1d23429c1fdac67a710f94a6b48fccf065498655b77a85c21f9a77223ea33f6f

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26/03/2024, 05:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
Size

5.5MB
MD5

6909e9386a890eab1b58e7b9dc5339a1
SHA1

750b015bfe5fc514ec6c8a9fa3d1fbdd17a48638
SHA256

1d23429c1fdac67a710f94a6b48fccf065498655b77a85c21f9a77223ea33f6f
SHA512

4c09e134c0c554b5acd1d95b658c76cde1b3cbb8ce19c32040c5d8a006868d70371831c2c2ec8f9950ae9b1b61646034ad3e5f171b472efb8f8da352b41726d0
SSDEEP

49152:REFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfo:VAI5pAdVJn9tbnR1VgBVmOd

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4308	alg.exe
1680	DiagnosticsHub.StandardCollector.Service.exe
2940	fxssvc.exe
4224	elevation_service.exe
4772	elevation_service.exe
684	maintenanceservice.exe
2372	msdtc.exe
4280	OSE.EXE
4800	PerceptionSimulationService.exe
3528	perfhost.exe
3416	locator.exe
752	SensorDataService.exe
5168	snmptrap.exe
5220	spectrum.exe
5484	ssh-agent.exe
5708	TieringEngineService.exe
5788	AgentService.exe
5840	vds.exe
5904	vssvc.exe
5980	wbengine.exe
6084	WmiApSrv.exe
5040	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1fc6e92f990ca9c2.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_118578\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_118578\javaw.exe	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fc97b5d23f7fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ce0952cc3f7fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dd1430d23f7fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133559050812246628"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008f011dd23f7fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007335fccb3f7fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000034ba38d33f7fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
3656	chrome.exe
3656	chrome.exe
3064	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
3064	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
3064	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
3064	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
3064	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
3064	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
3064	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
3064	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
3064	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
3064	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
3064	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
3064	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
3064	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
3064	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
3064	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
3064	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
3064	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
3064	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
3064	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
3064	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
3064	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
3064	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
3064	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
3064	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
3064	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
3064	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
3064	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
3064	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
3064	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
3064	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
3064	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
3064	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
3064	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
3064	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
3064	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
1680	DiagnosticsHub.StandardCollector.Service.exe
1680	DiagnosticsHub.StandardCollector.Service.exe
1680	DiagnosticsHub.StandardCollector.Service.exe
1680	DiagnosticsHub.StandardCollector.Service.exe
1680	DiagnosticsHub.StandardCollector.Service.exe
1680	DiagnosticsHub.StandardCollector.Service.exe
1680	DiagnosticsHub.StandardCollector.Service.exe
5612	chrome.exe
5612	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3656	chrome.exe
3656	chrome.exe
3656	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2524	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
Token: SeAuditPrivilege	2940	fxssvc.exe
Token: SeShutdownPrivilege	3656	chrome.exe
Token: SeCreatePagefilePrivilege	3656	chrome.exe
Token: SeShutdownPrivilege	3656	chrome.exe
Token: SeCreatePagefilePrivilege	3656	chrome.exe
Token: SeShutdownPrivilege	3656	chrome.exe
Token: SeCreatePagefilePrivilege	3656	chrome.exe
Token: SeShutdownPrivilege	3656	chrome.exe
Token: SeCreatePagefilePrivilege	3656	chrome.exe
Token: SeShutdownPrivilege	3656	chrome.exe
Token: SeCreatePagefilePrivilege	3656	chrome.exe
Token: SeShutdownPrivilege	3656	chrome.exe
Token: SeCreatePagefilePrivilege	3656	chrome.exe
Token: SeRestorePrivilege	5708	TieringEngineService.exe
Token: SeManageVolumePrivilege	5708	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5788	AgentService.exe
Token: SeBackupPrivilege	5904	vssvc.exe
Token: SeRestorePrivilege	5904	vssvc.exe
Token: SeAuditPrivilege	5904	vssvc.exe
Token: SeShutdownPrivilege	3656	chrome.exe
Token: SeCreatePagefilePrivilege	3656	chrome.exe
Token: SeBackupPrivilege	5980	wbengine.exe
Token: SeRestorePrivilege	5980	wbengine.exe
Token: SeSecurityPrivilege	5980	wbengine.exe
Token: SeShutdownPrivilege	3656	chrome.exe
Token: SeCreatePagefilePrivilege	3656	chrome.exe
Token: SeShutdownPrivilege	3656	chrome.exe
Token: SeCreatePagefilePrivilege	3656	chrome.exe
Token: 33	5040	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeShutdownPrivilege	3656	chrome.exe
Token: SeCreatePagefilePrivilege	3656	chrome.exe
Token: SeShutdownPrivilege	3656	chrome.exe
Token: SeCreatePagefilePrivilege	3656	chrome.exe
Token: SeShutdownPrivilege	3656	chrome.exe
Token: SeCreatePagefilePrivilege	3656	chrome.exe
Token: SeShutdownPrivilege	3656	chrome.exe
Token: SeCreatePagefilePrivilege	3656	chrome.exe
Token: SeShutdownPrivilege	3656	chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3656	chrome.exe
3656	chrome.exe
3656	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 3064	2524	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe	87
PID 2524 wrote to memory of 3064	2524	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe	87
PID 2524 wrote to memory of 3656	2524	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe	89
PID 2524 wrote to memory of 3656	2524	2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe	89
PID 3656 wrote to memory of 1244	3656	chrome.exe	90
PID 3656 wrote to memory of 1244	3656	chrome.exe	90
PID 3656 wrote to memory of 776	3656	chrome.exe	97
PID 3656 wrote to memory of 776	3656	chrome.exe	97
PID 3656 wrote to memory of 776	3656	chrome.exe	97
PID 3656 wrote to memory of 776	3656	chrome.exe	97
PID 3656 wrote to memory of 776	3656	chrome.exe	97
PID 3656 wrote to memory of 776	3656	chrome.exe	97
PID 3656 wrote to memory of 776	3656	chrome.exe	97
PID 3656 wrote to memory of 776	3656	chrome.exe	97
PID 3656 wrote to memory of 776	3656	chrome.exe	97
PID 3656 wrote to memory of 776	3656	chrome.exe	97
PID 3656 wrote to memory of 776	3656	chrome.exe	97
PID 3656 wrote to memory of 776	3656	chrome.exe	97
PID 3656 wrote to memory of 776	3656	chrome.exe	97
PID 3656 wrote to memory of 776	3656	chrome.exe	97
PID 3656 wrote to memory of 776	3656	chrome.exe	97
PID 3656 wrote to memory of 776	3656	chrome.exe	97
PID 3656 wrote to memory of 776	3656	chrome.exe	97
PID 3656 wrote to memory of 776	3656	chrome.exe	97
PID 3656 wrote to memory of 776	3656	chrome.exe	97
PID 3656 wrote to memory of 776	3656	chrome.exe	97
PID 3656 wrote to memory of 776	3656	chrome.exe	97
PID 3656 wrote to memory of 776	3656	chrome.exe	97
PID 3656 wrote to memory of 776	3656	chrome.exe	97
PID 3656 wrote to memory of 776	3656	chrome.exe	97
PID 3656 wrote to memory of 776	3656	chrome.exe	97
PID 3656 wrote to memory of 776	3656	chrome.exe	97
PID 3656 wrote to memory of 776	3656	chrome.exe	97
PID 3656 wrote to memory of 776	3656	chrome.exe	97
PID 3656 wrote to memory of 776	3656	chrome.exe	97
PID 3656 wrote to memory of 776	3656	chrome.exe	97
PID 3656 wrote to memory of 776	3656	chrome.exe	97
PID 3656 wrote to memory of 776	3656	chrome.exe	97
PID 3656 wrote to memory of 776	3656	chrome.exe	97
PID 3656 wrote to memory of 776	3656	chrome.exe	97
PID 3656 wrote to memory of 776	3656	chrome.exe	97
PID 3656 wrote to memory of 776	3656	chrome.exe	97
PID 3656 wrote to memory of 776	3656	chrome.exe	97
PID 3656 wrote to memory of 776	3656	chrome.exe	97
PID 3656 wrote to memory of 2028	3656	chrome.exe	98
PID 3656 wrote to memory of 2028	3656	chrome.exe	98
PID 3656 wrote to memory of 4872	3656	chrome.exe	99
PID 3656 wrote to memory of 4872	3656	chrome.exe	99
PID 3656 wrote to memory of 4872	3656	chrome.exe	99
PID 3656 wrote to memory of 4872	3656	chrome.exe	99
PID 3656 wrote to memory of 4872	3656	chrome.exe	99
PID 3656 wrote to memory of 4872	3656	chrome.exe	99
PID 3656 wrote to memory of 4872	3656	chrome.exe	99
PID 3656 wrote to memory of 4872	3656	chrome.exe	99
PID 3656 wrote to memory of 4872	3656	chrome.exe	99
PID 3656 wrote to memory of 4872	3656	chrome.exe	99
PID 3656 wrote to memory of 4872	3656	chrome.exe	99
PID 3656 wrote to memory of 4872	3656	chrome.exe	99
PID 3656 wrote to memory of 4872	3656	chrome.exe	99
PID 3656 wrote to memory of 4872	3656	chrome.exe	99
PID 3656 wrote to memory of 4872	3656	chrome.exe	99
PID 3656 wrote to memory of 4872	3656	chrome.exe	99
PID 3656 wrote to memory of 4872	3656	chrome.exe	99
PID 3656 wrote to memory of 4872	3656	chrome.exe	99

