51881e4a209706b956d206d782d90cb61df2e46066924966c1eab19141334a21

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240319-en
resource tags

arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
submitted
05/04/2024, 01:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
Size

5.5MB
MD5

cef5919cc14077d9c6cb24fcf8cbdc82
SHA1

bc8ce11f4ab1b3dfb60f259a8edf351ce26d445c
SHA256

51881e4a209706b956d206d782d90cb61df2e46066924966c1eab19141334a21
SHA512

4d444d27f533ac4fa6b99b81efebdbe1ee325f7a6e2df26313972cd33202bd6213c20a36a566e1ba53ed1795343e85b0819f6311da9d34106916103ef132f9a6
SSDEEP

49152:tEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfG:RAI5pAdVJn9tbnR1VgBVmFlpmA9b

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3088	alg.exe
1340	DiagnosticsHub.StandardCollector.Service.exe
1924	fxssvc.exe
4652	elevation_service.exe
1936	elevation_service.exe
4460	maintenanceservice.exe
4496	msdtc.exe
400	OSE.EXE
5252	PerceptionSimulationService.exe
5548	perfhost.exe
5748	locator.exe
5800	SensorDataService.exe
5904	snmptrap.exe
5972	spectrum.exe
2656	ssh-agent.exe
5568	TieringEngineService.exe
5788	AgentService.exe
5544	vds.exe
5928	vssvc.exe
6048	wbengine.exe
5792	WmiApSrv.exe
5560	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\cc3843de4ab059c5.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_135953\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{E620FD1D-1243-4CA9-AB2B-6C02435E0E01}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000071dbf7bcf886da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133567541689786907"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000005294bef886da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003f5f9cbdf886da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000051d938bff886da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000548a27bdf886da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000130586bef886da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000038fd7abdf886da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
2076	chrome.exe
2076	chrome.exe
5096	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
5096	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
5096	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
5096	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
5096	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
5096	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
5096	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
5096	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
5096	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
5096	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
5096	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
5096	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
5096	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
5096	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
5096	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
5096	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
5096	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
5096	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
5096	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
5096	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
5096	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
5096	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
5096	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
5096	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
5096	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
5096	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
5096	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
5096	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
5096	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
5096	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
5096	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
5096	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
5096	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
5096	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
5096	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
2076	chrome.exe
2076	chrome.exe
1340	DiagnosticsHub.StandardCollector.Service.exe
1340	DiagnosticsHub.StandardCollector.Service.exe
1340	DiagnosticsHub.StandardCollector.Service.exe
1340	DiagnosticsHub.StandardCollector.Service.exe
1340	DiagnosticsHub.StandardCollector.Service.exe
1340	DiagnosticsHub.StandardCollector.Service.exe
1340	DiagnosticsHub.StandardCollector.Service.exe
6984	chrome.exe
6984	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3404	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
Token: SeAuditPrivilege	1924	fxssvc.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeRestorePrivilege	5568	TieringEngineService.exe
Token: SeManageVolumePrivilege	5568	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5788	AgentService.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeBackupPrivilege	5928	vssvc.exe
Token: SeRestorePrivilege	5928	vssvc.exe
Token: SeAuditPrivilege	5928	vssvc.exe
Token: SeBackupPrivilege	6048	wbengine.exe
Token: SeRestorePrivilege	6048	wbengine.exe
Token: SeSecurityPrivilege	6048	wbengine.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: 33	5560	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5560	SearchIndexer.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3404 wrote to memory of 5096	3404	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe	94
PID 3404 wrote to memory of 5096	3404	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe	94
PID 3404 wrote to memory of 2076	3404	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe	97
PID 3404 wrote to memory of 2076	3404	2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe	97
PID 2076 wrote to memory of 220	2076	chrome.exe	98
PID 2076 wrote to memory of 220	2076	chrome.exe	98
PID 2076 wrote to memory of 5048	2076	chrome.exe	106
PID 2076 wrote to memory of 5048	2076	chrome.exe	106
PID 2076 wrote to memory of 5048	2076	chrome.exe	106
PID 2076 wrote to memory of 5048	2076	chrome.exe	106
PID 2076 wrote to memory of 5048	2076	chrome.exe	106
PID 2076 wrote to memory of 5048	2076	chrome.exe	106
PID 2076 wrote to memory of 5048	2076	chrome.exe	106
PID 2076 wrote to memory of 5048	2076	chrome.exe	106
PID 2076 wrote to memory of 5048	2076	chrome.exe	106
PID 2076 wrote to memory of 5048	2076	chrome.exe	106
PID 2076 wrote to memory of 5048	2076	chrome.exe	106
PID 2076 wrote to memory of 5048	2076	chrome.exe	106
PID 2076 wrote to memory of 5048	2076	chrome.exe	106
PID 2076 wrote to memory of 5048	2076	chrome.exe	106
PID 2076 wrote to memory of 5048	2076	chrome.exe	106
PID 2076 wrote to memory of 5048	2076	chrome.exe	106
PID 2076 wrote to memory of 5048	2076	chrome.exe	106
PID 2076 wrote to memory of 5048	2076	chrome.exe	106
PID 2076 wrote to memory of 5048	2076	chrome.exe	106
PID 2076 wrote to memory of 5048	2076	chrome.exe	106
PID 2076 wrote to memory of 5048	2076	chrome.exe	106
PID 2076 wrote to memory of 5048	2076	chrome.exe	106
PID 2076 wrote to memory of 5048	2076	chrome.exe	106
PID 2076 wrote to memory of 5048	2076	chrome.exe	106
PID 2076 wrote to memory of 5048	2076	chrome.exe	106
PID 2076 wrote to memory of 5048	2076	chrome.exe	106
PID 2076 wrote to memory of 5048	2076	chrome.exe	106
PID 2076 wrote to memory of 5048	2076	chrome.exe	106
PID 2076 wrote to memory of 5048	2076	chrome.exe	106
PID 2076 wrote to memory of 5048	2076	chrome.exe	106
PID 2076 wrote to memory of 5048	2076	chrome.exe	106
PID 2076 wrote to memory of 5048	2076	chrome.exe	106
PID 2076 wrote to memory of 5048	2076	chrome.exe	106
PID 2076 wrote to memory of 5048	2076	chrome.exe	106
PID 2076 wrote to memory of 5048	2076	chrome.exe	106
PID 2076 wrote to memory of 5048	2076	chrome.exe	106
PID 2076 wrote to memory of 5048	2076	chrome.exe	106
PID 2076 wrote to memory of 5048	2076	chrome.exe	106
PID 2076 wrote to memory of 452	2076	chrome.exe	107
PID 2076 wrote to memory of 452	2076	chrome.exe	107
PID 2076 wrote to memory of 4964	2076	chrome.exe	109
PID 2076 wrote to memory of 4964	2076	chrome.exe	109
PID 2076 wrote to memory of 4964	2076	chrome.exe	109
PID 2076 wrote to memory of 4964	2076	chrome.exe	109
PID 2076 wrote to memory of 4964	2076	chrome.exe	109
PID 2076 wrote to memory of 4964	2076	chrome.exe	109
PID 2076 wrote to memory of 4964	2076	chrome.exe	109
PID 2076 wrote to memory of 4964	2076	chrome.exe	109
PID 2076 wrote to memory of 4964	2076	chrome.exe	109
PID 2076 wrote to memory of 4964	2076	chrome.exe	109
PID 2076 wrote to memory of 4964	2076	chrome.exe	109
PID 2076 wrote to memory of 4964	2076	chrome.exe	109
PID 2076 wrote to memory of 4964	2076	chrome.exe	109
PID 2076 wrote to memory of 4964	2076	chrome.exe	109
PID 2076 wrote to memory of 4964	2076	chrome.exe	109
PID 2076 wrote to memory of 4964	2076	chrome.exe	109
PID 2076 wrote to memory of 4964	2076	chrome.exe	109
PID 2076 wrote to memory of 4964	2076	chrome.exe	109

