kinsing | 747317e840f3986cf7285c6c6fe4f9df7f0d953b04a0e3fe96631e1df4c50192

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25/01/2024, 16:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
Size

4.7MB
MD5

1c8bafc4ad3431c5526989fd5378d7ae
SHA1

800cc2727e98f500879063c478bdd1eee2d6aaf8
SHA256

747317e840f3986cf7285c6c6fe4f9df7f0d953b04a0e3fe96631e1df4c50192
SHA512

b2748c84f56d352f5e797b83b4e7fb1b576a2c50e93499220fe8462d7be09dcf29fa51f79e0794ec60673f60277fc4bd4b0437cbd234bffc920d98eced094a30
SSDEEP

49152:UiskYKH64vARJflh8zyZsSwE2bIgggkvpOXDVlmEE+Brvpihf41vJSYz8Xyx0/5:mH2bgg4KDVlBj1o3v+pFtFR

Score

10^/10

kinsing loader spyware stealer

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Executes dropped EXE 22 IoCs

pid	Process
5116	alg.exe
2052	DiagnosticsHub.StandardCollector.Service.exe
4584	fxssvc.exe
2944	elevation_service.exe
3132	elevation_service.exe
3772	maintenanceservice.exe
4920	msdtc.exe
876	OSE.EXE
2220	PerceptionSimulationService.exe
4544	perfhost.exe
4500	locator.exe
1128	SensorDataService.exe
2332	snmptrap.exe
3176	spectrum.exe
3808	ssh-agent.exe
2240	TieringEngineService.exe
5172	AgentService.exe
5316	vds.exe
5420	vssvc.exe
5664	wbengine.exe
5856	WmiApSrv.exe
6020	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e08b8f394d74bb6b.bin	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_85453\java.exe	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001e8ec29cab4fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d4556a9cab4fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f400f79cab4fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b86c3f9cab4fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133506737378895062"	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009231259cab4fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000081a63a9cab4fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b1c8bd9cab4fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000070093d9cab4fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000df750c9dab4fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004a7b909cab4fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
4028	chrome.exe
4028	chrome.exe
1964	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
1964	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
1964	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
1964	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
1964	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
1964	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
1964	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
1964	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
1964	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
1964	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
1964	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
1964	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
1964	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
1964	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
1964	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
1964	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
1964	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
1964	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
1964	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
1964	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
1964	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
1964	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
1964	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
1964	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
1964	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
1964	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
1964	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
1964	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
1964	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
1964	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
1964	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
1964	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
1964	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
1964	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
1964	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
5788	chrome.exe
5788	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3948	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
Token: SeAuditPrivilege	4584	fxssvc.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeRestorePrivilege	2240	TieringEngineService.exe
Token: SeManageVolumePrivilege	2240	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5172	AgentService.exe
Token: SeBackupPrivilege	5420	vssvc.exe
Token: SeRestorePrivilege	5420	vssvc.exe
Token: SeAuditPrivilege	5420	vssvc.exe
Token: SeBackupPrivilege	5664	wbengine.exe
Token: SeRestorePrivilege	5664	wbengine.exe
Token: SeSecurityPrivilege	5664	wbengine.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: 33	6020	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	6020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6020	SearchIndexer.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3948 wrote to memory of 1964	3948	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe	84
PID 3948 wrote to memory of 1964	3948	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe	84
PID 3948 wrote to memory of 4028	3948	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe	88
PID 3948 wrote to memory of 4028	3948	2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe	88
PID 4028 wrote to memory of 344	4028	chrome.exe	86
PID 4028 wrote to memory of 344	4028	chrome.exe	86
PID 4028 wrote to memory of 5088	4028	chrome.exe	92
PID 4028 wrote to memory of 5088	4028	chrome.exe	92
PID 4028 wrote to memory of 5088	4028	chrome.exe	92
PID 4028 wrote to memory of 5088	4028	chrome.exe	92
PID 4028 wrote to memory of 5088	4028	chrome.exe	92
PID 4028 wrote to memory of 5088	4028	chrome.exe	92
PID 4028 wrote to memory of 5088	4028	chrome.exe	92
PID 4028 wrote to memory of 5088	4028	chrome.exe	92
PID 4028 wrote to memory of 5088	4028	chrome.exe	92
PID 4028 wrote to memory of 5088	4028	chrome.exe	92
PID 4028 wrote to memory of 5088	4028	chrome.exe	92
PID 4028 wrote to memory of 5088	4028	chrome.exe	92
PID 4028 wrote to memory of 5088	4028	chrome.exe	92
PID 4028 wrote to memory of 5088	4028	chrome.exe	92
PID 4028 wrote to memory of 5088	4028	chrome.exe	92
PID 4028 wrote to memory of 5088	4028	chrome.exe	92
PID 4028 wrote to memory of 5088	4028	chrome.exe	92
PID 4028 wrote to memory of 5088	4028	chrome.exe	92
PID 4028 wrote to memory of 5088	4028	chrome.exe	92
PID 4028 wrote to memory of 5088	4028	chrome.exe	92
PID 4028 wrote to memory of 5088	4028	chrome.exe	92
PID 4028 wrote to memory of 5088	4028	chrome.exe	92
PID 4028 wrote to memory of 5088	4028	chrome.exe	92
PID 4028 wrote to memory of 5088	4028	chrome.exe	92
PID 4028 wrote to memory of 5088	4028	chrome.exe	92
PID 4028 wrote to memory of 5088	4028	chrome.exe	92
PID 4028 wrote to memory of 5088	4028	chrome.exe	92
PID 4028 wrote to memory of 5088	4028	chrome.exe	92
PID 4028 wrote to memory of 5088	4028	chrome.exe	92
PID 4028 wrote to memory of 5088	4028	chrome.exe	92
PID 4028 wrote to memory of 5088	4028	chrome.exe	92
PID 4028 wrote to memory of 5088	4028	chrome.exe	92
PID 4028 wrote to memory of 5088	4028	chrome.exe	92
PID 4028 wrote to memory of 5088	4028	chrome.exe	92
PID 4028 wrote to memory of 5088	4028	chrome.exe	92
PID 4028 wrote to memory of 5088	4028	chrome.exe	92
PID 4028 wrote to memory of 5088	4028	chrome.exe	92
PID 4028 wrote to memory of 5088	4028	chrome.exe	92
PID 4028 wrote to memory of 768	4028	chrome.exe	97
PID 4028 wrote to memory of 768	4028	chrome.exe	97
PID 4028 wrote to memory of 3448	4028	chrome.exe	96
PID 4028 wrote to memory of 3448	4028	chrome.exe	96
PID 4028 wrote to memory of 3448	4028	chrome.exe	96
PID 4028 wrote to memory of 3448	4028	chrome.exe	96
PID 4028 wrote to memory of 3448	4028	chrome.exe	96
PID 4028 wrote to memory of 3448	4028	chrome.exe	96
PID 4028 wrote to memory of 3448	4028	chrome.exe	96
PID 4028 wrote to memory of 3448	4028	chrome.exe	96
PID 4028 wrote to memory of 3448	4028	chrome.exe	96
PID 4028 wrote to memory of 3448	4028	chrome.exe	96
PID 4028 wrote to memory of 3448	4028	chrome.exe	96
PID 4028 wrote to memory of 3448	4028	chrome.exe	96
PID 4028 wrote to memory of 3448	4028	chrome.exe	96
PID 4028 wrote to memory of 3448	4028	chrome.exe	96
PID 4028 wrote to memory of 3448	4028	chrome.exe	96
PID 4028 wrote to memory of 3448	4028	chrome.exe	96
PID 4028 wrote to memory of 3448	4028	chrome.exe	96
PID 4028 wrote to memory of 3448	4028	chrome.exe	96

