efd63bd5d4f07ff1b5a3365e1bfd80c50474400045af4542bb79c92c0a126e52

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 06:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
Size

5.5MB
MD5

46f07cb8a9094d6eda7e0d05e3693376
SHA1

2ef5ac1978a6219d4e1db318a8b2617687feffa7
SHA256

efd63bd5d4f07ff1b5a3365e1bfd80c50474400045af4542bb79c92c0a126e52
SHA512

2b1523cc2b36013be7224d395e7522c7460f4acd4976419be51a16e6876a985aaf61047de8f122346a90a80bc6d26c479eda869048de143173092327399e95c5
SSDEEP

49152:7EFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1bn9tJEUxDG0BYYrLA50IHLGfU:nAI5pAdV9n9tbnR1VgBVmzk4u

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1720	alg.exe
3932	DiagnosticsHub.StandardCollector.Service.exe
1092	fxssvc.exe
3608	elevation_service.exe
4364	elevation_service.exe
1284	maintenanceservice.exe
4976	msdtc.exe
624	OSE.EXE
4896	PerceptionSimulationService.exe
4652	perfhost.exe
4780	locator.exe
5232	SensorDataService.exe
5540	snmptrap.exe
5640	spectrum.exe
5804	ssh-agent.exe
5940	TieringEngineService.exe
3244	AgentService.exe
5384	vds.exe
5632	vssvc.exe
1488	wbengine.exe
6016	WmiApSrv.exe
640	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\3f43abc920d6ff11.bin	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{E7B25CDF-D5BE-40B8-AEA6-B262657E7907}\chrome_installer.exe	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_125265\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f8eec1a0c679da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000afad3f9fc679da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e071829fc679da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fa002f9fc679da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000054938ca1c679da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cc9d3aa2c679da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005688df9fc679da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c7796ea0c679da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007041dba1c679da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f9500da2c679da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133553032734293130"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
4060	chrome.exe
4060	chrome.exe
3196	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
3196	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
3196	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
3196	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
3196	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
3196	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
3196	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
3196	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
3196	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
3196	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
3196	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
3196	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
3196	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
3196	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
3196	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
3196	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
3196	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
3196	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
3196	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
3196	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
3196	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
3196	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
3196	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
3196	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
3196	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
3196	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
3196	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
3196	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
3196	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
3196	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
3196	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
3196	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
3196	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
3196	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
3196	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
972	chrome.exe
972	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	5000	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
Token: SeAuditPrivilege	1092	fxssvc.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeRestorePrivilege	5940	TieringEngineService.exe
Token: SeManageVolumePrivilege	5940	TieringEngineService.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeAssignPrimaryTokenPrivilege	3244	AgentService.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeBackupPrivilege	5632	vssvc.exe
Token: SeRestorePrivilege	5632	vssvc.exe
Token: SeAuditPrivilege	5632	vssvc.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeBackupPrivilege	1488	wbengine.exe
Token: SeRestorePrivilege	1488	wbengine.exe
Token: SeSecurityPrivilege	1488	wbengine.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: 33	640	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	640	SearchIndexer.exe
Token: SeShutdownPrivilege	4060	chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5000 wrote to memory of 3196	5000	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe	88
PID 5000 wrote to memory of 3196	5000	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe	88
PID 5000 wrote to memory of 4060	5000	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe	90
PID 5000 wrote to memory of 4060	5000	2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe	90
PID 4060 wrote to memory of 4348	4060	chrome.exe	91
PID 4060 wrote to memory of 4348	4060	chrome.exe	91
PID 4060 wrote to memory of 4136	4060	chrome.exe	97
PID 4060 wrote to memory of 4136	4060	chrome.exe	97
PID 4060 wrote to memory of 4136	4060	chrome.exe	97
PID 4060 wrote to memory of 4136	4060	chrome.exe	97
PID 4060 wrote to memory of 4136	4060	chrome.exe	97
PID 4060 wrote to memory of 4136	4060	chrome.exe	97
PID 4060 wrote to memory of 4136	4060	chrome.exe	97
PID 4060 wrote to memory of 4136	4060	chrome.exe	97
PID 4060 wrote to memory of 4136	4060	chrome.exe	97
PID 4060 wrote to memory of 4136	4060	chrome.exe	97
PID 4060 wrote to memory of 4136	4060	chrome.exe	97
PID 4060 wrote to memory of 4136	4060	chrome.exe	97
PID 4060 wrote to memory of 4136	4060	chrome.exe	97
PID 4060 wrote to memory of 4136	4060	chrome.exe	97
PID 4060 wrote to memory of 4136	4060	chrome.exe	97
PID 4060 wrote to memory of 4136	4060	chrome.exe	97
PID 4060 wrote to memory of 4136	4060	chrome.exe	97
PID 4060 wrote to memory of 4136	4060	chrome.exe	97
PID 4060 wrote to memory of 4136	4060	chrome.exe	97
PID 4060 wrote to memory of 4136	4060	chrome.exe	97
PID 4060 wrote to memory of 4136	4060	chrome.exe	97
PID 4060 wrote to memory of 4136	4060	chrome.exe	97
PID 4060 wrote to memory of 4136	4060	chrome.exe	97
PID 4060 wrote to memory of 4136	4060	chrome.exe	97
PID 4060 wrote to memory of 4136	4060	chrome.exe	97
PID 4060 wrote to memory of 4136	4060	chrome.exe	97
PID 4060 wrote to memory of 4136	4060	chrome.exe	97
PID 4060 wrote to memory of 4136	4060	chrome.exe	97
PID 4060 wrote to memory of 4136	4060	chrome.exe	97
PID 4060 wrote to memory of 4136	4060	chrome.exe	97
PID 4060 wrote to memory of 4136	4060	chrome.exe	97
PID 4060 wrote to memory of 4136	4060	chrome.exe	97
PID 4060 wrote to memory of 4136	4060	chrome.exe	97
PID 4060 wrote to memory of 4136	4060	chrome.exe	97
PID 4060 wrote to memory of 4136	4060	chrome.exe	97
PID 4060 wrote to memory of 4136	4060	chrome.exe	97
PID 4060 wrote to memory of 4136	4060	chrome.exe	97
PID 4060 wrote to memory of 4136	4060	chrome.exe	97
PID 4060 wrote to memory of 3984	4060	chrome.exe	98
PID 4060 wrote to memory of 3984	4060	chrome.exe	98
PID 4060 wrote to memory of 2668	4060	chrome.exe	99
PID 4060 wrote to memory of 2668	4060	chrome.exe	99
PID 4060 wrote to memory of 2668	4060	chrome.exe	99
PID 4060 wrote to memory of 2668	4060	chrome.exe	99
PID 4060 wrote to memory of 2668	4060	chrome.exe	99
PID 4060 wrote to memory of 2668	4060	chrome.exe	99
PID 4060 wrote to memory of 2668	4060	chrome.exe	99
PID 4060 wrote to memory of 2668	4060	chrome.exe	99
PID 4060 wrote to memory of 2668	4060	chrome.exe	99
PID 4060 wrote to memory of 2668	4060	chrome.exe	99
PID 4060 wrote to memory of 2668	4060	chrome.exe	99
PID 4060 wrote to memory of 2668	4060	chrome.exe	99
PID 4060 wrote to memory of 2668	4060	chrome.exe	99
PID 4060 wrote to memory of 2668	4060	chrome.exe	99
PID 4060 wrote to memory of 2668	4060	chrome.exe	99
PID 4060 wrote to memory of 2668	4060	chrome.exe	99
PID 4060 wrote to memory of 2668	4060	chrome.exe	99
PID 4060 wrote to memory of 2668	4060	chrome.exe	99