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3404
- C:\Users\Admin\AppData\Local\Temp\2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-05_cef5919cc14077d9c6cb24fcf8cbdc82_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2e4,0x2e8,0x2ec,0x27c,0x2f0,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:5096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffaba79758,0x7fffaba79768,0x7fffaba79778
    3⤵
    PID:220
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1760 --field-trial-handle=1892,i,16077156970090679987,8019577122941746987,131072 /prefetch:2
    3⤵
    PID:5048
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1892,i,16077156970090679987,8019577122941746987,131072 /prefetch:8
    3⤵
    PID:452
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2212 --field-trial-handle=1892,i,16077156970090679987,8019577122941746987,131072 /prefetch:8
    3⤵
    PID:4964
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2976 --field-trial-handle=1892,i,16077156970090679987,8019577122941746987,131072 /prefetch:1
    3⤵
    PID:2292
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2992 --field-trial-handle=1892,i,16077156970090679987,8019577122941746987,131072 /prefetch:1
    3⤵
    PID:3176
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4564 --field-trial-handle=1892,i,16077156970090679987,8019577122941746987,131072 /prefetch:1
    3⤵
    PID:5332
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4664 --field-trial-handle=1892,i,16077156970090679987,8019577122941746987,131072 /prefetch:8
    3⤵
    PID:5464
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4812 --field-trial-handle=1892,i,16077156970090679987,8019577122941746987,131072 /prefetch:8
    3⤵
    PID:5564
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4764 --field-trial-handle=1892,i,16077156970090679987,8019577122941746987,131072 /prefetch:8
    3⤵
    PID:5984
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 --field-trial-handle=1892,i,16077156970090679987,8019577122941746987,131072 /prefetch:8
    3⤵
    PID:6092
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:5344
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x240,0x244,0x248,0x1f4,0x24c,0x7ff716907688,0x7ff716907698,0x7ff7169076a8
      4⤵
      PID:5796
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      PID:5684
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff716907688,0x7ff716907698,0x7ff7169076a8
        5⤵
        
        PID:760
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4776 --field-trial-handle=1892,i,16077156970090679987,8019577122941746987,131072 /prefetch:8
    3⤵
    PID:6032
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 --field-trial-handle=1892,i,16077156970090679987,8019577122941746987,131072 /prefetch:8
    3⤵
    PID:6236
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 --field-trial-handle=1892,i,16077156970090679987,8019577122941746987,131072 /prefetch:8
    3⤵
    PID:5472
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4488 --field-trial-handle=1892,i,16077156970090679987,8019577122941746987,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6984