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3948
- C:\Users\Admin\AppData\Local\Temp\2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-01-25_1c8bafc4ad3431c5526989fd5378d7ae_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=121.0.6167.86 --initial-client-data=0x2cc,0x2d0,0x2dc,0x2d8,0x2e0,0x1403957f8,0x140395804,0x140395810
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4028
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1692 --field-trial-handle=1908,i,5613435044509199217,18403783174525817909,131072 /prefetch:2
    3⤵
    PID:5088
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2576 --field-trial-handle=1908,i,5613435044509199217,18403783174525817909,131072 /prefetch:1
    3⤵
    PID:4316
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2568 --field-trial-handle=1908,i,5613435044509199217,18403783174525817909,131072 /prefetch:1
    3⤵
    PID:2848
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2044 --field-trial-handle=1908,i,5613435044509199217,18403783174525817909,131072 /prefetch:8
    3⤵
    PID:3448
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1980 --field-trial-handle=1908,i,5613435044509199217,18403783174525817909,131072 /prefetch:8
    3⤵
    PID:768
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4612 --field-trial-handle=1908,i,5613435044509199217,18403783174525817909,131072 /prefetch:1
    3⤵
    PID:4660
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4844 --field-trial-handle=1908,i,5613435044509199217,18403783174525817909,131072 /prefetch:8
    3⤵
    PID:4048
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4952 --field-trial-handle=1908,i,5613435044509199217,18403783174525817909,131072 /prefetch:8
    3⤵
    PID:4076
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5148 --field-trial-handle=1908,i,5613435044509199217,18403783174525817909,131072 /prefetch:8
    3⤵
    PID:4160
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 --field-trial-handle=1908,i,5613435044509199217,18403783174525817909,131072 /prefetch:8
    3⤵
    PID:4080
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5392 --field-trial-handle=1908,i,5613435044509199217,18403783174525817909,131072 /prefetch:8
    3⤵
    PID:5740
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:5288
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4060 --field-trial-handle=1908,i,5613435044509199217,18403783174525817909,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5788

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:5116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff80a479758,0x7ff80a479768,0x7ff80a479778
1⤵
PID:344

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2052

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4784

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4584

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3132

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2944

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4920

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:876

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2220

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3772

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4544

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3808

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2828

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5420

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff6ef827688,0x7ff6ef827698,0x7ff6ef8276a8
1⤵
PID:5464

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff6ef827688,0x7ff6ef827698,0x7ff6ef8276a8
1⤵
PID:5564

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5856

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:6020
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5376
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2304

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5664

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
1⤵
PID:5524

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5316

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5172

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3176

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2332

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1128

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
113KB

MD5
b6689f3007efc55574fcc7ffe0da862d

SHA1
60ddff868a2744003f17c708ed32cc2c934ba1fe

SHA256
ef25792a46fb2807bf19aea067ef6095cab5806a22be62d6f01c73222c6d4353

SHA512
3809768d74a997acd2a2555f8fb25291bce7e987d01df34c8a3cdc2d42ef1c59271f6b0739318c65d38d0ec172edb70828d2d6ec46c0e869f55cb1e8a038d20f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
95KB