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5000
- C:\Users\Admin\AppData\Local\Temp\2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-03-19_46f07cb8a9094d6eda7e0d05e3693376_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2e0,0x2d4,0x2d8,0x2e4,0x2e8,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4060
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff912559758,0x7ff912559768,0x7ff912559778
    3⤵
    PID:4348
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1656 --field-trial-handle=1844,i,2747267570547917116,13536557636854903782,131072 /prefetch:2
    3⤵
    PID:4136
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1844,i,2747267570547917116,13536557636854903782,131072 /prefetch:8
    3⤵
    PID:3984
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 --field-trial-handle=1844,i,2747267570547917116,13536557636854903782,131072 /prefetch:8
    3⤵
    PID:2668
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2988 --field-trial-handle=1844,i,2747267570547917116,13536557636854903782,131072 /prefetch:1
    3⤵
    PID:1584
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3012 --field-trial-handle=1844,i,2747267570547917116,13536557636854903782,131072 /prefetch:1
    3⤵
    PID:2640
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4000 --field-trial-handle=1844,i,2747267570547917116,13536557636854903782,131072 /prefetch:1
    3⤵
    PID:1492
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4572 --field-trial-handle=1844,i,2747267570547917116,13536557636854903782,131072 /prefetch:8
    3⤵
    PID:3664
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 --field-trial-handle=1844,i,2747267570547917116,13536557636854903782,131072 /prefetch:8
    3⤵
    PID:4828
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:5128
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff6bcfc7688,0x7ff6bcfc7698,0x7ff6bcfc76a8
      4⤵
      PID:5188
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      PID:5252
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff6bcfc7688,0x7ff6bcfc7698,0x7ff6bcfc76a8
        5⤵
        
        PID:5276
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4956 --field-trial-handle=1844,i,2747267570547917116,13536557636854903782,131072 /prefetch:8
    3⤵
    PID:5428
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2772 --field-trial-handle=1844,i,2747267570547917116,13536557636854903782,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:972

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1720

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3932

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1340

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3608

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4364

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1284

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4976

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:624

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4896

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4652

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4780

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5232

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5540

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5640

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5888

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5940

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3244

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5384

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5632

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:6016

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:640
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4420
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
640KB

MD5
872472a6cdf64f5e20468dfe8f8820b1

SHA1
b50269eeb0df0f6159cde442097fae31bf4e4d84

SHA256
ea110f5b95640bbc4d072ac528a6b255fafd0ccd58be8b3edfdbcbd85506c131

SHA512
5019ecefe9d9b7f272b95a32c926df3a2a71357f04c04d8d89e1498268735ba373671125dbd982b6f64567738ce7018ad43fa7a59e7eb2d5f9af924b5735258d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
c2f3562d2ee6579ecc7eaaee86d4e9e8

SHA1
25c010a62762d09fa5d12a2a455e0f5c6c03f7ac

SHA256
b3980abc93e82fdcf09483b2dd165a5e267b7e422dacb0b28d461a303da97ee6

SHA512
257f89d0f09ffd24791a88ff4eb9942d32a47d0c9bccdf5c9d71d34f02caf92f2739c50d4d5f3146670e337523022f2ab0582bb44e11e9c9edaea0fa85c1dedd