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3088

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1340

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1172

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4652

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.92\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.92\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1936

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4460

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4496

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:400

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5252

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5548

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5748

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5800

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5904

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5972

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5340

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5568

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5788

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5544

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5928

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6048

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5792

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5560
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:7052
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 808 812 820 8192 816 792
  2⤵
  - Modifies data under HKEY_USERS
  PID:5788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3316 --field-trial-handle=2228,i,17475224967547320003,13667387715861799238,262144 --variations-seed-version /prefetch:8
1⤵
PID:7148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.92\elevation_service.exe

Filesize
2.2MB

MD5
d57420d68ab7d92a79f44f8e528aa952

SHA1
3deb9bc24741263f5574b9e2e185789f3272146f

SHA256
2426c0755acb0caff2b6c126b5523370989ad1257adcfadf01a76d7106299092

SHA512
6d402add3f9ce42a5d3b76445cf5b874e4671e315c1ca714ca05fab39a8405cfa5c31ba53070706ced0618245fc811a9be5f1c74aef6595eff170b8d81baff14

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
f12535f396017418d47e912a4e1583eb

SHA1
8f69410d4493769a2b6cf9c07070e98f07ecdf96

SHA256
6c4703ad2771b9fded11272bd66da402b048ac94ef1c8a8a99d6c16895083483

SHA512
99e4f0297150fda2adf9dda5deed5cfb1a7bdc955dd0f3b49e1b58d975c8d53ee956ba59189552708ea59a24e31187832f9c895e4de10c47c102bae4750b38da

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
835928150566f1baa6fafac5065392c4

SHA1
15eff7b7751ed5aeeafd45c5b38ea1fd9b0283bf

SHA256
aaa3bb740102052ba81527f8da78187a67b5ec4c49ec72cd575d60a9962e71dd

SHA512
23d407b011a3e6182a5548aa19e376b647509d2d92f890950ffd19bb80a1eb0acef8583a9b789dd93cd58ec32d378969cb7b06c73c239476fb5deffa44ae3414

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
f4d2150422cbfa17ff9f95b5e3c8f667

SHA1
4d8159627abda3fe258ffc62deaf63431c133f8c

SHA256
3f67e94dc285b86d4544f19a62309dd40ed6d9c8eb811ca013643bed108106a0

SHA512
e9d929ddb80d9918b32a94ba7d7d5ccedc4bf750ef3e5625310b20c900b9a8a3e6be3175b295a373488d1fd901e10f1c70030d692969914a1d56c0bf7d617b1a

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
adba8695c342f5f02b5ddf510888fdbf

SHA1
61628bca3bba2c61e040e6f4f58723b7ad1557db

SHA256
3c1d1e8ed70b05bf8c4213e82a938868c6637b2856b34e123fbd426c951b1e25

SHA512
228ee8bb0cac4731e71bcb0da25b57cd65180ade41ee00818f7a35df1b785ead20f00ec316ac0ab734ae72a6315fe5f357cf1cdbb6da2a270467d8c5f9089012

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
2c833cddc50d9686e8377d24c5586efe

SHA1
b3b0e3316e449eccfbfcfb6eb172fe43c81b4c94

SHA256
1611d0a3c60d9c787ded6f11b51a3eb746e7ea283cf326b2cbd411a47c777289

SHA512
583924075aa7cda5643eba7b2e6525e0d9aa29b6e189455bd6e888cc0fd0bb40b9c7f4026bb48e82605fb6cea0cc7e93ce685de889db80570a234c4daee3746a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
0532a308147a068039f6bb17e059a432

SHA1
d18587eda7e424b2b8ed97849e025021e4eef3be

SHA256
d8b46f56ec8d938368999e1f8ceb1a851e2a14b1691f69c2f3f9a4b159b019e4

SHA512
9390b7efbdf8ad7fd7cbfe6ef9613a1c705514843c3288b8bcb71c1c31142173ca19a7bbaaff31b94213aa7a37c7be88d4df1e3afca4cbf0e44ec4c7087501a6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
0787ad1f082fba79b3066b7c2c00215f

SHA1
5f9c74c2ea31f85bb185bb4359f8f70f6790e6e3

SHA256
7d33590a370c008a45f606e3fb0ca63438f23a8b3e0df7697c73ee5a71e13f52

SHA512
3c5d39d944a1c4aba0590441ca89c46efb378d4c4735228dfe8482287b853c3c169ab39348b1df74b5da96878375ba16a75813781e6c2edb77d2eaeaedadfb7c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
87af8b98e2505e0baa60048418da626d

SHA1
3524d3677ac3d463c95affff1dcc4d9cc8b82dee

SHA256
ce27258a9839fd4f2cce3e575a7bf8381d4e4c9505cc60a8abd78911a8948ce7

SHA512
3551fc1dd2d4f2b99fc6d6994b357ef44e21769c8b4abe5a49b2c049538c416077479228eaeb621355e88479b8c5f862d619c58050f5aba90e64df6c0ca4d3b7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
42f21bdd6d30bd33e540b8f5543b022f