MD5
5171e38f6d726f2a2005b0b25f264497

SHA1
34154b2bbd441b7d4096267003a62d71f7643836

SHA256
4968c40ceaeeca5d4d9e26d1d5aa04296063aff2c3cf53da724b655370ad7119

SHA512
c0568f706de3f33bc68a125bcaadef368edf65205a2aad4f37deb5b08273243f4d2fa2034fa4b520d49fcdfd5dc71f3a405cbaa6ba2f1b650757b2fc1d1cbc30

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
100KB

MD5
0606f25934c03eb1052be3b4acb19e74

SHA1
5440ea081d9436d6b5aa441aa184499d5c227091

SHA256
cb3d1f53b79fe40a067332f945b2bdabffbcc53ebb894b07fc7a8b4c0aa760f7

SHA512
9f2ffb69d8999c98af495ac54b77b3c3c20b4e0219720afb7faa81dfc7dd2ad4dbc3e6a6216147a268feb9640719f623913a03c9e7236b86713ce0e514cdf073

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
196KB

MD5
f2287fe4b3d5e20cb702269c66b3cbfa

SHA1
114f9ef2f3713d0ddd8658c438c27ee932594c5c

SHA256
d12106e15fb880f4ed2f222a265609ccaafdcc54d67f5e697288cccd3246df0c

SHA512
c1eece2ecf6e6519c5afbc9e00e56fa4774838908d52d3d70a0cadf6a498cedffce6569aeb0a0d7a5c4b9714b83f3ed822cc4734d09ec3ccb403efd73dcd8cc9

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
383KB

MD5
018c57eedc076cd7defcb5bc172346f3

SHA1
5c67a1a8cb94a4e7733b7274a937d0509016cc0f

SHA256
0f7fd9f7d1bc28c1121d48afd8887eb4d1a6c8244aabeeac00f89e18af3c8f54

SHA512
b689906f63730763e1751c5e1583c54ff7d5b565426d4eafa662f5fe0cb1f85c6087b053be4c54f173951048363b7ab0bbfa0c7580b2a8e2350535eeb5e5da18

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
123KB

MD5
e02698a8981af860dd527d877587b911

SHA1
c73aee124dc499c5b28e4ddd63755d8ada6ea587

SHA256
b6c1a7164844663af2f29b1de790d83ae568cdae8730e8394e6b1a437d93612e

SHA512
f87b708fdf48dc409cdaf609c4b33b0b22eead0dcb79e6ace6c03d04250f9721bb85308b1fd5e9f3f385d54708ece7b41d49e39dc365825191945970510f8b70

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
276KB

MD5
a8ea52490e566a03d2a6201575e50eb2

SHA1
9e9d83ea416c5a1479b2661e590918ab866a6a3a

SHA256
9145fe7d9a40cb78c4343764ef2373f6d88be56aeda45aa24bbcd447b37a1e9b

SHA512
cb171774c1e1af04b226358a41a48f7402315a67573e9eb769a8b4fcb42857bf2e8306bb3cb608fc9c6af4be96788fa0cb8b4e89f1acd18b085fe4e0ccf09dfd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
166KB

MD5
b28ae19ce66007feababc25ecaa987c3

SHA1
b2b29a5481b672dfaf36b924a68fdcfca85a8350

SHA256
8c0f8e3d7944f73dba8eaebb9b56a25acdf7dfa453608db366f1f97987d0ed59

SHA512
3dab2df0bf279d57eaed7167afd81fdc4dd50abdc7c6e3d52630f3f6751f8d5815748488d92c25335265658f5e3f36cdb196f46a0ef3173abb245df8d9c7f29b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
129KB

MD5
b18c8b64178642219189d4b6ccef6080

SHA1
be3ca378340204dba5403bdf252bf3746603edbb

SHA256
ddc2501d37f4b6e96f1c038191b635b4987ec08370e2c0e366507486195e0fa4

SHA512
b8c40f97888af6fa6136983d7337d8791bd81e202f554390ea689240974bffcb93ef6fa93308e4bc24f45366f687ed3ef2c6d0f84ad982a5973de68df286f6e0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
182KB

MD5
fbdf25d2dbc031ad569f251cc0e7656a

SHA1
5cc3ae44495df97f94d9640c62f7ec31260414a4

SHA256
81151ac92462f5144a57a4185127025aef03275e41bb31f2081afc3b58419bae

SHA512
0ede2da37a701b6771354e44d24c4751e58aaded68654385d3ee41f5fa9bbecb4804293732dca3903fb6af39b7e0ca2c17c956949b81be4dac34f4e2ce46fe09

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
530KB

MD5
1262009b1183b922723f1c23901f4dfe

SHA1
90e3c8a36679722700c39c71c14445ac48e4f420

SHA256
84187199bf9e4993eba5577523f5a6d80e1930ea9ac2b691cdd73c16ee149ceb

SHA512
0d89b5559ea1c3f2e875d81cfb0845d5ec71a7f5e2f9f0332c5e9dd36aa74c1051e2685d3596d467f543bef4c0fc4caf66d3a363c09504da680d7851ae6fc015

