3c82b04ddfad0

SHA512
0754c2ce4514c529c76e3452f3a36b2f1aae213281d642c8517ecee7c56bc102a7c7f8f0e36a7f353f7149d52317650a62c0db2896d5c1884c4a0cffe8db585f

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ffeced640a85b26aaa969dfa9b9ce8fa

SHA1
a7a0c1c8deb6c2ae0053531ca289fcce109966da

SHA256
cf98c8a96abb2ed2efa9109c65f4d4f02677a0e0cbbf15ac79e80c90be639f11

SHA512
c67cef447b1f1c3f53eb16e95bf76b902b862040f015671ad1d6445db9646a65329336607523bba1a411032f57451708569ff5dd8059cb1e3650608e76526248

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
41812709c2c4295f26473f0ac235bd64

SHA1
4a78542854ecad065ba480118904169d45325438

SHA256
05a9c8528c71c5f4ff96fb3801e6860639491c5ca32a460e0229df354c8684b6

SHA512
d6fc2aa35a342cde6e0d0be76d5c77cae6ec19ca090d2bb290cf3dbe18051f33d2964f44e843d407c0981d55878fb8ff370d305f60d845c57e50dd23e612f8cb

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
aa98fda0738403046f86a8b67fe713d3

SHA1
796cee8a74ce9d2a753b3931e5b3f046d0ad3317

SHA256
8e3950dac2a9d8660f4d09360ef3125ee0c370cac5858bdd38b8a7bedd8fae08

SHA512
870cdea1d25c6f05ba8a68c98014a6a867279bdf2944a3d7194a2415c40f94fca270ce6701a3e6ad2ff27f2fc2c760b35486df504ceed06b545ddc56a5115974

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
75f2a75c7f0449bb34a2796c14721c94

SHA1
7cac4394a2482acac8c9cdb01e61fb8857f66c0a

SHA256
91793ae341e720ab795051cb46c129270e38ec618593dfe213b3b165be4fdd76

SHA512
8e167a9bfba25b2f4c9f6a2976b6010997080b9e5da3967dad5aa100bfca2a8d726e1f10450d036e51b3c4c65a4cbb9ad92a69fc58782d4034e7b31a622d7567

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
0830d781ff3f32a348c5a945cbe9941d

SHA1
fe654dd005db92bfbad439331f8ea6219d4890fd

SHA256
70a11478747b74abeba73b17b4613b8e78140ac7de26e6b00faf43192a2f1916

SHA512
2fd7812fcdea268261928a3475aa95db4dda0e32f8fdc7faf3700150593ee22f741e9a734cc3d4032dd13d70a060e782094990084b31f52d4daf9af19a6abbd8

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
d1abfa03919a0c7a892d1c06a3bf098e

SHA1
456ca9620e4d559ef7ebe1ef770fda2d9ceaf809

SHA256
9f629bc091a6c8a517041aeeabfa5ffa160f2a71ce93b521954ca79d72e6e754

SHA512
22edbe3ef05b0ac6435dfcbb53e9195edc884374b6750e546be66f4a56538798389fdc0fd1d36fbe86b2953142013e60bbc0d7ae023be7ca006c9b243014d140

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
5b9e28407189df95cd42da2af2bea4a1

SHA1
599614f4ad45ce540a1bc65dfe33128cab60171e

SHA256
7e26e1f61cc0f3f054e14178b92331170b200758cb128d025f8d5a183fdb081c

SHA512
20498b2ae12beef066367e4f2eb30e06a7a27ea41a7991aa07768b1622b19a9503394cf6ad2a18e5f1d918ecc48b06255b8cbba59d2699dd567de1b3183b2aa2

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
d00ac2069e559ca75682c19ce3d100eb

SHA1
d0977df5a2f878eea08523db75fc9c03e76c431a

SHA256
4963895613b13be5e612eec1d77f8bb903c95247b1911917638b4f21e50ac675

SHA512
5bfe43eeb7b90257365d3b23141416f9bbab7bf4d9a7bed9889d3394f738a148a0f088857bd975844f5e5d9295b01ef5cbc5f896df0498b73cf843df6e0dd976

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
9b6f413c238dc67d60744ef02871e67b