SHA1
b2fc71faa98152259c38fb88b7d6ffdea7a52080

SHA256
8b3ee5c02d0fff79ca2f4e3739249341cbeebb9016982c6d1d7239e6e48d7b8b

SHA512
0bd0203281b803ae848744bbf84ca37d4ecab25ef7373a33a66bfbf0878a84f18b79af31f24876544c7c81be0c2363923cbe5a0a32cebdfd9839167cb36c43e3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
b95d7108ad548c5bc59b405f2fbbb288

SHA1
ab2bee2db1f5cc6a42fa46d13fb7a3d77706ddff

SHA256
725c44eef60ac873ab5495df128320d2b674497518c06d8ea90cc08876db9368

SHA512
de63ef2eddc4ec0328bfd4d09a032c41f79dea555cc43cab31520ae645114fb9d63f0644b52af53ae742ff6879fe23f0324b4541a14b1314ab31f55472fe6299

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
87e8b96656323a7212bad587a9d8e567

SHA1
8f70692a00eb246a8cd204081e836fa6ba286a4e

SHA256
b420b7d1ee745c7b78094f7b6c0be6700d992415c4e2d99a93746dbefc5afd65

SHA512
4d37a4167cbb104aaf7f288d8ab0f1f26879753c7628c32d8db5666ce702fd812fe864ab6bce2544f91d038cf3f7b37325bf9d53701f3e9edf34e92f7ee39652

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
d9e1d70a9eb7f8bed09f4ee27912d961

SHA1
ab946e376cb1843fe5a55cce1275efec1856e25e

SHA256
50ddfb5de99c96f076f17dee7defc72b4f5a808d4efd0ed203ab1c9ec9f73424

SHA512
b3e85d45fb21b3d6b35aaab802541a6d39ad70be7ebafe756b4c7d95e940422acd7004b965ca2235f50b97f7e780608eb75cdf7f310927d07e21b3039e576739

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
9aabddacbade12c181db61ee57d39976

SHA1
9956bf7a41f50d66e8b5493a78fea4a77520e8af

SHA256
c76b8d0c5053279c09f30c02d36714d06ec6827e8bfb77d0473d74fdf7e4e85e

SHA512
88462969ee8920a106279bc7724a02ef9deb10d1d138f1beebb10a3e00e5e3fb2bc11f780aebb7b0d38b114663b93fc7757ad5638df274fe3b89f1b2d7e9b92c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
a349cb532b076fdcc516f1d86184919d

SHA1
a6fb3dbb8b426a19276dff30f353b606aa75099f

SHA256
6e8db41352efec1efc00c35c4a22f8d1b1df21667e6fe27833e1e39caf0089bb

SHA512
682cef1cb0c33ee39cfaad0358b4a188cbd4f2fa46534ec9ebaa51dcdc3bb53a0f72fce071868782f7993b062db6f6b2838b6f12929c3db0b7c05f770448396c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
12f06d7c604a39f5994002349699503b

SHA1
192011fba5912762cee13385ca7d6df164410bb5

SHA256
08beb6bc2537625742088af229173bafc5061f9cb8b3e8622ad57aa636aa4058

SHA512
b04e4248b0db185e679de42c7524cf1951de2d79124e086df18ab3e8133337ae8c766976ba51e524953a0c8d08ef5d715f5aadb434ed3735432811133915efd9

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\20240405012931.pma

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
f3c63042d95de29fae808c80a8102573

SHA1
3e3586455756b657fc8a953b6b70e017063c9639

SHA256
f23dc9ea74c74cb6389a1422ad5d307e9527dc0d82c21de6f457712439ce02d7

SHA512
3d8f8fd250f3c97a98a49306a436c648b242f4c6fda4f5916dd713a6f48e6742b1c8feeeddecf88eabb1a80c63a4a4795b605ed5bd6de05eda30ccd9acd417a3

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
01fc9a62d4e5d0162f2767707a4e6a47

SHA1
58ab37c4da778138fba867de20e6e4f721e49895

SHA256
75d44c9710318e951cb1c9621e002558488ade6e0fdce37b6197d9e831f1d220

SHA512
9f28a2524e9f22e6d6549bc3851bb9c9df066c7f94a5768e8ceadb82a324ae6c2a78d640b192810ad8b84e76cc83add122fb8d6e8cd2a1c93ce85031a8ebdccc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
4a0b907083f8afcc81fd894fb6c45d01

SHA1
7161d696223d3373ccce860cf81249d7f738a02f

SHA256
87b0af1a5d48c9852603c2cd73097e27beb903aca92354231262ceba0e276e4c

SHA512
9a917882b29ac03f6af556b1c4cfb99b5e8260a4bf9a179b91cb1a1ddf47c1cd5543b8d7f008d955320e567dd4fc0236e187717d4bda748289700b3fe920aca4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
48c14180d898e5d96bd6cab2eca1c8bf