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Users\Admin\AppData\Local\Temp\2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-03-26_6909e9386a890eab1b58e7b9dc5339a1_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d8,0x2dc,0x2e8,0x2e4,0x2ec,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3656
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffc66f9758,0x7fffc66f9768,0x7fffc66f9778
    3⤵
    PID:1244
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1656 --field-trial-handle=1884,i,15033029029737650115,12915854612730943232,131072 /prefetch:2
    3⤵
    PID:776
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1884,i,15033029029737650115,12915854612730943232,131072 /prefetch:8
    3⤵
    PID:2028
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2140 --field-trial-handle=1884,i,15033029029737650115,12915854612730943232,131072 /prefetch:8
    3⤵
    PID:4872
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1884,i,15033029029737650115,12915854612730943232,131072 /prefetch:1
    3⤵
    PID:3604
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3188 --field-trial-handle=1884,i,15033029029737650115,12915854612730943232,131072 /prefetch:1
    3⤵
    PID:4408
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4596 --field-trial-handle=1884,i,15033029029737650115,12915854612730943232,131072 /prefetch:1
    3⤵
    PID:1544
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4988 --field-trial-handle=1884,i,15033029029737650115,12915854612730943232,131072 /prefetch:8
    3⤵
    PID:5312
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 --field-trial-handle=1884,i,15033029029737650115,12915854612730943232,131072 /prefetch:8
    3⤵
    PID:5636
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:6128
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff647f57688,0x7ff647f57698,0x7ff647f576a8
      4⤵
      PID:5564
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      PID:5948
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff647f57688,0x7ff647f57698,0x7ff647f576a8
        5⤵
        
        PID:5808
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5616 --field-trial-handle=1884,i,15033029029737650115,12915854612730943232,131072 /prefetch:8
    3⤵
    PID:5412
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4964 --field-trial-handle=1884,i,15033029029737650115,12915854612730943232,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5612