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
247KB

MD5
fc424dbfbf6eb84ee1e3d401293c4ca4

SHA1
66a669d080abbd6840eae6ed8adba2e71ca1c0e1

SHA256
fe25ffa6cafcf5a00cd627968b319bd9040386b7d85b61f7946d87760b06f69f

SHA512
769250d67dba8cbd3d6a98acf1ec5bf3733f3b1d616860aadf390fd8ea26dc269606fdf18352edad24e7eaea7abc0884bc9bbf202e3222fe44f03ffe12edc49a

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
114KB

MD5
0f985c83efca40cdd534b3615b8460ee

SHA1
cfa3e9a277d3a1d2e992ebbd0980a150e36e551c

SHA256
2bee55ed136ad394a466907368652636bc28f4de27113047d7ab4f9736aef928

SHA512
bdebef9b978b5aae01643f07997425cc685035ec52f3a51bdbdf9901cbdefd70189689c793a89b135113a5057254fe4387e2bd275afcc17cffba60b726bb970e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
167KB

MD5
5ef6987e720ea9910aa2bd4bb6bd903c

SHA1
27616265347f5a76d3100e45d8e511c06922fa39

SHA256
38f30a369b5846655635469070fb00ee57134c7744a540b95e67bd796dab6662

SHA512
ead35435ab9ac5da20e5e556ff278cfe5c63d34d2ce29d89a7611dba1f7df07e8e327a07a0f7fb70fb7d6f2e490edf32183e7923b2f54f8360a5af9940c84621

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
64KB

MD5
241c8d9af4ed64ee0d7030c94bdd3514

SHA1
1cec18edc1253f649de848a366d59ca4bdafe44b

SHA256
aaed8f454d7430827cfd7e961a11648bf1555f39e0796a3b4f286f1f09627f0a

SHA512
6d0698bca5edcd2b9da30c3b6a9f79a18942791b3f6a6fa877bacb596f8be56c829ab680c7109883dfe777a8983dc7814ea6133346aff88c0c7a9904f21cc02e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
149KB

MD5
c6e0befa5d8731a4d768d85a80e56c34

SHA1
ca22123bdda31e9833bebb1cc35a06a88417f55a

SHA256
c8883f939ede2e75df0b4bfeb315318078faf22f9d984068b43177199cbfb407

SHA512
7355235b0bd82df0301887b1b45c9b6746943a23baef9855c532e02b6a513753a2102b8077d6de53ff8a46844bcd3cf29e29e320dcd6a245f920284bac46eb52

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
322KB

MD5
6a535cdf791e1e878c803393c4c1a90b

SHA1
b2cefa1837571e086d77077dae046d11067abf11

SHA256
6d9e27ca3a3ec75d146c20e4627a53bf0868d420d63453c1eb8505772b56ece7

SHA512
5af78ef5c3db36881afc343169f37910b3354ab974d57ed6606a7e00f77fc47731ec908e0d625ee8511d5e14eca2a5081267b18915b48101bb7a7b4223e76625

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
159KB

MD5
de47f8789afe3b6c59984cbb4a59d843

SHA1
53dcf2cc32904d55a839db837bfdff2c00de9c44

SHA256
ff08fb9a3f21991fb8411d645d7cf3f524a94d0616540498620e8ca9bedf1971

SHA512
5c51fd09b39fa2f4d90378ead6c1c2afb81d6923bf7b9e0ff0469b77fa0a31c2e15ac697e3de4255ce80399e2aec5f3b54f571d591d701e68d07e14420f29856

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\f3384c77-f879-4b23-a7e6-52f0197b50f4.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
149KB

MD5
7b47e828036e798b76b2d20ec22e3de9

SHA1
07a3f10d98bb11757aba0b43ced1c8e9cf977e83

SHA256
ad9f1a7c3ba01372ff2d09e92b47949b2309b57afdcffb880dc00bf8fb01724c

SHA512
f15b37be7108df2a7d68338c07f0716197515ca3561c6c1cea14920b9d18e44dee377652f0a348c88be68253d06a620cc7321f38cb15c5fa5d954c38e80c8097

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
93KB

MD5
6b4a209bf18985b9c8931bbfb5231d21

SHA1
77f3d73ce9dd1a161e4d44a93d589e38ff0abf33

SHA256
18575e56908d94c2c23c3aadeed61762e13dc0a52faed8481b1da508508002c8

SHA512
8eabd66717a4832973f6e2448eb58e9ecf43e068fde30c1777da6793da5ec14e093455a6e52459df3983fcb04ce80a24098abb7a8aae422f620d9a8a0b3f3986

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
bb2cdf82802bf69b297c9fae3fa48e85

SHA1
f26dbf7984929197238377b2b3e37f974447448d

SHA256
29998264d3f24068d6705e32cb6306f042797a0025aaebda57b3c581a49be0c7

SHA512
00535865805747cb5fe10f4f67872b52e94fd0ce51937f94a7662254027919b13df4af538557116cd4a8002afbeb295c601a79d5e64c8d2d2de9cf377eba1db7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
77KB

MD5
9e09550c722377e5dce9b0697312c8ae

SHA1
d24e186d025885c6af6317789647514c648fe90c

SHA256
d176aac9d56f8b01e147461fd0c6c1f05f294f11cd78082885a2c8f646473931

SHA512
0f800b11a4b670d9fa8e3195629ed01fe91c6b415f72f232a77e7f55d68be1d4602e06b9298d70ed84ba57342286f7fabbc2820f8c8ee28679464f0299bdbf8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
2ecd1845c726f51b8e1a73014158fea7