SHA1
11fd836d3f01a2424b23565f32b34f1aec8e852c

SHA256
df77175c8b5f5ee7f6a39aad1f9b12b8634330379e9ad02e223c82cf60858f32

SHA512
ca51761b56b9e55203901d0f07e4fdce6f7d46988d84e776467a607d10eb51a84964064775c6f3ccbc8cab48bc606a35282588fa5c2b12728befae71d7ea9fbd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
40104e27dd137b069f656dc062b1e1cd

SHA1
3eba0a684d1d571dc065b91e48ff70ec67e91d10

SHA256
a105fe5b4567f8f24dc9764ed54c5601f6ec0b98d264ee888894084df899549d

SHA512
f4b0ef79b258342e993ca6099b17580878ad29a8f6549ba098f2f0be7e5b24bf63d7594237f3060846933897e7457d27dee5eb7ed26d6baf66f3e06c3d22cd2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
37777a268491b0c8264e57f77d58a84d

SHA1
fc0065a6629c05405ebcd993ea37b9ebb300a1f2

SHA256
5919b8305c52899e314661440bbfcedd72d04fcf489af71c1c46a54983835486

SHA512
6dab85f287189853e00b3f96ff3f46dcd6ab786757befb93d1888ee5b77a9f0944c7dba1cd2fee2f1490902773138b33cd3e62037d77765d4f2df768bb68219e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
651e5f1994b59480c8cf272b1165658e

SHA1
82c63af4e11c772e7ca8b9f05d4a52f9a28bdbb5

SHA256
9be5715d085ffcb1d81c75be594b63866bb36a00864304f64a5d04d1f21c1bd6

SHA512
7135cd1f5cff1f1ff12fe54481bf85cf664acafed888ff7b71f1e6c82fe444541d48ea09a8957c15a112cd80e1a4c467138ecf8f3b9b24bd6e99083fcbafa288

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
8e8182cc2c20632aea75c2fbc1fa1147

SHA1
d10f57947c131c0ade769ebe0e20c477035be42e

SHA256
5be0a0574931039b745a2d93ce5e56ae61c2fd8213d0304d7c776f44962c071a

SHA512
1cc60fe22ceaca7e93ccccf56d41109a33d4ed9a9b1f31a2699e7ef8a5ae4f1196021898818836601cff543bde97a1351d72ca43ec66550976794f1fbd30e213

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57d476.TMP

Filesize
2KB

MD5
52967a4cfc743203819fc0de12defcc1

SHA1
ed45be1b5bfb7f0f05dd9c2f1dd03172f1e85649

SHA256
7224846e2eeebb17ec177a55a26d93c9b4d4727770da01c1806be5575c241b02

SHA512
bf06df623f6a3cf980d5e9e726dedf68f9caa16c77d24c28487bc190b789a729573d507c155f2d0852356e7c77e4008805cba276841354a5a0aa36337359367a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
9448e8be82e0bf9ebd78ac2aa8f01111

SHA1
b1020aa23da49f82d9293fe3a8c76b0edaa2106f

SHA256
bb0090a61b2d408ae01d093ac87ddbb902a6d4ce6959355bc63ce945f5f941d0

SHA512
08195c2b4e80fbe17f36b35e01025c66f4748ecd95e889cbcbb4d600d5a340d4a4a8d573443db51e442a13ad686dd7e74e07b8a9770d2dab79250ba724f1344b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
289KB

MD5
50e316ea4ecb72c589d7950863b16592

SHA1
8f21c2ee3aa0f5bb0d5ab04b97406d1d1afa6677

SHA256
f35b0494092d07022932868af8b2f37029a817d869abfddf2e56bf051bdfed40

SHA512
8d4ab66f6fdeefd3db0d4fec756dfcdd477a5e67c24e754c50d5be1144ad3863b7660acb89b31ec16ae7429ea85a24b287af983dd33369cccea8af2d7ea4e11a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
268KB

MD5
ee01866a90a5c9e68e2231327b179e13

SHA1
2aaf73af067b60fe79e9401515f9a51202d6797a

SHA256
bfd0c3d8d5a009c0588d41277c510b12dd031d5e87f7655c6ee5161cb701d92e

SHA512
77e1782a4fa30c7c80d9fdd9ae16994d9920fbbd5e9377f3169f1e69109c121b725d1983894ef143c1915204347342b7630ccad103e1e8ba5056c1be4bb407f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
269KB

MD5
38a08bef3fdd0d21149482a3c78d7b49

SHA1
adb1f55dee98114ea7816e54d5d0ac06d1d0af50

SHA256
4c5a71bd7687d0d8d9197fb1dadaf0891c0b91beb0d544aa0e8d111fb710ca04

SHA512
b601bf2a1df0036c5a484f3ac6c813844394a4ae8e7c8cd85b0bfdef786f0aed1c5b19779c6dff8f1a2180ab323cc6e0d5118ed594e8b9710adbb767e4a575ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
55acb81fa50566a5dd5765e8d9363dcb

SHA1
351fb44c61065db97b2693c9f2b6709c76821e95

SHA256
1ce9cde324ed3f8e58e9e7d884c6a77cb7fca3e32b0cf6a90c03d252647da2b9

SHA512
a9ff46a74ca5844a71adc9759fa756d62eb23fe05a8419646814ebb600d8f6e549624e0e5061f73a658de53d2b95db740c527380b1960ae9cda61b89d5749701