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4308

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:492

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1680

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2940

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4224

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4772

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:684

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2372

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4280

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4800

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3528

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3416

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:752

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5168

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5220

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5580

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5708

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5788

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5840

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5904

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5980

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:6084

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5040
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1456
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
b0f6ab324095c4d091821ec96ffacccf

SHA1
73437fece7e29a0677c426086fe1aab82dbbd911

SHA256
fe9040ca19865b7153ccd9071d32ef940149df66dd6c88f578f43ac53408dafd

SHA512
ea8dbf961449f81980745eb869ffebd59681395c03dc7b9e07394a51eb40def3d38bb20761b9ae9864ae3acae3302f344eaf1a2144b8e5420698237cdd0f3984

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.5MB

MD5
6d7699d9804c348146bffd488aa4d6c0

SHA1
80a3e605d5ab5f1ef58c74b7622e0b094aa1ac22

SHA256
5790d1559bb7512f1afd1dea1b261fd79bddd3ac61aa08cca98714399055133a

SHA512
7f248b7fa4064d242f5d99ee3871506e733f98f8b292d2c149797cd49ae45672d7a9ceca1dbfe39ac62250b5d531fb1b6790ec73ecdf58d66f012681f175f807

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
878dd739dc304cf06fbd895b6a22626d

SHA1
46dea26db9a7eb313d9bdae5c263a7a6b55aa066

SHA256
8ca7ca06768f4bfde8d11215aa72b63bbf27020152d7cd75bafa056066e6115f

SHA512
439d8d539705670221b7abeddb4bef4aa128faa2315c0a1d53beba0acc3638b3921fd64a6020b4965d96aba2b3bedac96f0eac9d286a908a8cb5dba58bc7cd70

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
05d86cb90d69cca2e74d657fe468143a

SHA1
e149532de1bbe28deae3390bbf1b24e178b52701

SHA256
4700e838cb35d34dbd72f15b4c6b0941c77e2731374b66abf74e6efac8b0d843

SHA512
c9912a42f594e4a539c322cf63190f532e8579977e1d81f40ff88d602efbd5055d7d1a81ef68d6fc4c933c60ff80b71d8ca6a7cb6b0cb591fe67b18d9d3c71a5

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
4997186b1508033982f4ab8699914764

SHA1
1fa37f62d87245d3533331da7a430b9435f56645

SHA256
2c5533f73b0755dfb9702d871a7d467c19ebe8d8fac5e7aa98f3dc80a6e55a08

SHA512
c498cc6c9147345dbbf938849ef5121e2d98a70dce990186e11767bb7b93a1eafa6b812c7e5761d44559dbc7fba58fb510c51b6f4c01f1c946683d199c96090e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.3MB

MD5
3d11b2178858c2e7d8234edd425855a9

SHA1
bff1621c8138a7de2415be682a1120483cf02c52

SHA256
2db85add8d2ce79aecb553c7ebcd74d18d85b93f22160f3ddd692b3e7d5741e6

SHA512
27d5cb568c7d41c247afde5b4ae508c8e6081ed225a0f849b03d3a59c86978d22b9cf689a3071b2cee34642c67aa8e702234a6e2eb21fabe025a000484ca91e0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
3d6f9f2e834c5845cda8e6e639a3b41e

SHA1
0c1f1eecba3d6bb174da3abe044c9a4ff45dd8cf

SHA256
3ea5bf1bbd583b74190eb4e747488541fb9278efe62460b33dbf080e05c6510d

SHA512
9e989560abf01a8b251c7a6a416ecfd805880287aa67bac3600bd29397d5ef23e1b8bc5ca188501d360b2fddd3f6cfb425b64acf72f1a0bd7f034b7f6a0bfcff

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
1.9MB

MD5
28a428269c9f7e187e74a6c5a5d68423

SHA1
d2cc2c62ce98b6e6d8a2f3b14aafbfe8c695c5a3

SHA256
d8b28e1cf60fcd4c993962020f6a204c8c1aedf9a1fc62c2047251ae246ac8c4

SHA512
dc3847e6f57243b9a287de48dbde307e6d49f3543ac69350b82b1b2c1eea52a2ec5c8344e91d141ce5bc5e1a6ad45d9d0e77ee50cf9f27d49e4962caea7822e5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
f3a552a88e0dc87675a75b68e5cec666

SHA1
50fb6d4db9911bcd88881370a7564696f469e304

SHA256
3a28bcc033bae3b8a86c82f7d2acf26564aa66cc82574bd51925de19e8a3f7f2

SHA512
bdaa2a254a4a0df2bb4fd2512dd4cb3ac215f4f4e8e1533d3df80b11dfbfab2c8ad11d2c71cff4f166d831c8ef9030ba92066108b512e624ed6b8d4a3c18380d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
1.7MB

MD5
9f7afad99cc3cf639eb9c80b1f21e7de

SHA1
d1110462d46deef85225aeeea7b4db1051194304

SHA256
aef180552fdb07f85b01e4683727851381023f4bd90f310d9cb16823c1ec97c6

SHA512
3fc5cefb74ca24eeb5cb94ffb92f146c8a15dd394e91bad96807081853833e6b412b8ce7934eaddc1f66a175d0ad48157dc1060dbe829268829ff534bb1b8950

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.1MB

MD5
2ce6ca6412eef0efb952b602672fae64

SHA1
522a4dc66ad81f5f6c0a44a08cd30bd00d81bc88

SHA256
75f0a41c1d27c3ea3d290ed2bada88ecab08126e236223b03108490c5ca78a1e

SHA512
8cb9fe6463ef54b703d1f277c42e55ae771acf81422b56f463d87ebe8d71307fb92276d81461543e7d11d24e116414217736a0cc430dbcf1d3888850ef81f1f3