SHA1
dee4ca6d075ac48f4cf0ef9583758465221254dc

SHA256
1c1cb91abf4fbaf05fa97f23209d62535e94cb6d8192a4116b654bea6f09bd3b

SHA512
a6e6c50d10e54624f2e4d39a826b32261e097f44fd3a9caf43caf4dbba4ee091e5345220696216ff931f79ee73464835b8a8c6f7226df8b4441bfc5f478fa0bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
60e896ce4c9998fe74a99714a463d6df

SHA1
351933620e81ef5d19687dc4ac4132b684a9d8d1

SHA256
f9ef78678629b09ee76bd0f76f3f020307f8abb71970c3ade2f901b25b9eaeef

SHA512
3057f45ead583f94b1fdb75de3d30611cbe8f3d5d0361a06316553cd14793f92aaf8e8b3a6fabf08dc754cde7cfe1caefc82bf47c4f513d39137553980ca383f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
e8d7faa205144dab3b8e76212eb99b12

SHA1
734c97883eadc5d8a4403f30bb7eb65e63bba51e

SHA256
bc801e24f2c175ddf03b14982a1fc5d7654551323f0ca3212abea3aa9c28338d

SHA512
bec0ee374206be7a7ab3b69e3348b610f223f2dba119c5223494a8dd7de4113db796f114ff7afce0519e6583f81292bd6cc72e2b29558641e2c98458a85fbfc4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
05202845ba75f691d57c1df3fa38722f

SHA1
f480202e3e95050fac3b84051bd498091c543128

SHA256
e48e925d8faef6999b88ba8d38ad9ad1aa75fbb3ef78cca5ccd4fc072f3362f7

SHA512
3c3f9f79b1f6d1e7cdf3057ba86d671519055fcf61e4b9de3a4da287e763a9860da8b8af28e648ff37c6776154677ffeac5e7672d629b31e252d1dfca62c3012

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
cb02290566f1a789bfebe3142e41fe07

SHA1
fa4a68a8dafcdeb247027306c7e6d8cea6b9aca9

SHA256
a5e1bfccd0dd972b5871f6cd1fb9cd2bc1e6b108e469cad73189dd8acf1a79a2

SHA512
b83537c0f0bae3819845ad950f7abc9836a16e7ff18b9ef64678a1136133cedd8e7f257e09bbf55374e2b4fe2ff3508d038597541b9b41a371c8c07b39308598

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe577177.TMP

Filesize
2KB

MD5
290e9802629398a9ba56cfb50ca5f135

SHA1
3baf9a4863eb4a435da55f93e82a8ebe7a9f0106

SHA256
bd3b2b7f2fb53d7f94ee52219c2d5bce2b8fc511ca64df36236ca30e77e74f2d

SHA512
4eb9a305aeea0b1bf7659dd87c24d251cd182b456b18b776f3f6686fec05586cc648614b8d9090685b7d023d61dfba1cd733d357e1b3962e6be9789b879f7772

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
5482f541d902e9bec22261bafd717604

SHA1
c35137cd94dd8b0b8c8476322c59375b106217cb

SHA256
4bd7f35e7c52c45175a2a7f2d8acbb1d0670125d9f0501c6fc97a45a52d121fb

SHA512
7c088d1d087bb40583ce738ebb34b52e973acdcaee13ef25a5b1035e2cc9009a9c3c7b4d8c93315ee71ebf9baf81584d360ab1f894d5bd1e3e80c5ea26ab5f50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
186KB

MD5
7e0add282bf41ea2f48fff002a286fd2

SHA1
347173e1cd809feb08978b86ed5442c94bcb8cf8

SHA256
c528139c66bddeb594524086c3ce79aee180f920360fdf03c6d36ec17be0dfe9

SHA512
18e715b6edf5ec874dbacb6a23a3e7a51129eaafbe404d74876b2e393a9c4685598cf5e45e887095a67edb64edc8a8c9d5f762df98df11c872b2127595c92017

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
c74fd29e9d49df3484bd120de78acbb3

SHA1
e93a170bb8cb3708b70cbca108a0fdf5c20e1fda

SHA256
a00649ef1d1057dd3b7432045ac66960f072727409ca1efe5024727d22001f29

SHA512
c969201225adfd566bafa7cd4e02c61b5cfa7756e5bd2f33a55d55ac045867764212d6f8c82915e80acf6479aff017e8b2e1e81da861342a58832d34271a8969

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
2951b1174af2cfac98fdd8ed07338589

SHA1
166d589b9e263545186388a75de6215392cf14ef

SHA256
6d9367ef194792c3a3c67d48f5b7f92047502d271b62aa309ca04a8bd96aa793

SHA512
b56debd3927c6c1944be99dd66f9c7c2ae8259ac851a0d6c359424c5d914849196ec129fccc3a3f3c68f81171d143c7aec983000d79a285b775868f2436926b6

Download Submit
C:\Users\Admin\AppData\Roaming\e08b8f394d74bb6b.bin

Filesize
12KB

MD5
f199fec270567b8e121e89dd1a3d5acc

SHA1
52dcf7565e79f0f66ef58f0ee0f3198b9b806e49

SHA256
b526c12098b5496a229746ae2cb6e0e320fdd94cd253e69f408f628866059e5d

SHA512
8ebb9bd655a87ddc610ed37dc9fdb943e14466685c60f697db1b8835856cc7be15314501882df763aba83c2ce88b9367015853969d020fae72072d011f919867