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
288KB

MD5
29dfba7ff016e89e4d6f46a23998caca

SHA1
0f6a2cec49312c41d5c27b33d0730175d66f9970

SHA256
9df6ce854045adfe6ad8e43e1872f24246105d10b41012bc6295d2d441c007da

SHA512
9651532eda1c29cf7dc730d13364975715208c04b64cb5a22787b77b5ead5b87d4d6ab0bd2cf54f42371e0d779ab7ceab1b26f31cd3a318111a08be65ae9168b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
56d35b214479df6dc490049851bca8f4

SHA1
911f244b8c416d1cb2f1719c6678f373ab85c8af

SHA256
36a85b9eb87bbde4a9eb4c7d8ed0ae9c511847fbbe3c2ee146554efd20da5f1f

SHA512
90e011316467c0e5897f0e57a84e70cabc6b87c8b06baa85ab5391247635d5b1e7ca18e24f05b2e15e99ac69481e193ec0e09905d27a3e7445f2e19db594d357

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
07628f5fd1633d4b55ae0e29c31e8e8d

SHA1
1c8b43a54d2552ebb6a867d9e574f200de37b3a0

SHA256
fb64d0be7ae53076bb71dd6c96df33fcbfda7d8799763335ef792941e89a8c1a

SHA512
ff971ecf1fe6038ebf59f87dc9ee155df468aef646df4a7b87dc85d8908bb229452b76d0e7d4193b2f5585dcb5ef401ce2e0ffd39ac733d28107a5c1f6d32f3a

Download Submit
C:\Users\Admin\AppData\Roaming\cc3843de4ab059c5.bin

Filesize
12KB

MD5
ab41064d178857b06f2cec720d0bf0a0

SHA1
9575e71b1ec1176c158a65b7d2ddc9a8f46893ca

SHA256
873a2ae2350e0f60f80271a38557b0878980f974a7d776190f9c61789aa375cc

SHA512
ad078a946bcbf31fb7d7b1b953f89c98ada387eba49b4dbc0f3f8d23c7e6d54bfcb2d329d9746c3ab69b57c3c32c018c4afb0ae20700dce84b38393e133b2c4e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
b188e33abb820420bb9e40b454f7c3ed

SHA1
51088d5614b654df16c1888d0cb10354650edddd

SHA256
fdc254632a303088139d79d105636630e929b58b05b01e90a409cb2b24b906b1

SHA512
778d898702e2be66c97df46f187069b39f454a20cdbf7652d5d84064af6fbab95527a751d5b90219a98fb3df58f7ca8c49792c035c105181a5d6ebfbe5e08eda

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
994a0f6a887377708138e9855a1a388e

SHA1
41def383413b3646aaaae078f297c85a54fa8338

SHA256
ad9e5a0eca015b2d7fc14a5f8ead184a8be5298ba8b0b3afe2a195849f0e5345

SHA512
959ce52847782a20613fd8437c1c9d9950356463ced210c1f9e67a3af24ee8726b85bd266705286a666dbe116adb6c47b6530c43111321bcf1e2c7391bffabf8

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
74f998f28942c15f712659a56216dec2

SHA1
a4817902deb35789677614bce31e5ccc20fa9d36

SHA256
3996148c93b533dc06315c8230cd2caa843ac97bf5fcc738df419b53ec6e8812

SHA512
0f0d2672132eb4be98a0149d5693756615519967f8de6ae0ef6b612c7d398bd7a5fb900fd8f957b53a370b6f396f4363e327f12628d2fe02f8f5df11ae4f57a5

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
308f34b9fd7cd33b5ad257324acb75b8

SHA1
320b35cc7c10f7902d0905250c8b5dc4abbe9e9f

SHA256
073e7331a05bc9f312f40010372e42f15ca35f946bc30153ca218692c11728c4

SHA512
93f0e202d9a6fc21b20fe738ab90a905e8f3506be7474e6d1a16d5ac4a19d0a11e91a3bf6453cfca7db08f5d01bb1a68d80b181ba1bd59e55b6de8d3ee331499

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
268232d112acf2b6c02c62a25d5f3b0b

SHA1
dfa2e8b62322e96ab7a823d940f0a7a69ab9422e

SHA256
9e3968a83d8d24b9914b03d73a2135ae0fb09afdb46d8abd3179902d2a8af0f6

SHA512
62a0f027cccc624b346cfc21560c977b8db9175266b6d784f7db3407648cf0e309752c4f47059c6478570f76adb8674aac0dce0166a9cfaeda37bbe91d5ab1c0

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
1a82bcb2ff37bf47309a7a32bb9ea4c4

SHA1
20f37f7a54d51900357fb8c5801275ca23e1b345

SHA256
224e9c1a0a49325fcbb960b806a88e3e66e4f8f71b50601658d92270e7f413f7

SHA512
7bfc43dc2fdbe1cac506913ea0dd488bed6a438893c9af978ce20b2287fe99e5a3506d0c482c10e4a34ba4458d3d3983adaa9c26bf34abd7cf7850c3f6ce74a5

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
8e6d7732d41fc94c1758ae2432cf29b5