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.1MB

MD5
4cc5722c4b4b514de55b29f4d0bad3b1

SHA1
e7b8febb5f81ca81a32a5d8b808978717e462124

SHA256
8c60c122b234fc58618aae7353d17ddfeb57cee17981da95e5582d5fe3dfcfb3

SHA512
da844115f836e34bb03694f854daf8cea9165df0dd1d276c486b4c15a3eb4fbf1e403d8403cebc4c7997850dcb00866902e4f2720b2cde0eae7db0e1539e3816

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
7602a7b0b4fa29a2f9e29d4bb35c16c6

SHA1
a23f9d24db79737c8833f16a92871396f4e2bc0a

SHA256
835cce3bc1ace7ea4e077aeb40915fedbe1385875d42e374b9c9a8f9ad92c4f7

SHA512
d8e250d2bf9061112069e592693d63c322263d3a12373611fa91e5bcc7a8c24991b4f94871d64ff6f82ccf6a6011dca677c87fd1d4cc223e6a27a5bf5c9dbbe2

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
556fec5107f2b2b4193876ebaf5ebe46

SHA1
096f12023d335cbcfde98987fa1095888d8bcea5

SHA256
30e784ad5196e0f1b1a7f39f520eb925e40236fba9c6427e88e7451ebff4b7f7

SHA512
75902e54382c501d5070a6877f26eb8ce3ea276f5a05c54b5da3800338c836a2633d8483cd0d977c835433ce227fe898c958bc90491ed9d7bb90443226cb5b99

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
6e3c8b5b7ecd4d1a070f5e23db4750b8

SHA1
e1a79f6294d06e2a42c3e86831d750b7503653b7

SHA256
ac9fc1434f7e73f54cb72888cc64c5eb933c1915db541a148293c1e621bf21d9

SHA512
efab4d5919731473232ad4157a144078afcf675b3271f828c5bf077acd26c47ddd3f12dd4124ae616620065f9c2bcc057d20eb5de64976c9b7e004bb2e407573

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
a5d8a4f0e9255df5cde6009ac352902d

SHA1
ec8165b1b80f684b49175e44a78f7e8a9d5227ba

SHA256
67eac945794320b55dab7b792e2730f86d787856c924f20420b662e6af47d40f

SHA512
36f751929e42a334fc4bb76fa7f259fea55e74713d6fba144b1b3d2951c834b7673afc12cd0dae5ef36caf4fef5bac8f74d819fc77ee1126bed5626b33f79f73

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.6MB

MD5
9011b48a9b9e340a0418a08868210c87

SHA1
a88f0f09060b3aad7d3710fc55c545e9f70cf89f

SHA256
e3a2db16a90b548048708082cc27000418cc27e7bd73cf1da4b960eba900c659

SHA512
0a3167db8c81e70014c142a4a92cd41b3c65c7d6e9c4f4449390c1bc11901fd09e7604d98137afed455fa8672baae27eb11ffe118a80841b3696b94dc9424b57

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
1.6MB

MD5
07eebe92f16a2cd0fedf72fac5ab012d

SHA1
09e9e5b2047e5aa920044c2a282071051828db3c

SHA256
640df381f2b4cdf7017997c44c54c6c847d850723511b88320b398cf14898835

SHA512
2eb0f00282dd6b305f631838ec109c7c5eabb5a34367d1821d80cca29958ab3fde1a97b551f8097fffcc7e304673429c7e9deee0dcdb5770e6fc13886985525b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
736303b0e4ad617cc733b92bb736e28c

SHA1
5bebecda8d149e6ac6fd918c4e7860ee85f9a22b

SHA256
87e196fd72fa696b2b1fbb09d48d363293a3ff5d06d4fb808bcdaded89d388a4

SHA512
22175afb7c0dc16a34411ffec30b74c99612cb9facd9e1244f4499f11b1f9dc6f4c5d375a46e7f61b531fec05eab34d6e25d92926dcc9e73586f20713fc1e825

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
1.1MB

MD5
ccfe572651e27f16833d756c5e4d947f

SHA1
1ba48dff5f4f76fdb5dc3101818874095908992a

SHA256
7b4c6a6dec9796f95ef7f6d42d2b6255fc2f084ca7a2ef35a19fd3916d7a71ed

SHA512
2a0d28bb2edaeb644c0822491dc4126900e7d75340a9b9116759ba347d159912999932df73a29f05a1703d913809903ff7737d20994e25e617beafc985e4e675

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
1.2MB

MD5
c560841b60c91ca82562e90a4f7abe7c

SHA1
f1821c3f5679e7270a4c33012bfb792d481e6795

SHA256
dbed3373a804d6590857b0e115761735a5c1736611d045a0b341ae9a250133b2

SHA512
c56768d0a4ea19add8149fb64b63c391c4379fbe1278aabc8a69dd35ee4b1a53c8f1bdb0e486409d2c6ee6411a4e7a938c65fa462d9c22fac9252919485974d1

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
3bc18d53653da1070ca05313447b8c81

SHA1
db111a2bd1d7b560e89505969347d0686ef83863

SHA256
abb185788c46c61053df4359121c40b0fe53a1b03c8eb22d4d7a23b38174805e

SHA512
cb4c2f353ecfe4bbf5154ca17ca3fd6c3a18de9ff7e3c07581217a5a4c5a0cc8f23f8c6b7c5c8c69bbb1c54fb686a01188de52f85e22e6ed2ae632c005c3afa6