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
381KB

MD5
71ea0bc09cd6062b9d99a6b1fced3d1c

SHA1
5feb59054221d6afa9b64b7194c2437b0015c670

SHA256
6c635e6bd3c68cb7a2475d3eab168987a69c77d758ffce0b74701572a5318aee

SHA512
f4730d94d910b4f64e6d77f64fd6ac24801720112b23ef7265c768f84024908fb738a0e35e70d99715ea4a90232919a35341c9c00c229c59b80afb3292d7d078

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
35KB

MD5
2209555e986cbbd6b11ef5c78329f47f

SHA1
008a9d81d1a570f798cf3bd3bb49a52e04b81b84

SHA256
67ef58933ae580f96ae6fbabc668b3d2649ad9899b4841b7b40a0ac959d6d3db

SHA512
8d7a0c484d80d2175a6e9b7e146c9a693e42e829b3b89eb04e5e9eb2d7a3c55459d1912f140b15ffe25cf9ef85d5c8bf9445e356a815c7887b577b4a97b21fac

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
189KB

MD5
b0b7bc2ec9161b72619ac472ae6c6174

SHA1
e0a4394bba8ea43b08cba426947e7878e1588f5e

SHA256
fb99ba8bc4e6566eed806460d59048a618bb29b0270881e2a2ed16533a364f3d

SHA512
bfa7cbefe28c347bc4b01322b2388496389f95f9a9295429ad996079c2b54a389c640723f08c4aa5cfd182cb62cd0e2c21383f5ce2fd41c19df33f8a14912b07

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
221KB

MD5
d0dca433ed3e2c91ab53c94142dfd6b1

SHA1
d78a2f03e97ef1e59b1df517d12870d9d23ec494

SHA256
2726e108743aa928d6a76d7ce9b01da94ac6c1640c0e33c2293d65e69e726a3a

SHA512
01a12aeb0004c072541765a50aa900d3d3d1982e69167c8c73344a66bf39898f04f3eabc120fed1685337d634642153a9a650e95ad8d983c5529455c7653268f

Download Submit
C:\Windows\System32\Locator.exe

Filesize
300KB

MD5
d7111b0c6cd573decfcb59693441adab

SHA1
48aaf9303150ba23af834b5c35fded7118137e36

SHA256
01988c43d7686c6022af86145239df59180e97ee14dc3de076cb876cdb44d4d2

SHA512
6b7b82ebf633416b8eff9268904948584b3056de22c928feb6db2cc73e8d8bddb0b27340aa28f77731fe1ff68d0fd40f8f73f9dcc27284b6efdee44b4adb1a39

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
191KB

MD5
e23b8d064fe66bdb8c02e188dde09082

SHA1
e7dc567342896f655c59883b67a7e0a4acb5670c

SHA256
93c3a8424b77647937a123671d450a1031e996d81c4c0e4436905ed22d31b913

SHA512
3db3cba05a9d5dccfb10cde02b1bec9fc7bed5a85241ea85eaacdf4faf61312bd4c03c2968fc002f0c636aeb10bd415a72565fd1b6bfe4b2f670d82ac4ef9df0

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
150KB

MD5
249c75e506c34622208533160c874ec9

SHA1
d15daab64473ba90b023ebe41f9754277d68edfa

SHA256
34088e5eb307e5318635205d0c55438f2a03485328b41cf1c3ccd5216dc7b72f

SHA512
cb94d3ee3e0a8dc9306a228cadc36003dee0f2de3c4c43ac9ee6d4625827afdab718ba062c8897511ac78fe474cd4a33f90d83f4710e8b147d3de6c6a88ad42f

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
43KB

MD5
62228c49bf8265cd105c51b80a5f572c

SHA1
0edf92662e79417de73a7da20acf9ab9ca9651a5

SHA256
958755e6a232492ba946b150e6d09ade7d8b8c3769147829698f9b3942fbf16b

SHA512
e99496c8fd9ad5ef6461b12c1e258682dd857e45cf411458e6b14cf951c0fde79a22167818da5e80aeecda7334b02be04637b276ba49280ddade6bac19f4fe16

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1KB

MD5
bcfd03fb5b81580cb0a83cc65c928767

SHA1
ad524e5d00e1a00f7a904e01783cc80a4d7799c7

SHA256
dd530edb23423cb7f75f8b7d2951546da09413108939d5e15d7b1dee63710bbe

SHA512
4ba687c03a9ae22c22440dbf2ab54e67c7a0827527663970f4f39e3f457a9a9ee7d56d6ddec89ab17942221a967f0e74807fbfa6871efa313e880096a580555d

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
92KB

MD5
a15ddeebae0512a8dfb3f2dfeabd86df

SHA1
a206f7e0ace290f0ba48a67a82964a88e2a14039

SHA256
d1cc410d0d23f927b695e372c0a1d8407412acc964038d4673f72c2eb8e61ef0

SHA512
2cb8475fceacb3dd23cee0c2a26f9ff572a96bb871582da15a785b7f4ad72b2dcfecb1fe73d611954c24958d83b4974635b63e890d48dca84688c7a9ad68da3e