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
7e45173e1a609f4a3a1f9c6fd57bb5e9

SHA1
4d358cc1532d10d25947b3dca8e0f55f46344e98

SHA256
365f51f7e65a2b9fc7755bd5d11a230b890ce2f82a75f0fd534f9e2c2532a6ca

SHA512
f8e899eece2e60b919970e448e78fde649ac647707a480caa2d4d9c7f164b2537b244db20ba74d3f387bdfd7a4681af69c80a76f587d89249b5d2527e5d6d4fb

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
896KB

MD5
7d88709c5f6c39e37bc4f28d3aea77b4

SHA1
e042458302f1fa2e54d33f89868fa32bd8d2f43e

SHA256
6dd758f2e1142c5ac95cd620acb8380532a7a595a8c5a6b6062ff679a6267a19

SHA512
5512cc4a68b70542f1e760665ade21e18350bb633da9b092f3860b06afa9068d3b318da039ce3bf2fc389c02fc95a79d1272268ffd2558e0c3b95f3f7fc8ccd9

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.4MB

MD5
8f6f30214093183cc99e063085e891e0

SHA1
2f7cf626983df34e25c596aa37a8a45d5ed1810c

SHA256
4211f850c8cef8261a9f51945d0804bd51277f6e10ef92e6428184d7bca97efd

SHA512
3810520b0bc23c8ccec383aa7ba23354346d7e6569f423b606ec15835f64c3253d77d85aaf9cd33ae8a2a3e0f258ddb2acdf617a5d466e22f3ea486114430b61

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
1.4MB

MD5
d956ed92664a56a846de54d67746be6c

SHA1
9d4fb17c6368aeb37861d16b88400606522af029

SHA256
ffd959efeb56b0f1ee261deaf8059414429fa14516cd11825d19eefa9758ca5a

SHA512
6f53316c90372f57249c8ae297cc2dfe915aafa12811eb0089776713dfd34a91e0c836210729ab3d509c1affcde7b6f95fea4b1da98a7a2f059137dc5253eeae

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
1.4MB

MD5
c11c5cf52c0faff5ef67eb338b0592e1

SHA1
e921f966446523bd56a7d4d8b9bbe3bd0d93e445

SHA256
76f96b223a9dc5baa72b39f1662cf3129dc79b4fe5f477535b877133e33a0197

SHA512
024331f71c0cd928cc40048f6a9eefeb98f67515366d19bba47768eb02227f4be36ee0da938890db6c3ffbeb0e3b84003e27825ad5a39905c613ea373ef1fa3c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
192KB

MD5
2a7dd6e668f90203f4b7e35dae04373e

SHA1
62b2fba931fb454d38fa64bf09a022dd7523444b

SHA256
c9bd160d89b3dcf49af817b230408bb96f333d82bc46e6af09a49c78b3359739

SHA512
22f00605c7966204f7d52651f60242fedbc4fc9e00984035f9596bb72a00cec837b76546f2ca685c484b60bd47a9d463ed7c8d361bec3e7d47739ac4cb1a344b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
1.4MB

MD5
33694863804227306bae8fd0e92dec58

SHA1
76108a05d2b85d95beee282751339e7147f9fcef

SHA256
49f563819f67c9346625e46e8d1ea929710b4822e788b086d4541c636dcf55f9

SHA512
5755e971755c7bdaa7714ecf1946fb1c10d791071aa3553b197de9d02dc5881004afae1b54bef012cf9368bef7d54f1f0ac9fd90269cce772f3054dab854b897

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.3MB

MD5
1b6b3c1a1e3ff9ee858d0acc8b0f8203

SHA1
aee95ee1fb85377ae418c8ee47e4b8a604fb1c7f

SHA256
264af76085401b655cd757c4ad9cd00756294ac3414c73e38883b28a132bad17

SHA512
9d6638a1451439e33d876e05e1609a18e27afcfbd3c7498c38accf486330be77f354ffbc5b85d5e737c1d553d9ad07087b4e20984c53a0ad96abeec524598e5f

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\20240326053805.pma

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
640KB

MD5
cb0b5973f6e05c378bc4709bed4f0db5

SHA1
55d55f23631b096acb165592dc7de0b69821c7d4

SHA256
10d6bb669732123a3ff3dd9ca8e50715e7eb1bd03409bf97695fe8fb8ebe5641

SHA512
0dca757473941611ae6ce5b2b4d1f44789a14eff9f78c1d957806c9ca8eda5ff6e92101fd554c94d19c13378a971afb0b2265d4986ec77d431a4ee625678a8b3

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
b46f7ae1655e0a5c2a784358bc431e35

SHA1
dbdc9df0c892611abca103dd0522882fab336900

SHA256
8e317da736e579d3ebee793c372a72851fa95183ba8cca568d4df8c5589ca2c9

SHA512
4422f62f89605daf62b83055003de1cc190b4f5c96b28983b736574c53acd2bba3166315edc34ffec55a3dd7b12870684288164357c1d92632c1e74ab5399922

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
b62bed683333c7edb7d5b79c0fbf60a8

SHA1
3b4e051242caf8004a764eacd9c858dc50800a71

SHA256
f432b78c2fc0866a3535b5665f40f99cbc16f7f5281806d9c341ed746b44065a

SHA512
037c581bc43bec68e622d5c82feec9594debc5cc10b6d7e3eb4c5a68a97b2b4533782a14355402d894b0d8fe9c840eb33ef786b7549cec0b30c265f29a9af9b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
306b7fde02a9a300b5f28af3539f45bc

SHA1
d6fa4bd947e277da6b61e007278984f22e1d0de4

SHA256
394018f53f5e661910da26dd55ef98921cea33507b3ba1519d1d8e8d021e260a

SHA512
173467ebb6b2886dfa0e52fdd8acdd34dbc33f618e35234bf4b97a1d0050d04c5bbc2f3681004e97b0843409a238913ce5dd5a408dd5806713d9348cd42d9890