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
320KB

MD5
e08c993f999d9933afeb83c0b1b43b3b

SHA1
e53afeacca947b45f182574b7c5ad946841dfce1

SHA256
74ee5a0b6ae82beb83137bcea13e5c287fd7ca272f5f33c5b5fe7f7796ef31c5

SHA512
bfae5a92ac8c0cc0cf85acd653016ccb5a09053b3fda15ebafd77a6fec89a1ff41d28ad84d3d8ec3a6e04a7ae65b3f16dfe242930559cf1e5ab8e516f4c4babb

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
3b39907d40eb507bc1199c507853f3ef

SHA1
d7c1107bffa913c4addf54cea86fd6dae9ad61de

SHA256
5d01b2f49fc0fddf909d633f2afddac4a2c250c2da5c9795581157fe6e162ce7

SHA512
641dbc029900ac0a2a3695aa3cd7f20e7331c36ad357d67e1d08619250736a315506f5127a44f0a5e10a5faf1f73572606796725634e603d896d1057525da0be

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
1.2MB

MD5
fe9962c997e1f989ffd26d07779d4def

SHA1
c325a8dc1448b49483b9cc4514c56d0bd6bddf87

SHA256
536597d474ed9643619bb9c6c374b52534c719ebe899f37ceeea9cde4a693655

SHA512
89f88de73669fb0e59821d949ff348eb447a4fcbacec26e63795dcb0366ad0538fc6aee19e9b1cfa90d9c8c4d56616383380a0349eb1367f38659fe585b0be6f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
1.2MB

MD5
44352b62dc2dd4035d963dcc3eff387d

SHA1
a54402364520abc938c4a743ea79880539efc50c

SHA256
cb1d6092af672ab5089743b3d138fceec2a0e6844bcdb030c103fa43e8bdf5dd

SHA512
c4a6d653aada323e4d916a68c2313dee6db31d43962a4f3039c96ba26d83b6b15dea04df82ba8cde7d30ad341a830200e0797d7cedfc232f470610766b12725b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
e8f75828b5f4c0dd10eaed7f7e281310

SHA1
9a95f28459f40028318e365758f7c762f1d5a20b

SHA256
fb3c110b4ac6e36b40203db4e48413143ef0668895e62a95e12d56a242ceec47

SHA512
c2f0e8bf6be0b4d5f880e3bdce14fe58a6352c8c81c48956fb4009b58b3084e6d3fb46caa133d4629c5494867b82a0d5bac1eb85f553b02363a647a17e482cbe

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
1.4MB

MD5
63b8a99ce7c075c8cea06a1d5bbbcf67

SHA1
d3fbdae4554389b71c274256ee1f6234245ed104

SHA256
70046554d048be7f14ebb849ea3878e38569a4e20505f358a48a786dbef86923

SHA512
0dd1c3a382cec774a1b0df589f214193c7cc85ae91b4c445f9109dc14580675e692195cc9df7da157fdacf64daede7aa6c54f96ac853e6983457ce7a51bd15dc

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.1MB

MD5
b4438dcafe3ac0f330a6b7f57f404ba1

SHA1
9e457cb369e1489f37f5a77e6e8c0dd89f4472ea

SHA256
2cdb14558f3ef300f0d041460d7c1274b8ab2184b1551ea9c5b607c94c229e53

SHA512
7a9427e9e57c51aaea5ef69764deb2c2bce711e53c88d3a31e3dbe304868e641276c8ee1165edcb91f15a1b1806e6e82ca859a7d9b73d08b73d8a74c26a0cc87

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\e4ed6331-e119-4534-a372-19a609d77713.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
2f08354789c141beef8b622945bea412

SHA1
6744847b3d635cab79d354b89cb37cc115921963

SHA256
2973ee40f0e02e0afcb3b278eaa78db4b168771e51f50b383fd9d41fe5ed7d88

SHA512
752cb6ec68ef0f22c70b07b174e6128ff24197c002bda596849d24a6f5ceea5310a5a54bcad36c7a855f34f41c7c57dc3b37c2003fc21383140a46efd2fedc33

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.2MB

MD5
f87b2008f524b449826ba26db81ef93c

SHA1
3ccaae631e46584d4ae709947e59563a4d522421

SHA256
92d6b326df0b0ff1a5d90c0e0c74f06636f1c863966819292d272ddc6d4204b8

SHA512
7343f9b796a18cde72acb783b2fc0df4328edc7159d01535644de4a32a1f94b877aec89c9c4e358f598762be0d28f99f4fd18f09fe0e48b0b4cee15fbde80dc0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
56ab48b0e6f463186a25731d396d9ca7

SHA1
218ba5be93721e57df50fc086925b4bcfcfd2f7c

SHA256
e5525f667fe103e14d8ad397c3343d6a61ca1290183289c4805bef0874632782

SHA512
d87b97d70c7c9a4b77c05d9c3a047b4083c929f89b12fd44aaf870b151d9485f3e80ce519de85f4ba84616641d97f3b4f4a22eaddb2837acefa84c989fd506da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
e2645a2116b2cf263b48b8071e03c0af