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
231KB

MD5
310c2f5d6ab6df4bca3e36f9383f8a4b

SHA1
9a1654ec54a6a55ab2d57c7377b6fea9d9d44040

SHA256
ab59bd4a92ca83559919aa8de49c7606e50d75fc0f11c5852719fbceda596888

SHA512
2777ab9f7d9870ebc65ac92007291c23d513313ceb95108c8ec15946a2d18b1437fe1e7bfdc67390e51cf0f8ee1716ed77cfb3a2b4fae24ae39ac8cdff40f6bc

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
61KB

MD5
9f9eafa438109aa18a36e2af2b282fc2

SHA1
8eca496a9b0ebdcb8abfaa79f11c6387bbc3dc8d

SHA256
5965be053869130dcddcb7be04d736d8be1e800d23fbf5f4fd895407b684a92a

SHA512
7c02e0ba6d703276b5ac291ef1b0f46058949955677fbf305e5809d7ab2da7e63df5aa7969340fc2fc8af89e4c7e322df69977e61f8c8ab05a506f36db6b2300

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
57KB

MD5
f0bf2eeb192436ca79f6b608726c8ed9

SHA1
c38b985df31ba0b66fee2577a4238b5e0c063403

SHA256
3831722645e7bb2e87e194e6ab45045e13e3599622551b5a5275b64a39bea849

SHA512
c54583068b301aad869421e8b5a32f768f59689b72be0abc1316d920db3e9d3ad6e9b8a0373c3df7d2beea3964b46fb01e8e56d261cb2fdfd260c2099a3bb8eb

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
149KB

MD5
2581fc72ca4b7714bd375289a963a3c3

SHA1
757ad722e1a511376947446e9edaf0c13e903ec8

SHA256
c53bc77cc31a4c66faecccaf0791dcf7ac81f9f0356f1c0d23547429dbb44761

SHA512
5fe4063c23f39def31323d48c52022cb46429fe692061710cae83c1b5e64aca77c52c7999265db28e26d3406f1d21dfbd4a07c2a6cd59cffc191ad4c60fcccba

Download Submit
C:\Windows\System32\alg.exe

Filesize
464KB

MD5
1f2df53fe3ef6104f61f04dba95cc35f

SHA1
8108758d03e483aa8f6480a79e31e61989831c9b

SHA256
3fc573c818288f8cfec128231dcbcd7e5fc2f5345e1d4dfe5d7a7a56a6888ea0

SHA512
b6fb14a10d2e17d16a245ced07df8e2d8fc8d1aa8c3cf19806aa7e1513b25bc19e9b672cab1c2a05ab4272140cb046c534f3880847ccb813bb5a751180a32411

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
110KB

MD5
43f893e8ed362c62da908100fca44c8f

SHA1
324da4f64ddf2265e0b92552b2a97949243ad779

SHA256
bd91d993944fe5f2978686177ced316754860544e8c72cedca96712f2f654f74

SHA512
736fc63411d9e60622ff696552c91544f8878e0cfd3cd728b5fa2946f438e1980f98926cf23d136c69663170700664e08266a4acec3d47802b9a56c28faf1c30

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
67KB

MD5
b704dd594417240f8f198f13cf287d99

SHA1
25a7e2f9675b4cf765f892a99b8c4de4a7c5e995

SHA256
051d9cdd7c5c41894fb0fd1bf5379693920f7626a68398b0dda2aeea1719bb19

SHA512
08fdc4858e598c749196788ba0298287c059099d65c736fb984f8caccf30ccb9029d5ceff27ac103450323f1349a9b9ccf2a393357e4bb4cefd5be5552f58bdc

Download Submit
C:\Windows\System32\vds.exe

Filesize
117KB

MD5
6923acd95928e19b561ecb22a1dd4664

SHA1
41ed295eff2d7301990a2bb7539de617ebcb718d

SHA256
af385227d5a5ffb3e0ea5e7dc30ca084bdc8bf8e597190edc66f1c9dc416b25d

SHA512
786e518f16e581b247213c8668c3957862d3c705314bb3da8c50251b89eac44c48a91f58a100d7a4571f934c8740358c5d13417ae30f89d4f7f0f1e15e73e4ca

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
109KB

MD5
592a3baaedce0f66d6d960783017cf96

SHA1
a978649024e3e1281a210a90d25d0b7f267236f6

SHA256
71edbb87c13c0dd8aa9889413743d15ac3a0f45c81c929582bbc2f2994442cb7

SHA512
dc53f025dac9d89f90b1371c4eb03bbc13a3575ced63f42d8f83f54d265a02b484d36f9b30bdb7b7a0e30a035190eb20710ce7685067021b228f05b364e324cb

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
6KB

MD5
fc6fb323aeb280dfb21361ddbea2e63a

SHA1
54cb5b4f83c7dd24642d1764f611ee3b13601e7a

SHA256
2359b5df5f750bb9eb553bc244731f5c840f4d70c9b6853797ff618179a441dd

SHA512
384ddf9d7702ee48ed1fc61dda6e1a41a5c05ae3b9f08a72e1e82559d84bffe1e689748c46d82233e96a85bb9fb00388758d9d6b3e4040ccb6d7510df32b1060

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
4c673548cddb6b082f48537ce42f0278

SHA1
7077489247ee9e8640de79562dcd484db9f950e5

SHA256
2727141051205cc7df3e821fbc031eda6187e568a3507ee24d00062678d9d666

SHA512
6ccabdb781dc8ea917193221ee4a0b8b03f573eb0055470e68a5eba793e5a501a48ea3b0044780160ebd922b13159a23ea8f9c07d8956d612216291573bfdbb4