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
40de12f5ff691caecb82c86d84183b19

SHA1
ecc52f4459cf4d2c9cafd75e4b623ffbf7094db9

SHA256
1426557c4883543cd1a09533a20c044eb9b29491879d9a53a020ddda8c7bb16c

SHA512
6f7fe8e6387fb3ed5a18eed8a4c309e993980242162851dfb22ef66f28c1533178a851de2dd7e3a60f78e4e6b12ced10cdb3a3c4808bfef976a9bf00e4e86319

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
4918d4a7c9ece540f116fc98589a654b

SHA1
515a3c5847406038dba0c82902e0cf5438d9b34a

SHA256
2cf9bd308471d52227ad6261a2d477680eb84d427e58c5af97d918706445ae3f

SHA512
91b7d239f4edafe012cd1d5eb420608e00efd0f5ef5adca5a8e174ab51fd52469e11bd6c01e1c6114fec6e0b6eb07ec5b892d08d9a76a26b426fe71d33358fea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
372d7dd0130e4402e0868ea74ef905a9

SHA1
46b64e6ae033d0267e248b4a98403b0bb7b874a5

SHA256
507666fb258b7b37ab8c1a534aa100897c74a55b6626fa15e978d9fc325eafa9

SHA512
c76f2c922aa81b6eeed604f93347680c17c9f7bd5d5fcfc0a4469acb6282a0eeb01f1aee4a12d9582c4b607253c02253ee8681cfabf1a96b223adfe7034f00a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
82913a533bed84ed0f88fa05d64e3c8a

SHA1
569ee7b8ea13c8ebba7200ea2c3b353ede520e70

SHA256
b345016c7a68eaaee56cc0f8b8b0622a20f8fa56b44d44b9496178eba46ef351

SHA512
f5ccdb987a7e06abe51a1efc843dac88f55879c077556ed55e447b18a16a16933851fdffd6115205789adc643cb022998ef75ade3b2a32b095034be44169637d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
3b84584f3e5498e16c348010ae8ab855

SHA1
39ab2b534dda478aee2e7a838b75086f3955d2a4

SHA256
fde91b7d0eec0e7f7625d1a9977b30d8720856aba372bc12951dbd06387b991a

SHA512
d23d4193af290b2232f1e996efcce7d16dd389718d7d25624c22f08a1c7783ff48d45594f3293c2e5eb91737de8c4f226fd6df83917f24083ca2f9b23f40c71c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5790f5.TMP

Filesize
2KB

MD5
3c9afd3b143ff5816655b62cb76c71c5

SHA1
6486ff43edbf73818d5b897644e7ff2a72068d7c

SHA256
01e17964de0218e3345fd39a4706b3936e12f06af8b22969bf169add36513fc2

SHA512
5a672d116ed4eff2dbd167b41688c8790bda7cb4178069640ac4ea115452a737a3deca865347f938b40d0ea5fd5d72ad2eb7aaa4a8e846636377fd07b400b251

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
400ff0335eb2b8dac7995cf7fd98ee1c

SHA1
bd4c406e36c1e8996f842666dfd89e34a9bed785

SHA256
5c5be4223a1c6538e2225cf7f24e6b5389796362495dbfd9ef04284d967eced0

SHA512
da503a884bd4857e5530e4c25bbed60a6e25ae91190dbe40a75c3e74263ff0655c2846f8ddc33b71998625304089b2f560cdae05c1464c0fa7df8e2e72974cfc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
258KB

MD5
a94839961a3fa27eb5dc52092fb6b995

SHA1
60b899dcbfb3de0ea3746e15e11287311346ce37

SHA256
16841d5388c9a898855fc5397b946bff1894f657e223db545c34040f2588cd69

SHA512
f0d8c19c62d037a41f36178c9d26bb34d3169161d1ffabca001da58f69bece3390bccefeb54f4f0d3f6a071017fcc35a6c9fda777ab1519627b3f9e176f49c0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
2bcb74c6cab4ba0df9bc86ae61587051

SHA1
2d07089b9130c5d8725d2ea2dc50fda1a09396bb

SHA256
7e8c8aa9fa618397f1afd292f089bc04feb1103bd276aa56e49a1d7c20f0e31e

SHA512
c60df588ede0f15c8620781aad3cfe3b12b64c9281119499eb79aa81f46f7556d5b706c635ecc7faece09cb7c9734387453654ea8a66dffbfd23a179561a00fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
5e82c6d8aec198ccbf3abe80bae75189

SHA1
b08218113310a09c0989884337d1f9b03190a8e0

SHA256
a7f3dd85e612af6537f3b1c908fb7c45c1bbf875637fd9065893074ec12f2273

SHA512
6368def377e25fc86e223475c6d0f2bce65e419e93b96a3eb0c5e265e9c1cf2a9e9d2e97140046451c0704e93e971312722f767c316631be20f486cd935aac38

Download Submit
C:\Users\Admin\AppData\Roaming\1fc6e92f990ca9c2.bin

Filesize
12KB

MD5
e8a7372cd33423a3adc7335a649b8ed1

SHA1
c48eb350e4cc49ff418ac5bb9b5d66f9728c5b48

SHA256
549f0d2037cc9b96161e624ceb7e567d56b052308f77be069e57f84c9f47314c

SHA512
69250cf5a89fe04e0abbb0f0fb35ba083b5fed4d0315a0f8a580008ac2e7905ae51c14ef8610c6ae240d4d5310fa98a8a3291b56e48d653bad49ae63a3c9cbdd