SHA1
abe83f32531866c6c2bb9666da2690369275391d

SHA256
196435cebc4e948f19da02ecbcb6877acbec0a0c1bd74b9b86c48d0d5d9a7620

SHA512
1c715ca1d31585db76e54b2cc0e23e20eb4d8f6e94e26988148cf4e1177f4bd918d3e1f64b26fc61941e906737ab13fa9fcc9c55b0902c5549025bf5b6a1abd5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
7a8a4bfe98d13d64998d010ea109bf4c

SHA1
88315ab6198f338c21244f195e69e43c3734b470

SHA256
b1d19bdf82f7804520239d2ae3ade3c7f3774aafc0831630881b5d537014899a

SHA512
a188f133442c09c1323eb1ac166faf12035e03667c943179b9659174ba0026e5b7bc833bd042a9988af6733e0550b875e67f3deca5c1f411da4d666a4a5adab8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
29526abcaf08b2190d389ecea4069d1a

SHA1
fcbbd4fe01eb33f9fdd9b68f9cd7d275cc616515

SHA256
7db81411f7b1555e5eb95ea12e69a60662c3d1e0ca8c2329669e3f7eb247ccb9

SHA512
bdbd709c8747b8a6fa09ab3025d8316c81024ae68c1f4689b18a07366f264a2c1b995044f6a5845c480dc8c7a17776bded51848ed693f8155a1041a77ec8042f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
93bc235defe8e1ee5f52236b542bd8f1

SHA1
5326eddf394a8d5fe54c39dae770f2131bb89180

SHA256
a140563b61aee854c4db05e01ee1b100414a186edabe686d30a9f58d68791cf3

SHA512
d5faa8a8b9284f8fe6d30b4d1869df27d69010a4bb8cc38ea9b5bb1b3d4bbcfb4317b6d5289750d815c0439c5568a6df4cb7e7a45a2ed0b4e967df2b23667460

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
53ea2884dd2e9c3b553f26e4b95556c5

SHA1
dd7524675379119c5e20c52f23927e28c8913cfb

SHA256
43e2a65aef2ce9f60ec555e5e5d23e93f25dcf4c216e689376290361b37b23d4

SHA512
f48c5f654b27e991fee3051c188447a1068b881d3574435a51acb38cee9324419cc068d70aac0b141e640d082a9571a009e730001d6a458f960b804ff5173786

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
48c8cff2ab05d29f9b40119147745b08

SHA1
757bbbf9ef2620ed249b9d04777b401375ae2cbd

SHA256
84a58ae8658fd867975930b6508387091ef59d9c06e3483a0659475591a5f468

SHA512
8728e0a38e9396837bcaecefa0efcadd042e0b5fd258df45e7abf500cc4d8a961ca434a5b7619bf5a327831aaad7560001c3c91412c2d5e67fae01eaf8afc336

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
5a3aa396d1b237ae36b11a0608b7d6d6

SHA1
d7094a5fad9fc80f8dd2d6f94b86ccf9fb9185df

SHA256
0e7b900fc4fee78c499d90ca38b6bd3edc03aa4064bbabadc53dd956420e5195

SHA512
969585e80a9aaa90c3aec0d07af23c667a231ff4d34fc28e0ad16ac53e63cd0d073fdb4c2dc4122b44e2be892f035113acd38c09990d5b88a6be0862b0af9193

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57a47d.TMP

Filesize
2KB

MD5
7f86062f3b5f051c4ce0dc7faa37d65c

SHA1
032ea18eb7befb1a9870aa802d33aaf8450989bd

SHA256
3793c4e505a1b2522034fc03ccbad660e13253e0e400ca82466454a197692dba

SHA512
e97ba9a06ec47582e2cf2d450fa2c301b1e63d87e280af79597c01912213c31bc3b0f65026e6b4e311f661de78a08d7b2ced5f310150fb8ee04d625a4e306785

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
45862a44e9254e0df0eec307cbb90abf

SHA1
3e7c79d43754bbee5c059d80aebea17e8a07d424

SHA256
e0ad418575846da6319fa92cab5eac248a8b6c139d6500fcefef5dde8c3e8edf

SHA512
be3e28b8f89ce64fff1933d3f23b6eb730f3595686294054e1e417027b2b2b4cf00e67bab9cb2ed7ef52c2549768aa5fc64ea5faffaea4d407b29be695f5ba05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
258KB

MD5
f9a8bcc0f61431dcadbceb05c8db3b23

SHA1
599a1bd92be83bfab1b02135ec7323c993c1686e

SHA256
638d8601dd80da7ea0e3247dbd7c2822fd29b6dbbb05c54bd0110a143d070963

SHA512
0011132649cdb98380347b3fa44de9b6eb0645946d02f054e9355e1c33280129c8b0b45db36afe1a516de89b9c626d7b25f9963e626ec84d7a840fa4a2259eca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
25b98c955f47bf13b632bce131f2b378

SHA1
745f309fb42700feb82b7557c1d64df22c2c62b2

SHA256
257b08ac6a2d1b63b35b0efd094a1c29ccbfebb986b9114a38372dbb40e09471

SHA512
a58f20726e9ed657733646cbd920d634901531f59dc159b89eda9eb427e82139ed600887c7e802887e5c2ccaca8ba24567e6574ab6e7565fdc599cb841698fd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
956eb4c1c74e7014d46bc13bd42aee58

SHA1
005fde190b7c794c56827653527b0c9b267a1e46

SHA256
b70b940b717c89c7907e500f4269564b17d894e329f5a80fc18c75d50b2669a8

SHA512
9158d52142e0fcb8887e4be38d9b3110cfe58c0c38c3e1b6974e420df15157a614501f663cb2cd26d0e25ee83b1fb43259519b8a3140bb38da54c28d35dcc7f0