SHA1
b7f0f498a9ed0dc227520a7fc588b3d7c31521fd

SHA256
577ad09bdc9247ec9068182604a494c162e16a8d949198c305020a4d1577c21f

SHA512
d6d1844955e1d3808f110b94aaf5a3c1c28234d9181c765497ba2ec53d6fa303e91841337849bd03497e012a321f0b4e996084ff2d07be7e2f028beaaae17679

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
c354b2d02be388a63dcb1599ba999466

SHA1
af9cbabb84f1a412718e197fff77ae98f6ca055d

SHA256
e8f2be5f3ba778f7a461dcf6a6548f5f83ff69722ff07df70a0124a34799b529

SHA512
b5440fc7b25b594c3b6c3fc508592b39501cf8be9926771093fa27fe1b4e56abd8a29e38234c00104329f7a954c0cc5b25e45a605b9e68bac68857c1c6027b41

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
ddd82f6d7b31e1f95809b23c6d4278c9

SHA1
3dac986a5e81cf9b6239a2e15038b50dd9a22668

SHA256
827168542acde7e48f8bf5d014bc95daf41e805570a71b0ccd55d51dd75281fb

SHA512
72b5646acfd3cb4f14408f676b7ef1ff5e66f8503bc4b9707171918755ed676f00b880bf531f07186538bf1929c626d5491a34a6c431f89dd677c4fba9613dc2

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
3f623a0b0200ac1c36b361cd7555a1a2

SHA1
dc11f641569e3ce188664cbfe0bdd09d004e6bd8

SHA256
12ee3a43fbbad11b6084fc987beda2140e1941793b7b9494669810fb3879949d

SHA512
5234b6134a54bb4c86afb8e29540721d7074ed65802ea4c132f73dbd427636c60efa8145cd3e98a1bc705fc2cf08d6cb31afd3dc8f431e293b09529056752dc2

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
487382b760c93819f220b7ef9b5444f7

SHA1
0b4a956bae684e946e98e02dd36e9ad4412325c6

SHA256
d2f29fc16c47e4a313da53e795646785cc2293344cbc93141c836ff4dc702e75

SHA512
8325fcd7c446305699da30d18f799c734c1270b450668574bafdefb3bd8c6b85a065b7b0d9246fd9460d3d35f0f7f90b7eeec4e423aca13e7ee055bbf3c1211c

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
eae7c75a665df56b33719736b04f1d14

SHA1
f2e3be75b6a1a886f66f1b9e67efe855580cc985

SHA256
d6ae68945270455e03c198deb9a83f6839e98e252f92e7cf6a4b32e10c5c73c2

SHA512
f62d8729e5fb5ff30397e2769c02264173a4a584896bfd94594877838fc12d7bba53151b60623563da4781e14ab1b306fbe312108867946b1fb2d39ccdb203b3

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
e1d038ac05f7aa606ac614e3d320f167

SHA1
4d3b28a37b702232f58497d81f3edaf9c1052589

SHA256
5acb09b6d45322b858c8c3a3c4cf43c235cfab559be3f636d7608c13a8bb29df

SHA512
fbe419c2dcd4576682da0a13a6ce3407edac83c5fcdc2d03a03c5b4ea95fb1b099506ab29b88f1f759de20deb22576e680d2c62643a1b38a7ae6a372c020fe18

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
270292c97ce6a32862f4f4ca2bcdd11e

SHA1
a6e0fbeebbe368cc8b3f098aacdf6de73a03f184

SHA256
9a6e7d69aaac0cf9e8cf3b9e262d2dc101ae9b4633574536aa837c8cd2a7bb34

SHA512
100f43dd98fc1e6bc3e44dd92bb290390f4e2a059461959b0252d69c914bdd1bc4cccab99e6a23422cc674c8be670ad10926954c015c505074e039a4ce60675a

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
3c9ae0f87edf1cb64123bb4709c33dc3

SHA1
baf476ae10cad471fdf6d731b283afb2e8c38b83

SHA256
7068899658b7d072290f3d08c00caf28b55f68263edce70884b4b8e820ec7864

SHA512
daf638108acf72255bada64753da12db9160897b80c95599592f7459e7b762d5cdd5abc4760098ad77635cc29f585a9bea305d8012bb86003c831f2eaf77d580

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
61a39883e59e2eead023777061d582c3

SHA1
cd9ad6fbe6221a31e1ffd6c71fed946d34a87f1e

SHA256
982c3108399b446cbd126260b5c602a52ca9d4cf462d09a82d3403e4e72032f3

SHA512
cbe160bfb5a811ff71b4c1be6b5f84c745add22c7078298bf8b368318840825cece32838cb4e3637083ccf47c7b124ae7254958a839ed8dc880d9252ceb69116

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
ccc5abeeecf17c7d6054e60934c4ffb7

SHA1
4fe3b01c0040f20b6f5d098cef71789074f2a9d7

SHA256
b6a9db11bae183e1ecaf1b606606a6c0afc22905d2d23b1043e4503c2dc8ccc2

SHA512
8315169d86e87f4282cc12d36546fef62fefad26b2460dbf62457511da61052e41e8562c440a8d07b19fe7b00d6bbe0a7e357c73ec84db737600c7185fe9b35a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
0068437b85cb5d77fa4b9a818211b199