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.3MB

MD5
7e998e60baa73660817632ead7cabb02

SHA1
2149eb21e598939d7dbad5a13fd5d02a53cb0af2

SHA256
339ade3f5143c7ef258cec5528c2dcbcf1eac2c4b67b189754d7073444977106

SHA512
0c164b3304b88b470a197e3564a6526661d2539866e9f24175e7fc0c5c1159f810011fc1ebe5f17e468aaa202cfdf0d289250e8b387f6195b0ae278bd73f2e29

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
4133b6eaf962e8ea12d4440317444fc3

SHA1
a3bb41b816834fcb7465ecd9ac04d4df5900dc04

SHA256
e4b6ecb2e42ebb8fea9a4f41d4b29aa3346bcc9752e6b8ebeaf8ec7606f21031

SHA512
f5649214b1207cacfe81b5e3c5d9450dd1c5a53aa48b7b3b5cf2a72bb00559b7d874f93971d006e5c3e1bc4347e42ca3db0661fc519f0124e9c9fe6225d707b3

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
2d763c5c6327bd5ca8da8242bea5ac47

SHA1
4e01ab69c4ba6a4f9efba7170a98a79bbb7ebe2d

SHA256
90468682309f125258c0a6f06be20a2f90e4e6e1707bf6075137ec42d1719b55

SHA512
1bb4539c2e7394aefa2c3133ce51594b5e2912eb4d31c1abe215fb9721b6c7ec376b6e54b019a57fb280d28fb4443cb9145958c18e14e668d1b78f393c5548f3

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
384KB

MD5
ea0c0db35b2b27bed03fe9f622981e52

SHA1
bccf7ec21762d21e57bd7a8815bdd0b86b151414

SHA256
4e1381b9a2e0b13dd09e859c1ba5074c1fa89541491d5de4ffae429ece682d11

SHA512
c3c4d7e511b23391bea31c6c7e2f2845d9959b2b0e3ec0aa165b3083d4872a88fd6d09ee3ec1413ba87798e9a7984608edd39f56f1143bb31b50cca4085752e6

Download Submit
C:\Windows\System32\Locator.exe

Filesize
832KB

MD5
b65cb8cb1e0502e28e7852c89a4c8b1a

SHA1
f400377d18d07c235a41aebf039c4287a739fada

SHA256
1e928e59d4fe4ac4f0e154c6e0859adb1158c5340d40f36f7daa3f11ee13625e

SHA512
6d677ba4c6e962bb0bbfd44c2aa591bef666d5d17864bfd107ed6d264954ec5ff32b932786807eb28f64839b62dab96d1373b8d01ad110e12ac4e17411638448

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1024KB

MD5
fb2373fd4e45af887cca5759bf9f8fcf

SHA1
fa03db769943a453343ec46cbd55e701f6d75539

SHA256
e254191f6e63ed2f7eba6aae15f119008b91e90d4447c7d535919376efb7eda9

SHA512
81b61a85f74f75f0064a1ac655a06df224b7ee6aad98c1ec867e44c4d2d688d9fc11e4cbd9ef0421914aa383c9832c8ba31e04cfed8f098a8412221d08993509

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
768KB

MD5
8a21bc17c3cb88827339cea6b0660cf5

SHA1
28218ca5806f00aab9fd9c4791cce062c8f2bdc9

SHA256
f66a9dd14f14c001ec698f976917e8ba20dff847805ef3dcf67a30b4583a2945

SHA512
d5d9b0762daa96318bba1cabd97da0e2368249fe4486bcefc09c49deb2e99ea4b0e0b2a024e0990972bbff59988691e6133ce90d01d34d063fb8805c9be83f6a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.4MB

MD5
6ed83695e40538e9cda16c154d5c84eb

SHA1
28958c5af207cedec6275ead080cae97992f63a1

SHA256
c0b6ec8f2142177de3ae3c9b0fd76a713e1cb9cca1d9ea04ea1e5b7f6119cf10

SHA512
498482a3aec490769e1c4ce48938f07c4e22807ad4d515de7157709df54db5f15701eadbd9eb77290c4bfe28b59a79a860e182e3fb6725f0260edb288f828622

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
768KB

MD5
29012e01351ec897a2d19f7dc544c989

SHA1
d1396cae6b8b699024715dfad675ea15dc9d9073

SHA256
7917ce265a09045c9010bc0c2fa0ae2e5f725a5df87bf61eb5c093b2c86bdae0

SHA512
643360da59d6ddb99803d600b24b40006e62ac1bea876fb0ed5b5855b249a43e28554a71226df6283ccf40702ce8f8502f65ef1fe733bed9b815445da4163047

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
448KB

MD5
0b38e3e06f7a8316a33d27aa9be04d14

SHA1
28f8879bcad75184a1b566ce2077f627b9264006

SHA256
e8c60baaa158769ed7c2325c9e5935cd71e9955c7b0e09cafe0a2fb3533ccb4e

SHA512
0f4800749876aecf620c24cfd1a12e5fc82c6dbefb6ca368a2aa9a6f40df693cdeefab9ed46d18020dec42ce54c270d0d46ea8fe2d60a8325e1712f2b3ee3a2c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
187a6b81ee04d636be9f295493daf22f

SHA1
28e50c9e783a7483df4394873cddf996615b4a15

SHA256
cd927df6a4c29f8e7214d9307b727fbf700573de094a529eb2a7607f14f3c360

SHA512
64624b0a661dcb6975b3a0566f4e3bf5e57186e22c0f6b05a86d0f48109faa472a61bd1f9c79751ec8238e1c4df894a0064cb70706b195d8fa89e776ca839c00

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
826c50c62ac4f2a4bdfe20c0d0096572