Download Submit
C:\Users\Admin\AppData\Roaming\3f43abc920d6ff11.bin

Filesize
12KB

MD5
ad349a3fb29f298e2c86793eef9d2d00

SHA1
8f38dad82e1626457dfdc5512fca3adbbb7b9cae

SHA256
53f0b353e87efc514ab530f8f7f42e367c757b832bbb88207dfe677306b4c8e6

SHA512
650d9516d86111fec70dbd51ad754b3a123eff8ec582c4d0000cf1d4447bdee5896a0cdcee3f46aa0b1c90f9edc86aad7fcb161b66605f61327ff718e7c4b954

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
8890d1bd6e132196afcb125d7b21d544

SHA1
69a80924eeef570f963d9f8ec6680b3adb9fcde8

SHA256
140e70e30ae71ec3a78a4347133a047908faae0a98771d58be56a28af60decef

SHA512
fb8ce561c116cc9fa76be4402988a0b300a9310b783c6f7154a885efc2b8428d0f3f6c45a7e698debd40bc30914a80de2aaeb9bc91724249a77543f2e685c274

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
6ecc405beaa659dc41153bbed4899c98

SHA1
66795ddae7fce2a62961ee19593059c4d53e9f99

SHA256
96524de4bf73e1865c6d8eb6f197a997c489c8a9035858b8a8f28c231f48fda7

SHA512
d32fb03dd92ce2fb2cd888013ac8c02e164c88e7fb64ad8e2c26da56631fbe98bfa60bd9bb2898d4c7d3fc23bae4aba5ea48868fda784f8967cd6efeca1a90c2

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
ccb1e57b7228c46bb4945d2a9a9d1423

SHA1
9de21b56c5c843db6d48e06dc44b40e72c79dc5b

SHA256
fe4b7b3deb903fce0854938754fb1b839530995546d1e65df682eb29d38ab049

SHA512
cea981d00a1d706708dec37b3070857d183b7d894e2c77d9433b6ea9855548be23d0a3c25d5258cb98d32d441e0621346365d404ee5ea4ee1f032b38fedf654d

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
670161b43266a0f556ee1fc0a9e22e3d

SHA1
2fc5aff96d13022cfc14c338cb633e40b533ca77

SHA256
af082cafc9dc9550d2e56b9b04412007e048e80425c5c99912c58b1016370bff

SHA512
40ad3a410fb41af0c04e6147d212b073fe9336ce8b972f20724c40c3dc55d507b478f1c258e2f1a4bbc2eade20fce3b2eee3a07ffd93d4e28372c109b9f9e0f8

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
d425b35fcc626aa5d543a936d8de4598

SHA1
7db4ab3334fadba85a1c681f15ac1b465b55133c

SHA256
de1af632faa21031877ebd70b0054976c6c1f66339a8ee242769e244fd334099

SHA512
13f70a867a33822899ac882c2895e2000d2ac11ea4dc8ae71e73b27945f1e083fe38cc951b28d8f77d3fe743ec1e2decc3010190c5e3672d27d1134313252cfe

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
974KB

MD5
554a616c4dd5e503b7a2424432add7e7

SHA1
ac0ba59527b1351407736d49be169cd5e6ffe2d9

SHA256
46923e5d26862472ed53dcb11389868ce24971a2aa8e9218bfe056fcb6aeaa88

SHA512
60eb0b460f524cf80a63eaf6ae251561e7aa8e10737d514fdd02c13d30ec7202f1913a5e553e70822fab3226351a0751857df6155b62f43bd90e66d0b5ddfc31

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
704KB

MD5
2488fefcac65119bb59f49a9f9af915a

SHA1
75ac19313a633a6a3ad4ba7ec6c0fb9f01e27da2

SHA256
28bf296088cd563ec81119e2c209133297fe99574cd8c84a64f8473378a6db45

SHA512
a4bdbc653e67cd8aabe5ac270f6b5aa2db47f490f55b33992d996b50d153c4f18f2b31e05855640003aa191cfa9b57ef71a93326b312de967aac578a09ad8d84

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
2a6a782fc380b29b2e61b061808ad9f0

SHA1
46c8d7b754a03b1be52628d6afb2888c2ed7ad0e

SHA256
8ab7c69ccf5600f47168a71ffab7d193fcdeda424e497c34094b1cc4e1e4e0c0

SHA512
77e1f0fc95f74abf0ba76957430f846d20eba4a810b3e1913db8127aed4d3b8156b310d85aecfb2249be36fce0c31a59c78b683b32bf8bec0ecfba04af345ad7

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
3dbc9c17e98c8a5f77e6ef740124ef6c

SHA1
a2b936faafc3697d2abe777d88e2166babe29dca

SHA256
219bd4358ecc5671a4a7bdb9a1c9a03a5768176ab3d62b929ee690d7aa706c0e

SHA512
fbfea8fb48195194ae9dbd5781de4c33be75881cd5f8e01acc3444b2c082f85bcc7284bdbf2e2e1f479488d7da55f7b0b9a54e2075884eb4d121322a85dd1c78