SHA1
1f33e64dc17e48636a7aa02c2f5a9aa07d8c26b0

SHA256
a91a94ea328c611d415ed80d1e2708ef240398fa7c24383316a00c7f66e9a92e

SHA512
ad8a94c6c199829f22204251223c67913379031e7e3f03982bece100d32b21e9342aef87e8beaa5e169129b138d51f36f4c01494697c04aa2f8397536f136bff

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
8f6f8f8a958ffe3b0e6c33e1b19982f1

SHA1
d1a51e55f5018e6546bcd8c75e84110077354dbc

SHA256
a54c75ceb15f6a7553693075036710e2f186d90bc8067c2a4ae39e032fa32f3d

SHA512
d7b00b0b9a3706d30cf6a7bb20d827f2197e1eee19bd1e09b2d045e1ef16d1656dd5d0c5769d796e2ae035b1e1f57f44f482ddab698b411738b4f628efa741b2

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
b4065fc337acae5fbbcfbb6d5362da62

SHA1
2fd5626df60f3335b5312fb56e2b1106eee1540f

SHA256
b238a9f1b3436937e3401717c66a805c89032058b4f842b83684f16db279e35d

SHA512
29e9b25b4600d8b2ed5a326bf96bd2b8769076e5e972ac3427a39fcb22ed4ff2e22ca6dce3706b0c56d49bdb257aaf73103c36c270f98149fc1d307aa3cf6491

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
31a2173ab04a52d6270548d5d9612a25

SHA1
8034a23822a4248f75d37830f2314869816b3a82

SHA256
07a8e5a9cee6c41d0d391be3d5df3f1297eb63f1ed55766ef82a8c273aced627

SHA512
2185a358688eb33f31aa743df3cfeb545bb9a29259f7f4d2e9a2f736ebfcbe328fd9b39fa0f84b7c203391d73106963ff8ae277684594e55225685c54f2c271a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
d9810a5ee8f611ba1f8001d6e33daaaa

SHA1
b9be110e7fc9d2aa04e3cd51f3048cbc56371b77

SHA256
0411667fd27a7d0e2cd9e07aeef41c95e2dbc5db9b6fe4329ef5ef808b2c4680

SHA512
91beb7f3435e9d52bf5ebc793a149c78ea42b7bc6d1aca648439903f3d2e448c2923da0772b508ebfaeda44b10d1f6de6dbed3d007eef0f033857cac2fcd68d1

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
798b1c8250fad1de7c0ac22c2d669350

SHA1
93fcdc0f7185cc28494bc37a3a8ee35ff97c07b0

SHA256
e5c5f659ae84582fbd4a6db59d89d3ba71e572bf3fb96e32561cde77f3775c55

SHA512
629b95dbfda75f7120f86e5fd56c11d5eb6ed6d93473af9a45aa5ace72c1ae5978814f22bdfeef64f88fb7e264c83799bdc1dfdb18027dabfff641e492d3eb80

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
3c9ccd6c3b8a769c3a517ecae2264c0c

SHA1
3cad67b47e266a64135c3493a1a7c36e8e105068

SHA256
32c7ce549c51dd75bc3afe991c27c6c0a3cdd6ea64d23137a63eddad15423981

SHA512
79f1224afcf031e80836f808c432e8307746c3c0b6a8be7691e9c701d6665cbb52aa78ae75add2c0b5ec7a7db70cad37a83aa0e41d0313cab8f57d14ab13a42d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
aff079c34d4a7cb2d4f7f4de64d9a828

SHA1
681a5a6e7152cf2b96308148fa66c442c0c611df

SHA256
9de2680443bfeb6effe37e8193e7c6f890f0cd9d54e8a3afc901d0d77b3cc9ba

SHA512
7fc11a0913fee6f0a29c5d42a55d89adf5ebaf3c08ce359809f8ca09a7bab3f35abf09cf3b87c51df5b7dce00f131c2fc889cb974ebf5160687fd382d963420f

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
36b4af1b73f76d64b45fad8c936e4684

SHA1
a8b69ab86016dcb4e59fca1cba1c590ac0810bb2

SHA256
27bd6464fce6b3dd5deecffb9966cb93865c6fa612b128b643ca28d6fc379903

SHA512
84d53e2f04d21097cb86a21e9d7d8b6b1b130096db43722d753a20ad6912beffe4c05ff989579fd83d42aa23b02d2795c7f55bc576f41a4464cf3918bb4c4743