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
89KB

MD5
ca4c114cc1dca6140a384dd07e3645c0

SHA1
8a75b7268354085b887c66048e3334ad0bb3916a

SHA256
7c93cca3a16fa1ab5c8c660ae989d8b0e8a0eac5df61cc81684c1753af02ad00

SHA512
e21b82681a993b0fb762cf64a92330fd9d354a59e8c6f8fadd7c021df3fba1e5e813c3ff76036bd8baf98d56a2d72c27bbcc3207dd30ec4deb7857deebc0c49c

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
763KB

MD5
524d823bf951004d23b5f0794d051cb9

SHA1
2d74af4a1b8a47d542000239e31ab6d0b53b9589

SHA256
b4e57a93711d90a7593df90e75cf8c092634f66daa6c571864890d46b96e7ed6

SHA512
1e289cc73c68e11738c91fd30890a71ce6262cb32c64e4124f7227c4dafcbb1f869780797dddda8ef81292ac6f46ce6415c5d7fe22ead77bae82ab9129813132

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
127KB

MD5
a70b19106410202b90741a10b7a00f02

SHA1
07237654d83262f750a4f9914036da6967de1472

SHA256
974bc50982f8d9d0119b8f3c639ad24f9688134ccd7b83eacfe2db5672a5ba55

SHA512
c37a5c3411be7f7ed55043be9d52a744aa392259cd573e459fa2ee47f93203617cc9b93f7d9915133c01988386b54636617fb2ee50e8173b683bc3c52c4a7dc3

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
670KB

MD5
f8a99019da2d025b1ffaa73892c26401

SHA1
ca2df0a3c4347cce24a24be6c3ec8bd26dbe24d0

SHA256
4668f4a32e32c670454d9f0e3e62032d80bddeffaeca5670f897ae6b7d0ce4ff

SHA512
9f53546b8dab5a578fb62bb93adabc7c7ff29b3945089e0b67b637dcfa50555bfd1af5e28659d3ef13c133962df81ccfeaf3477340c0bdd02cf9abd3a04956d4

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
145KB

MD5
a5020724541671f5d2f387b9edc49c26

SHA1
394c5bad4b055a7967e54cfe3420938b5377f627

SHA256
c7a6824cbd4da348be2c351f53db2a6f04a112920ee233d0123907053b1f04a1

SHA512
06f5a8204d2214fc5b7d3801cef23713b6eb012d0bda79994768863ab3cf1124ae75c2daab4ce99d2a3a8c3a6255f5cbc82c92907e579e0f55e64fc3cd6a36a9

Download Submit
C:\odt\office2016setup.exe

Filesize
286KB

MD5
af87586417e004e914850069bd09a15c

SHA1
bc945265a67ac69fa68df8edaa5fbf443ce5818f

SHA256
6c7f99cecf484ca053ffd687392c61776277ebd6d0bd5d9346a5d421f4b16cb6

SHA512
5c281c407a6849ce643b16e2f5e09977a1f87e5d656c7bcf03ad8a4260e90760928b67290d078544a0d59e679465aaba6647667db5c9a8e557103c5d13adebc5

Download Submit
memory/876-225-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/876-149-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/876-221-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/876-156-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/1128-207-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/1128-198-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1128-267-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1964-12-0x0000000140000000-0x00000001404C8000-memory.dmp

Filesize
4.8MB

Download
memory/1964-11-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1964-18-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1964-105-0x0000000140000000-0x00000001404C8000-memory.dmp

Filesize
4.8MB

Download
memory/2052-44-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2052-43-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2052-50-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2052-132-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2220-170-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/2220-239-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/2220-234-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2220-163-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2240-254-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2240-262-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/2240-346-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2332-222-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2332-212-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2332-290-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2944-110-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2944-78-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/2944-107-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/2944-69-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2944-68-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/3132-89-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3132-104-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3132-85-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3132-181-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3176-226-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3176-303-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3176-235-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/3772-128-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3772-114-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3772-113-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3772-127-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3772-122-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3808-250-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download
memory/3808-240-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3808-321-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3948-0-0x00000000020F0000-0x0000000002150000-memory.dmp

Filesize
384KB

Download
memory/3948-7-0x00000000020F0000-0x0000000002150000-memory.dmp

Filesize
384KB

Download
memory/3948-36-0x0000000140000000-0x00000001404C8000-memory.dmp

Filesize
4.8MB

Download
memory/3948-2-0x0000000140000000-0x00000001404C8000-memory.dmp

Filesize
4.8MB

Download
memory/4500-194-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/4500-187-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4500-253-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4544-248-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4544-182-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4584-56-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/4584-55-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4584-75-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4584-71-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/4584-64-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/4920-133-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4920-206-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4920-142-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/5116-112-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/5116-22-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/5116-21-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/5116-32-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/5172-270-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5172-288-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5172-280-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/5316-291-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5316-300-0x0000000000B80000-0x0000000000BE0000-memory.dmp

Filesize
384KB

Download
memory/5316-565-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5420-316-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/5420-304-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5664-334-0x0000000000B60000-0x0000000000BC0000-memory.dmp

Filesize
384KB

Download
memory/5664-323-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5856-348-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5856-356-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/6020-364-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/6020-369-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download