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
384KB

MD5
37817819806ef264c30c4abb2075e511

SHA1
2b927fa914f6c02977fb373a84fab4fef1d753bd

SHA256
4341fc2517ee4cf4cbf8377e00c455836da76a92e3208d9ed7ef3bf0415433e4

SHA512
1ad2d32752b191669e195a07d8e218a6ecfca676ea22af43e2d752291bda7cb52112bbdb025c64a442917b03646f6e01014ffdfe28618fa64b5876ce5dd20fbe

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
256KB

MD5
08f9afb71626ccec476fa57142a241a9

SHA1
3eb90ccbd2b15f550f02858505e9fc916fe73967

SHA256
a10d28628357aa5d1ec0786ffdd2fd1a910e4c8321b3a1fd171e37277e6b47cc

SHA512
bd3fd2313af152d398b026d41d976e77c736e98bbfd5e53e70c8ff41639dd20319ccaaca5b51d61f7eec18f79b1702dcd8fc1a705ed921e3b9db0660461e898b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
deab5bd90292e3e55256624097e9e097

SHA1
5f8b6c59fa31cdeca38ba172f1e68ba509de8db4

SHA256
37b797df504b1ed49862a11b652080c70bf6ebbbef4bdaeb8a9ce9fea88a64b5

SHA512
f490f055ae6fbb79a14aef5abececfda72132390319331bc473ea0f5c8ddfe20335a6b6f5ba4cf4c5e0eaebccdc28984f484127811d42134bc277965b9ed98e2

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
900285d3308bc88fe60e9fa23bdff3ac

SHA1
fd8318e31a7a21d03c62476cf26825d6c83ee3a0

SHA256
e13f8d1c66469d84ceed376be91d2869676ff2130582247d412036a1fcbd5b0e

SHA512
b50c9c80dfe4c348d0e33dc6b6e449a118c227b25fbac90b48536787bc6bdbf0f3377346953f4a1623b16ecd9d5cc38d18f6182c6e9b9b3a6dfbf76e9cc721f1

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f4d01e27c693a496f8f15be21f573422

SHA1
1d85ec6f355a7f2f996bc0f856b2fbfd196a2850

SHA256
b79293d622d353ea4fe37cb057b1035860645cba9c6c3fd3d5c7ec3d5201718c

SHA512
6a7ce74d57a0c7d4d044d6fcc4a26b5445f97eb7be338ae00c1945adb9684b82588ccc789bfdc3101894ab997218cdc886085b8aed15c95d1e2680b1fd45d85f

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
32d7e2e905950f9f47a1c671a0813747

SHA1
1ac9a8044e4e8e6eda7eb959b7dec61d62cfc479

SHA256
9bdf92423a73a18128295710413bf753af438216d8744b9da9ca9b9be2cbae29

SHA512
4e3646a531c0819ee8370230bdf81fb7c76c3027f47d84c54d50135502ea1257f76ee6e3354cd6ed2eb2b3d58601eb6720e87280bcc9222a178722c5ece2de59

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
81af03ba36b1bc5c0258bf2854f7845d

SHA1
25244b849f2ab64cd63e9ef3d52a75717d824a17

SHA256
dddc3b6a929914336021d3417b005e1a3ddf25930ff308b2a0e562718e60bded

SHA512
12a044968ceb9d28141e27c4527c4b67f8347191a71ad72d6cc6aba3d35e8180fea15f8089e8fc3571cf1171536071b19f447c431a86d297fdc9e794b96231b6

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
34d701860027b3c754930b643e2f01a2

SHA1
1923587e8afcb3fc497561f3cd9d975633f3714d

SHA256
fa221893cb03a3621c0e3aa64dd6aded2259576c72e76f6006321ab0214caefb

SHA512
e4f2b2fa4ff24bdadc661f23c3994493fbfff494e965b4b0c09a4726d1ecba3a7d1546fe5c22d258f945d04742ce02facc8833cbcc2f10417d1141877fc007a9

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.2MB

MD5
1ad73b280589ae7845a062ebb1d6244d

SHA1
06cb8b8f77d358dab326210695a057f7a8550b0c

SHA256
94f0b0155d7586382d7622c18b7eb1cf305abd1bcc0f211d1bfb68ecb0a9ea44

SHA512
f120926661dc0a5f5c92a78a7c23b7964381ab649e0110a62d4ae32847c2db033d1b306eaabc93514faa23ccc797f8e499288fc6a47aec657a755c55d61104d4

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
07c2008fa2c5b461d9b1a486c071c6c9

SHA1
19992db28a67bb9e423c5723ec15258833dfb0b2

SHA256
693662a6d9300de60ff5e1a0f7b042bd9c26f3f0c4fa11679bff069d62f0ed64

SHA512
42b09c31eb0020efcf26437cca4979c4d30dad1d43873db937d0051c744ddb96327b11f97db18adf2f987cdf3f68ecaa7aebcd1cc05bda5d54bd703476252aa9

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
384KB

MD5
9115f297ea1b60313a8c17775fd4760f

SHA1
23a1f73ab605eb88d7abf07be5e894a76e059f31

SHA256
04b6e8e1416f06962ebc3e85d235fd1d9515269622850d20a90246b0f25368ea

SHA512
e2f585c919c98982dc08585d9677ca53f4eaf3a1387d3f3af5880ff8c0ba3d85b152f47470a0340f6e2017bb00378b60da63104e0c52c3b8b48c4d898ca32f02

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
d41b8687031e3a2995334937fb7ca9ea

