563694e1eed8686779c942957f5c0b6cbfd5cf54fda54bd888a2732da4f1f0e6

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16/04/2024, 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
Size

5.5MB
MD5

a0416cbf1dbbe1a80970c5514c5a0fbd
SHA1

e4402c4fd64b1dc6295ac6f388be89a110b562ee
SHA256

563694e1eed8686779c942957f5c0b6cbfd5cf54fda54bd888a2732da4f1f0e6
SHA512

2aed618053bf04614515745e0a9f24d9b05551513c6b08c02b224f28737c0aef6c0b71f3a855a2bf1057362d1074b3946e3593e77c75923f1c516338c418eeb7
SSDEEP

49152:XEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfh:DAI5pAdVJn9tbnR1VgBVmp8F1b6TwY

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
2144	alg.exe
3368	DiagnosticsHub.StandardCollector.Service.exe
3552	elevation_service.exe
2836	elevation_service.exe
2316	maintenanceservice.exe
3112	OSE.EXE
440	chrmstp.exe
4792	chrmstp.exe
2828	chrmstp.exe
3172	chrmstp.exe
4228	fxssvc.exe
5408	msdtc.exe
4592	PerceptionSimulationService.exe
5768	perfhost.exe
5868	locator.exe
6068	SensorDataService.exe
5968	snmptrap.exe
3708	spectrum.exe
2332	ssh-agent.exe
3076	TieringEngineService.exe
4300	AgentService.exe
3672	vds.exe
2660	vssvc.exe
5312	wbengine.exe
6060	WmiApSrv.exe
5412	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b7ccea0102ae222.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_79750\javaw.exe	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_79750\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{78904BCB-E140-491C-BF0F-5887E645688E}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000256db87c2290da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000079e58f7c2290da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000029ca367d2290da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c2f7c17c2290da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000540bb67c2290da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005a94bf7c2290da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000256db87c2290da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000197fea7c2290da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
4384	chrome.exe
4384	chrome.exe
2728	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
2728	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
2728	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
2728	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
2728	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
2728	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
2728	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
2728	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
2728	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
2728	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
2728	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
2728	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
2728	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
2728	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
2728	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
2728	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
2728	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
2728	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
2728	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
2728	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
2728	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
2728	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
2728	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
2728	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
2728	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
2728	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
2728	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
2728	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
2728	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
2728	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
2728	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
2728	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
2728	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
2728	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
2728	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
6036	chrome.exe
6036	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	5024	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeDebugPrivilege	2144	alg.exe
Token: SeDebugPrivilege	2144	alg.exe
Token: SeDebugPrivilege	2144	alg.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
2828	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5024 wrote to memory of 2728	5024	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe	88
PID 5024 wrote to memory of 2728	5024	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe	88
PID 5024 wrote to memory of 4384	5024	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe	89
PID 5024 wrote to memory of 4384	5024	2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe	89
PID 4384 wrote to memory of 4956	4384	chrome.exe	91
PID 4384 wrote to memory of 4956	4384	chrome.exe	91
PID 4384 wrote to memory of 3340	4384	chrome.exe	94
PID 4384 wrote to memory of 3340	4384	chrome.exe	94
PID 4384 wrote to memory of 3340	4384	chrome.exe	94
PID 4384 wrote to memory of 3340	4384	chrome.exe	94
PID 4384 wrote to memory of 3340	4384	chrome.exe	94
PID 4384 wrote to memory of 3340	4384	chrome.exe	94
PID 4384 wrote to memory of 3340	4384	chrome.exe	94
PID 4384 wrote to memory of 3340	4384	chrome.exe	94
PID 4384 wrote to memory of 3340	4384	chrome.exe	94
PID 4384 wrote to memory of 3340	4384	chrome.exe	94
PID 4384 wrote to memory of 3340	4384	chrome.exe	94
PID 4384 wrote to memory of 3340	4384	chrome.exe	94
PID 4384 wrote to memory of 3340	4384	chrome.exe	94
PID 4384 wrote to memory of 3340	4384	chrome.exe	94
PID 4384 wrote to memory of 3340	4384	chrome.exe	94
PID 4384 wrote to memory of 3340	4384	chrome.exe	94
PID 4384 wrote to memory of 3340	4384	chrome.exe	94
PID 4384 wrote to memory of 3340	4384	chrome.exe	94
PID 4384 wrote to memory of 3340	4384	chrome.exe	94
PID 4384 wrote to memory of 3340	4384	chrome.exe	94
PID 4384 wrote to memory of 3340	4384	chrome.exe	94
PID 4384 wrote to memory of 3340	4384	chrome.exe	94
PID 4384 wrote to memory of 3340	4384	chrome.exe	94
PID 4384 wrote to memory of 3340	4384	chrome.exe	94
PID 4384 wrote to memory of 3340	4384	chrome.exe	94
PID 4384 wrote to memory of 3340	4384	chrome.exe	94
PID 4384 wrote to memory of 3340	4384	chrome.exe	94
PID 4384 wrote to memory of 3340	4384	chrome.exe	94
PID 4384 wrote to memory of 3340	4384	chrome.exe	94
PID 4384 wrote to memory of 3340	4384	chrome.exe	94
PID 4384 wrote to memory of 3340	4384	chrome.exe	94
PID 4384 wrote to memory of 1336	4384	chrome.exe	95
PID 4384 wrote to memory of 1336	4384	chrome.exe	95
PID 4384 wrote to memory of 2724	4384	chrome.exe	96
PID 4384 wrote to memory of 2724	4384	chrome.exe	96
PID 4384 wrote to memory of 2724	4384	chrome.exe	96
PID 4384 wrote to memory of 2724	4384	chrome.exe	96
PID 4384 wrote to memory of 2724	4384	chrome.exe	96
PID 4384 wrote to memory of 2724	4384	chrome.exe	96
PID 4384 wrote to memory of 2724	4384	chrome.exe	96
PID 4384 wrote to memory of 2724	4384	chrome.exe	96
PID 4384 wrote to memory of 2724	4384	chrome.exe	96
PID 4384 wrote to memory of 2724	4384	chrome.exe	96
PID 4384 wrote to memory of 2724	4384	chrome.exe	96
PID 4384 wrote to memory of 2724	4384	chrome.exe	96
PID 4384 wrote to memory of 2724	4384	chrome.exe	96
PID 4384 wrote to memory of 2724	4384	chrome.exe	96
PID 4384 wrote to memory of 2724	4384	chrome.exe	96
PID 4384 wrote to memory of 2724	4384	chrome.exe	96
PID 4384 wrote to memory of 2724	4384	chrome.exe	96
PID 4384 wrote to memory of 2724	4384	chrome.exe	96
PID 4384 wrote to memory of 2724	4384	chrome.exe	96
PID 4384 wrote to memory of 2724	4384	chrome.exe	96
PID 4384 wrote to memory of 2724	4384	chrome.exe	96
PID 4384 wrote to memory of 2724	4384	chrome.exe	96
PID 4384 wrote to memory of 2724	4384	chrome.exe	96
PID 4384 wrote to memory of 2724	4384	chrome.exe	96
PID 4384 wrote to memory of 2724	4384	chrome.exe	96