SHA1
d71106de7fd99cde6a712e03efd381646cc4324b

SHA256
8d506602aa053fd493d35c7e256f47805634692dcefcc95d203ece6f05f155a0

SHA512
8146d5b4fd077304e61f8f8d73d1e46930c033c95f10d99a19ab4f05087c7e004a8f3d6504bc174718e9dcb55d59d5a5c9cafababdec83a10f3a65e918cf34ce

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.6MB

MD5
bcb2117ae8e32747f3cd2215310ee80c

SHA1
da3b4697acd2d0e93d6b381aa11b15cfd0b73c87

SHA256
1816adae4fadb5b569dbff30bf2010672d93662994e1edbe885bfd54aac3236c

SHA512
493e803b138e0a641d7c177e3630e39d6bc0a7a2dab7a291a12c9d766c540b35da22bacc7f764c25a3f04da4e4c3a80450019cb8e0bbc25b4fa11137119fc508

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
1.8MB

MD5
2087bff06d7831664f875da06b357487

SHA1
9a7ec18c5ef27e45a27bfad8a00aebd4e59adbef

SHA256
a4a268c0eb14ddbc495dfefe4a85035d7e76a323e94f3a6e0e56d225cfeebef5

SHA512
89a1cab6e7281821daa54d6c3c9670044b848ad66ea25a4c6160efcae4af08459b07e64d25f6bc71840d3c3f67283222a077f04a01f72da9eb1ee08457ddf78f

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.4MB

MD5
e9d5eedf96a97e526bf8fd6960f3d4ff

SHA1
19ea270ed7445ae573b5b958f36cde9b3e1023ac

SHA256
f0e940558a4f0c19b7780fdfa2051efa0fba11cf7bcd0d33ae60b90a22aaa960

SHA512
9579205f5fc4dd5fe2f9fc05cc02fa63096fb00441076f4666ce5a96f14c19bb2607c71a9af35a92726fe20eef3e2cd30e9f6e0c7a7abe0d5958140d2211c6a5

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
6ea41c57a725bf6d156a3147476fa4e6

SHA1
34f7c40fdcb5cfe2cc58a01adea50e353e3d3f80

SHA256
ded5b34180bddfc7ad8c3f8737a3d63c88eb197d629ce763efe19620caf5dc27

SHA512
cbd47746130a84ac24b4cd53b16bc67729a76ea66278d77a8851b7f2ae3d3048093ec9dcbce1af2010d95e5879b405a533bfdd765f338d2522cd8ee0d666ee77

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.3MB

MD5
f8a96c41b4876b3fb3706e1fde1c8a15

SHA1
9c7be3a25a1ccc92f94fed846eba48f930511b48

SHA256
94e7a0b0720628eaf0d3c3ec27192ef7abc8531ca866545cfed68b0473e186bf

SHA512
c6ac27a1fe6f4258620a6ed3b45cf467ea2117882acb8676f83a66ba82e591aab7ee1780bab59b486b02bf49666aea687e14a2e5dd2d27705735d15d77327bb6

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
1ef2d8e1b0f5988761f43a74b5b9b2b4

SHA1
2018d7d79866f57cdc61826667031ce452250435

SHA256
cdc2a456fbbf1089bf2c6149c8f9ce8ba4ee38ff9ab8eaad0a0ac60f2147844f

SHA512
54b3d8261201d179b12fb45472f3da715b5ee06cea187bf19f09150bf5ae97c212f31705e8a800b70d3e23de206346546d028ba1242a93cb520bb90b0e467820

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
960KB

MD5
ea6830aa6fb674fde3f29257c5877b2a

SHA1
1daaefd925b5073bc5bd521e2ee635d61bd58c4b

SHA256
7eb87bdd5aa584e9a3c7ee6a8ecc2898957bba50fe66b575a3c2ec2353af3665

SHA512
5d867c402285ec3efa6a0d11b1f940e10d277f15015320ae23b6c7f0879865458341e8c86a615ce9bc344f76a29b25f99eb2ac476de3ed77f549517e8e46836c

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
960KB

MD5
fab6c472c562eb51b149e345e46b8b03

SHA1
ab4585927ac4a00eb37b28a71b508af4dc944b7a

SHA256
7ad4c215e1328c853a09e8db69319f570e1c7ed2edbfbe2a6db38d25648761eb

SHA512
7cd2a7a034d1cd5c5a01628d641e673eb1a4272c8ee9735a45436641ca7677b38ab30b247c056703f50bdf73775a6f985038c9df3087923eecb8b95f4d404a4c

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
e7e897e9c5de9ec18d6ff66635a8d992

SHA1
4b3a28993aa90d730936382cb819d73715330cf2

SHA256
6f2fd9563198f942cb53791d427a0b2cb473925d389f3fffeba4dc20bed41f8c

SHA512
80977ce58f99749377120a1d9f120779584abcdecb66faf9665b4cd95f6e8172d22128149375df9d68406da335a908096b0ce962e6d713d395f862600c49decd

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
18b07fae443b95c1d9163eeb79642d85

SHA1
6b85d5ec342ba2c4a05549f1d84379d408fc8438

SHA256
8e2b69e07c29fdaa8766feb78deabf2f9e4b4e198e351ff2e272749437e053ec

SHA512
39a7018ac6675a5c691e61d8884c50a88d9168b26ffe1586b5e41903706140a9c1c03023259d1271bbc2f9faef5d5a4d9f006d370716e81fe025fe306bddfb15

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.6MB

MD5
b3eed23d8612e38c628e0e45762ed434

SHA1
11fd4ab9909a75b6f53b85f9cec1b2d2c6e02cf4

SHA256
647abe404872d3c899dc1be07e39f78467dba14c8c81235c52dc0731bec6f86c

SHA512
a9f408e143a839e5dfe7f79c3ae065fb51947a6ede255b9df99fb66bbe233aeaf99cef02f67e3f56fb9a772174c1ba586d06e02ed12ad91620c98d7ceabd9d01