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
93639f5ec6435bab142797333d625b68

SHA1
f1e8d9462ccde482a58fcdf0825ad2f234d84168

SHA256
003bb916b42cd772096ff0306a9ae0c724b6d41fd3a7f1f30508e651973068be

SHA512
e7ff808ada00309e48c2b5921ee0d0ce5a1c608889c34352e831633a9913879a236ef20a640949a470c652f96b8ab4a9765c45cd14fbb9da346e4c3af68748b3

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
4ed91b691fe4098b48734b23cf866bc6

SHA1
7b1ca23642b80e442c352a5d70bdbc87d87ea38b

SHA256
ad242b59a4df2d89e371b90b93db321b733abaa681924101edd14f72f185de15

SHA512
2161473912920d1d3252ff31826bf4cd13649ebf91d2436f1e87dce9d70a6b3d19648fbdba630810c1f89e1b5e6a32b0d60fb7d0428eba37f6773e418c5daed5

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
704b40a33e63942bc775a7f472fd06e5

SHA1
1e17b8d79c5ff43db043daf3e2290f2af37fbdf7

SHA256
e4a072e820727536656c0cfaee4ac3b2c34dae1f1417dcbbd4736c63bcd324d4

SHA512
9e4514baec91e422601914abfd11572acdbcd439d3d7055bf94f5825621d9856fd35c88fe403d27f7efeb48742d6f646154e477d56809690a232f84f5af7a4cd

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
44b51ed80e5b02870c7bcaec94e74ef3

SHA1
162d36f2e04f5d4d7dde7000d37d747eacd484f4

SHA256
4c7faf0945cdc4f9685fa3f61179438c255e6b66dba80713c7f6b761c6713781

SHA512
5a0f8a31a2eb85a0084318f6bd0ecc4616a16bcaf58d3621706142154ba448ef4945c76f0e6676e1e7948d763c041cae6ffd1e070983fee91868f0137a1b8a3d

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
b119ec8d2047b41f6bf8eb14688b033c

SHA1
6a343f89457d0c384731537b54c3b98b7acb8446

SHA256
b9dade84141d74520162f4bdc9cb2f2ec910d697e57530a53e52ce924d53f759

SHA512
0776973dbcd2b9a229c2654b20e468e856fe97d2a4f4e5aab96624f1a3473a15bc40a2521996b8bd4b526ba48ad573aebaa980b526f3275b8bc91f32354d2600

Download Submit
memory/920-240-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/920-315-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/920-246-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1004-252-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1004-341-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1004-261-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/1336-169-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1336-175-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/1336-238-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2004-114-0x0000000001AB0000-0x0000000001B10000-memory.dmp

Filesize
384KB

Download
memory/2004-116-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2004-125-0x0000000001AB0000-0x0000000001B10000-memory.dmp

Filesize
384KB

Download
memory/2004-130-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2004-131-0x0000000001AB0000-0x0000000001B10000-memory.dmp

Filesize
384KB

Download
memory/2084-224-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2084-163-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/2084-151-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2140-29-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2140-37-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2140-7-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2140-0-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2140-1-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2392-92-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2392-166-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2392-84-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2392-83-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2948-251-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2948-180-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2948-187-0x0000000000520000-0x0000000000586000-memory.dmp

Filesize
408KB

Download
memory/2976-20-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2976-18-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2976-110-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2976-35-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3220-133-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3220-45-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3220-46-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3220-62-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3248-278-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3248-286-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3248-204-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3248-212-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3536-225-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3536-232-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/3536-296-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3536-307-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/3620-72-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3620-73-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/3620-79-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/3620-93-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/3620-96-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4500-179-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4500-99-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4500-103-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4500-109-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4756-203-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4756-135-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4756-144-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4896-198-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4896-274-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4896-264-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4896-191-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5060-23-0x00000000020F0000-0x0000000002150000-memory.dmp

Filesize
384KB

Download
memory/5060-12-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/5060-11-0x00000000020F0000-0x0000000002150000-memory.dmp

Filesize
384KB

Download
memory/5060-101-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/5268-265-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5268-275-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/5268-356-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5380-294-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/5380-293-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5380-280-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5380-288-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/5536-297-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5536-310-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/5780-317-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5780-338-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/5976-351-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/5976-343-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/6080-359-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download