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5024
- C:\Users\Admin\AppData\Local\Temp\2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-16_a0416cbf1dbbe1a80970c5514c5a0fbd_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2e8,0x2ec,0x2f8,0x2f4,0x2fc,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4384
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9bf5aab58,0x7ff9bf5aab68,0x7ff9bf5aab78
    3⤵
    PID:4956
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1704 --field-trial-handle=1900,i,4170502972185549631,4703140511602897687,131072 /prefetch:2
    3⤵
    PID:3340
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1900,i,4170502972185549631,4703140511602897687,131072 /prefetch:8
    3⤵
    PID:1336
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2172 --field-trial-handle=1900,i,4170502972185549631,4703140511602897687,131072 /prefetch:8
    3⤵
    PID:2724
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3024 --field-trial-handle=1900,i,4170502972185549631,4703140511602897687,131072 /prefetch:1
    3⤵
    PID:4548
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3032 --field-trial-handle=1900,i,4170502972185549631,4703140511602897687,131072 /prefetch:1
    3⤵
    PID:1516
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3592 --field-trial-handle=1900,i,4170502972185549631,4703140511602897687,131072 /prefetch:1
    3⤵
    PID:2548
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4200 --field-trial-handle=1900,i,4170502972185549631,4703140511602897687,131072 /prefetch:8
    3⤵
    PID:3364
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4520 --field-trial-handle=1900,i,4170502972185549631,4703140511602897687,131072 /prefetch:8
    3⤵
    PID:2396
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4768 --field-trial-handle=1900,i,4170502972185549631,4703140511602897687,131072 /prefetch:8
    3⤵
    PID:4588
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4904 --field-trial-handle=1900,i,4170502972185549631,4703140511602897687,131072 /prefetch:8
    3⤵
    PID:3388
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:440
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:4792
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:2828
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:3172
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4996 --field-trial-handle=1900,i,4170502972185549631,4703140511602897687,131072 /prefetch:8
    3⤵
    PID:4484
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1656 --field-trial-handle=1900,i,4170502972185549631,4703140511602897687,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6036