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
cd986a2e5ed10a5cc8f522fdf960c5e9

SHA1
b9707a78e9693db8dccf9b4989689ca37dc738b9

SHA256
230dd747f83442fdf7cfe223c37a19f1fd087faa6ea19f564058471c5a0c70bb

SHA512
3dc716e49fbe66d719b72a9186e9ff2b115d26f57cc18d05b19c7e0f678bc4de78401974b4fc9d0740bf21913689d6c8e250b7afd28d6f21f32f9677b2905a92

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
89bcba43f54fa1d370705e91471514cc

SHA1
2378ccb6c026383839da161d9b89fd61d5ecf3fa

SHA256
2f0bbf5de3e8ca3d1d6817b7c4adfb6936d6b2b54e99b1ee8468b53821107b56

SHA512
de7df7253271190c72212085d992b6bfdbf230ef0b7075498e43dd293167a063d553a22e11850f168d652c02a738a9846654b8f25ee690c9d8e8f555c077e2f4

Download Submit
C:\odt\office2016setup.exe

Filesize
1.5MB

MD5
9a42540b84ad87331720190ac74bbbde

SHA1
b58be499203d0d35f5e009673a8cfc465c94ec73

SHA256
e695a633ba94a59a9dc6eaf1c8007d568744c3fe65bd48dffe3b84835cd1aab7

SHA512
51d7dc8c7ce1ce697cfcab8fcbaa72b64308c5479d8200ad73f1482598cf6e741a8d184bc4d4555dc92c8299da0228208d62a0629e476a9dab761b2d75492c39

Download Submit
memory/684-92-0x0000000140000000-0x000000014023B000-memory.dmp

Filesize
2.2MB

Download
memory/684-102-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/684-106-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/684-108-0x0000000140000000-0x000000014023B000-memory.dmp

Filesize
2.2MB

Download
memory/684-93-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/752-412-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/752-454-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/752-158-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1680-44-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1680-33-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1680-128-0x0000000140000000-0x000000014021A000-memory.dmp

Filesize
2.1MB

Download
memory/1680-40-0x0000000140000000-0x000000014021A000-memory.dmp

Filesize
2.1MB

Download
memory/2372-112-0x0000000140000000-0x000000014022A000-memory.dmp

Filesize
2.2MB

Download
memory/2524-0-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/2524-2-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2524-26-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/2524-30-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2524-8-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/2524-7-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/2880-547-0x00000288569C0000-0x00000288569D0000-memory.dmp

Filesize
64KB

Download
memory/2880-523-0x0000028857860000-0x0000028857892000-memory.dmp

Filesize
200KB

Download
memory/2880-486-0x00000288569C0000-0x00000288569D0000-memory.dmp

Filesize
64KB

Download
memory/2880-529-0x00000288569C0000-0x00000288569D0000-memory.dmp

Filesize
64KB

Download
memory/2880-526-0x0000028857860000-0x0000028857892000-memory.dmp

Filesize
200KB

Download
memory/2880-522-0x00000288569C0000-0x00000288569D0000-memory.dmp

Filesize
64KB

Download
memory/2880-534-0x00000288569C0000-0x00000288569D0000-memory.dmp

Filesize
64KB

Download
memory/2880-535-0x0000028857F80000-0x0000028857F90000-memory.dmp

Filesize
64KB

Download
memory/2880-542-0x00000288569C0000-0x00000288569D0000-memory.dmp

Filesize
64KB

Download
memory/2880-488-0x00000288575F0000-0x0000028857600000-memory.dmp

Filesize
64KB

Download
memory/2880-487-0x00000288575F0000-0x0000028857600000-memory.dmp

Filesize
64KB

Download
memory/2880-475-0x00000288569E0000-0x00000288569F0000-memory.dmp

Filesize
64KB

Download
memory/2880-474-0x00000288569C0000-0x00000288569D0000-memory.dmp

Filesize
64KB

Download
memory/2880-468-0x00000288569D0000-0x00000288569E0000-memory.dmp

Filesize
64KB

Download
memory/2880-467-0x00000288569C0000-0x00000288569D0000-memory.dmp

Filesize
64KB

Download
memory/2880-525-0x0000028857860000-0x0000028857892000-memory.dmp

Filesize
200KB

Download
memory/2940-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2940-63-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3064-110-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3064-11-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/3064-13-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3064-19-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/3416-155-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/3528-152-0x00000000006E0000-0x0000000000746000-memory.dmp

Filesize
408KB

Download
memory/3528-143-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/3528-204-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4224-98-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/4224-101-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4224-49-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/4224-52-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4224-60-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/4280-120-0x0000000140000000-0x0000000140240000-memory.dmp

Filesize
2.2MB

Download
memory/4280-174-0x0000000140000000-0x0000000140240000-memory.dmp

Filesize
2.2MB

Download
memory/4280-115-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4280-126-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4308-22-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/4308-118-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/4772-150-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4772-66-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4772-68-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4772-82-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4800-133-0x0000000140000000-0x000000014021C000-memory.dmp

Filesize
2.1MB

Download
memory/4800-188-0x0000000140000000-0x000000014021C000-memory.dmp

Filesize
2.1MB

Download
memory/4800-131-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/4800-140-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/5040-228-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5040-505-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5168-163-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/5220-167-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5220-175-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/5220-464-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5484-190-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/5484-182-0x0000000140000000-0x0000000140273000-memory.dmp

Filesize
2.4MB

Download
memory/5484-473-0x0000000140000000-0x0000000140273000-memory.dmp

Filesize
2.4MB

Download
memory/5708-199-0x0000000140000000-0x0000000140253000-memory.dmp

Filesize
2.3MB

Download
memory/5788-197-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5840-205-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5904-206-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5904-502-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5980-208-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5980-503-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/6084-227-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download