SHA1
f8a285952c1f3e9ac083692ee9ab042da43e193d

SHA256
06f4a98e3da74efa8404b01d80540190059c40e6c7e4c3ba148d5a8bc237802b

SHA512
7d251118f570eb4359b7ebaa7349fea8a12948976cbbb1ad745891bc3266237b64e6974b4bef39caa6bc60cce210e4df2648d7738d1906a601d20f6f50d95198

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
d2fbffbdedf5849cc29340ca0e6ea5f7

SHA1
b15432d75827aebac414008bb69841e5c890b4a6

SHA256
93c9e06f21a86a204d4214bc6f3980ed3eb2251465b94788dca2f4c60975fbc5

SHA512
3a554fc6035aec077626485987905ad7adb2c5da2d74ab46486b6bde7f13ca997f8f55708e64583980083442765a22f4ad4e95472cd44833b12d5a6af69a200e

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
836cad0f6138adef622c224909f0c195

SHA1
beaddc66c1a6872cec96d5cf9e2a2137692c0fa6

SHA256
803b3cda65b4c429fde600e4496e04f1b4002ec46c8e5fdf4bc3775e1e63a59b

SHA512
e6302627b5c9660d6510f3f3a72874c7b3e585542d0af8ad87c1cb8964ede4826224a636d8fbf8b09c8f366718ebe594b698668a55bc35f9444a48fa0435e7f6

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
56f9b3d4feb5779a6e427296ec84a1e0

SHA1
9a76c718e2ed56e14a71d826de795ae357640851

SHA256
5f41acf79c9b441cc269796c81058d35aa1ddda9fad6e48ccba279d000c712c7

SHA512
2863777fb4085e7b9523756c412b834834257b7309121f44bf15a2d9e9652d2f267cced5bb3901be388943a4d6e52bae3b44146d3972f3e4810b913d1b87ef0e

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
e813d6d5ed33b48fc2e1658736fe17fa

SHA1
296b8fcb3847a253d5ce2efcb08aaa58d6034414

SHA256
162ca8dad82cea32613ec7ede479fb9028f49228c2dcd02129f1220eb940da9a

SHA512
5e653bd7c22a53568f94deb315bbae993b11ce26a724ccc73e94f0bc256b10755e0701017e5a27c60a99d77d4d3801eb94fa5d669168b852b60a71a9b4c59ac5

Download Submit
memory/400-187-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/400-124-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/400-112-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/400-107-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/1340-87-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1340-34-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1340-23-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1340-27-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1924-53-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1924-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1936-72-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1936-64-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1936-159-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1936-67-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/2656-204-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/2656-194-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2656-457-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/3088-85-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3088-19-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3404-42-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3404-0-0x0000000002090000-0x00000000020F0000-memory.dmp

Filesize
384KB

Download
memory/3404-36-0x0000000002090000-0x00000000020F0000-memory.dmp

Filesize
384KB

Download
memory/3404-8-0x0000000002090000-0x00000000020F0000-memory.dmp

Filesize
384KB

Download
memory/3404-2-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4460-90-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4460-78-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/4460-92-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/4460-84-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4460-77-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4496-179-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4496-94-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4652-134-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4652-51-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4652-60-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4652-131-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4652-52-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/5096-26-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/5096-13-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/5096-14-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/5096-74-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/5252-201-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/5252-144-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/5252-135-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/5252-136-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/5544-214-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5544-491-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5548-210-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/5548-149-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/5548-160-0x00000000008C0000-0x0000000000927000-memory.dmp

Filesize
412KB

Download
memory/5560-244-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5560-520-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5568-207-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/5568-481-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/5748-163-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/5788-509-0x0000024372F10000-0x0000024372F20000-memory.dmp

Filesize
64KB

Download
memory/5788-482-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5788-517-0x0000024372F10000-0x0000024372F20000-memory.dmp

Filesize
64KB

Download
memory/5788-493-0x0000024372F30000-0x0000024372F31000-memory.dmp

Filesize
4KB

Download
memory/5788-519-0x0000024373860000-0x0000024373870000-memory.dmp

Filesize
64KB

Download
memory/5788-212-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5788-518-0x0000024373860000-0x0000024373870000-memory.dmp

Filesize
64KB

Download
memory/5788-486-0x0000024372F20000-0x0000024372F30000-memory.dmp

Filesize
64KB

Download
memory/5788-508-0x0000024373050000-0x0000024373060000-memory.dmp

Filesize
64KB

Download
memory/5788-492-0x0000024372F10000-0x0000024372F20000-memory.dmp

Filesize
64KB

Download
memory/5788-502-0x0000024373050000-0x0000024373060000-memory.dmp

Filesize
64KB

Download
memory/5788-485-0x0000024372F10000-0x0000024372F20000-memory.dmp

Filesize
64KB

Download
memory/5788-501-0x0000024372F10000-0x0000024372F20000-memory.dmp

Filesize
64KB

Download
memory/5792-234-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/5792-516-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/5800-168-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5800-223-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5800-437-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5904-233-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/5904-176-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/5928-500-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5928-219-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5972-189-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/5972-240-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5972-181-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/6048-507-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/6048-224-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download