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2144

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3368

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3552

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2836

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2316

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3112

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5548

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4228

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5408

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4592

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5768

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5868

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:6068

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5968

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3708

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5304

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:3076

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
PID:4300

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3672

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
PID:2660

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
PID:5312

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:6060

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
PID:5412
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5932
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
73be468443af55d20bfb075e99d89ce0

SHA1
fc30cf8da699b02d36b1ecd2e33365ee12742a68

SHA256
76be8a5cc88eeb3f1cd751c58351cf7f97b2d924b34c117b7039bf250d88725e

SHA512
beeb50cf4b5bf579527641cfeb976a0ec86d2a3a1d9ae36f9414a794a4ea4133e484d54cdf2ebbe47805991a8669c5a17ae733db7f1da6fa3e9f80f71acbbc1c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
195abaa6f0dfedd791f33cbe1a1cfb78

SHA1
470b92e23ad5ab6d3b1c47e29d0d229576665337

SHA256
3c65b41d58e4cd711074ca1c019b0d267629088122a7ed6a69d6f58ec46b4258

SHA512
43345447dabfbac395be005d1446e3c3963de356822f100451b0c34ff51e21ea72aed721850bb60a1a2a348cd2968b87ad4027523f376f1a5fe6132de860d4f7

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
5e6b91ca51e21e945dd45a4980013aab

SHA1
c46a12b4e7170097c945c420323c6152ad3e693b

SHA256
d4efddb6f592afae145d97ec6a0d39b11175312ef007fc596b3eed1d34999164

SHA512
b19db14b378236fc95fd0d8d25caea244426c787066fba42c9eb65410ad50d9a5bcde3cfbf323d1469f47d5ff510af7e967e34d3d8f26183a3126a8a5cffdc04

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
3dba091b38ccda01e14e5b046f603f61

SHA1
4ed39f7c2f94a92df38e1cc6a9ac3762e9179738

SHA256
bc23decad1a5be13ca18703fe48be11ee222f7e7d4e2f83af6e8b8f193ce1fe3

SHA512
a679e746e681c8a1fb89da61b072f11ddca745ea5881e0cd888df613e9b9b638090a08296fb2f15a8d1d06189618cf1b133f0f42f5445e6bbea38e493a9d06c3

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
4cc6bf2d60af41cb7da19431d7c036b1

SHA1
b81fa7796a25fc6fa05048b45ff55679d44ec09a

SHA256
9e6fe254a83aeafea93b9abb32755cf33dfd445139ccccb17647cda567fbcd9a

SHA512
d15cd748194a68dd96bdac221f5e4528dbcc1b0d53a6c114ca87694aa49dd29f792a8e92313d25bdd7941fcb291539f1d80a15ba7e1032cd13cc25deec8a9174