SHA1
8b39afd291618f38a9ad28d67e8c0c15e9e9ba41

SHA256
7a1c862fc0525d96a5e237ed5d69e43f0a1d5f5ce37a2370accfb673a073148e

SHA512
7e6e62a20f7c2fe2591c0f21a82ba696d1dd543efbe38a729cff45ab2aece388d6c71316ca1e716349ca758b7bb4afe4c4ebeef7ebf3946848b413e3b834c377

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
c8ecd0b64ca04d61e7f9d8a0a2c2bc9e

SHA1
932c148392c88916157a8d1e44c37285ebfb7759

SHA256
a00362679cb8c6534a9bfafb3e45ecd519987f3067ab658517ccc781c3590dcf

SHA512
8d1b5f07bb96a4cf05f487aeb33ef5ec8096cb49c47ae883ce3b5f0146778d0934f1c6bdcb1b762034b2d50bc39d43583833337c51526e570655977609b951d7

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
211KB

MD5
2c60021f397e7cd69ae3c5626e79c68b

SHA1
89acce574525fde1eff6ab9121665e57bd4164ea

SHA256
bf190d68a256cf6068353c6eb5dd78e3f95d652ea87062a958e30ed584b87165

SHA512
09d32a067c394ce8afcdd414a6bf53d38aa86e197dffa656100309dce79522c41d802d009c507fd6670013c455daf5e90de00dc441d7239a95a9af8ec8972df0

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
256KB

MD5
3108891d29afa00d5b8246e1674a5760

SHA1
5410102ccae0bdb6f3d3062ab04e57132b047847

SHA256
9bf73c06656089d5683df84fc916b26dc8826c9a88188834ffb5649e51db94be

SHA512
a8244c37e11ea3cd01f500229223620d61c14a6f1f38249fed6277999d34d94580ede753bb643af7f824961e3336f49f70ba60d36fddee3615757a0eb5b1b849

Download Submit
C:\odt\office2016setup.exe

Filesize
4.2MB

MD5
edff11236762db68e080c9980fd23686

SHA1
7766466811303d98627e92d57aed282926c9a15b

SHA256
2ac5ac99112b6ab494d3c6e0c3bda2e052eb905f8051f84cec89ee210cb88a2f

SHA512
4c0757268c7fde8de10777276b1f614f8b4e13005746d40d73fd9305de7757d7931c55757cf611003fa05ae5d68bafcd5c5b5a01092b31e20097ae9c1056cccb

Download Submit
memory/624-150-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/624-156-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/624-245-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/624-240-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/1092-74-0x0000000000DE0000-0x0000000000E40000-memory.dmp

Filesize
384KB

Download
memory/1092-67-0x0000000000DE0000-0x0000000000E40000-memory.dmp

Filesize
384KB

Download
memory/1092-60-0x0000000000DE0000-0x0000000000E40000-memory.dmp

Filesize
384KB

Download
memory/1092-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1092-78-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1284-119-0x0000000140000000-0x0000000140289000-memory.dmp

Filesize
2.5MB

Download
memory/1284-132-0x0000000140000000-0x0000000140289000-memory.dmp

Filesize
2.5MB

Download
memory/1284-118-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1284-127-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1284-133-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1488-355-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/1488-348-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1720-103-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/1720-20-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1720-21-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/1720-35-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3196-102-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3196-24-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/3196-12-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/3196-14-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3244-298-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3244-309-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/3244-308-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3244-302-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/3608-105-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/3608-71-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/3608-109-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3608-82-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/3608-81-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/3608-72-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3932-54-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3932-46-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3932-47-0x0000000140000000-0x0000000140268000-memory.dmp

Filesize
2.4MB

Download
memory/3932-135-0x0000000140000000-0x0000000140268000-memory.dmp

Filesize
2.4MB

Download
memory/4364-101-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4364-107-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4364-114-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4364-176-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4652-177-0x0000000000400000-0x0000000000656000-memory.dmp

Filesize
2.3MB

Download
memory/4652-272-0x0000000000400000-0x0000000000656000-memory.dmp

Filesize
2.3MB

Download
memory/4780-181-0x0000000140000000-0x0000000140254000-memory.dmp

Filesize
2.3MB

Download
memory/4780-281-0x0000000140000000-0x0000000140254000-memory.dmp

Filesize
2.3MB

Download
memory/4780-197-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4896-165-0x0000000140000000-0x000000014026A000-memory.dmp

Filesize
2.4MB

Download
memory/4896-171-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/4896-254-0x0000000140000000-0x000000014026A000-memory.dmp

Filesize
2.4MB

Download
memory/4896-262-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/4976-144-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4976-136-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/4976-216-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/5000-31-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/5000-38-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/5000-0-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/5000-8-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/5000-2-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/5232-218-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/5232-294-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5232-203-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5384-331-0x0000000000B50000-0x0000000000BB0000-memory.dmp

Filesize
384KB

Download
memory/5384-314-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5540-312-0x0000000140000000-0x0000000140255000-memory.dmp

Filesize
2.3MB

Download
memory/5540-233-0x0000000140000000-0x0000000140255000-memory.dmp

Filesize
2.3MB

Download
memory/5540-242-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/5632-336-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5632-342-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/5640-334-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5640-255-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/5640-246-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5804-264-0x0000000140000000-0x00000001402C1000-memory.dmp

Filesize
2.8MB

Download
memory/5804-273-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/5804-347-0x0000000140000000-0x00000001402C1000-memory.dmp

Filesize
2.8MB

Download
memory/5940-284-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/5940-291-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download