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
9c3b69b94af6bd74510547270163292a

SHA1
b98d95e818cf4f424f78595b3298e29e0c0c10bb

SHA256
eda7a4ed8fe8b02372b448505dabd9f7ebc03ff0f428925a3bb02686fd9b1c77

SHA512
7cc60ffb6d7eb1b427d9ff665f98473996284ec6e339cd35296bfc95d57842ea47e230def09dd9322c04cb6aabc1df3be90fb8f928db09ae4f21d83915c60b05

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
bd42cfb93c87249e9f57b80d8db4ea85

SHA1
e7498eaba475715c012bbb5f58749c26338953d8

SHA256
6d23448c478e016b62eac21a3763d72a1eaa7fb3f7c80a6601a53270520e4ca6

SHA512
f3f0917ac80a7297235b4b51e49d05d39bc86d2a3ef3befcc970d0eb278e9d7773898293c0a9b7d8e6652be7e696a3ae6b71b5f783173279352bacc1e45248a9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
0aa0bc37354ab89263e49d99ffc4e711

SHA1
0b0cdebcb92f7154c73544acbaf7eadf3b854ea9

SHA256
b60e2452672f776e72e5cbe0354261c75dfdd241afc368d51fd9a9f4fcf96a3c

SHA512
144fe296da77297f71d80a8db5b58ff6f62221f6616efa531fb0ef946d513583220e2a521ed709f5dc097f789f5a3d713dc7efea7c1247809bf42b171ae474cc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
dcdd00fa2e238baee6fafcd9f3ca3160

SHA1
2b5d70b9e7af96cc2fec0813001cb19b794c30f7

SHA256
47c211c200e6f1b5a1d7184b2872c5e7ab247647d961cd7377707a2e897861f4

SHA512
52d3ab6a4fa68cdc4a2cfdf190dde61340221fae63c17e3adbb678ba8a86da3676830b9e7ddd9030f0e21e7e389e6a005dfecc446f2ff8a49d937806e95f9b09

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
cf6727a58aae5e639a9b517e9361f92f

SHA1
5291dc8f4538168cf061864baf4024958acec7d5

SHA256
b3447047b977bb9e90e3506b2e262928fce1f541932e1b534758aefbb4db37a2

SHA512
776e1a1222426bf3c777bd6916f7a5578a5ddf2a3247c76eaa6ab402813e021f018590df87f0245c71bd33f359a39c1cdacd1430a78e959713c8fb7328f59477

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d321ea527d89899ab43d775450f338af

SHA1
470303f0716a23b354463ef19b4de6d7e3ff60ee

SHA256
d17a5fd7b7a44fe1545f74117c4b254db5c7bc6a36562f0f2f22bb7fb9ccaf20

SHA512
9c4c1bf2498a5b5ef50e4908da5f25d9792ab85ea2881f384c7c6cb5def908365109f4a32f2d65aab086877164467ffba0460ed8faa644941dbd9e3af51002e3

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
968405e590cfd6f12058d0908e0d032f

SHA1
b22453282cf53ee3a6e89422239cd2692bf3740d

SHA256
843e15415e7de5ace1ba5d8eb41a9df75bdd0b4d327b7490f384fdca2b4fc083

SHA512
168e28d82031cc82535f84cd4891059ed284f89f2071a3deee4b291c0ec28db96834737ec6d95848ba0ec638c81a306ed0bf743423e30609b1b6d2fd8018b831

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
f6db7b8ffb8cc46b7886c2f8fadd18cc

SHA1
7d2d279d5a6351e51ba8393199cea6510a6739e2

SHA256
ebba980f2d708100edb935f7e39f4d873158d24aed65f49f1e7182c371c8e118

SHA512
ce1c27f10ce6d58dc8f61d7df049a7f0953c2d2eabbb0899bfdd2c046af801463877a0a8fec70a7c3ee6cf10567de0f1bdfa263345d9eaddbe31d2e9967c3305

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
6df8da424ba82bdd38795cac7a26ecea

SHA1
0aa6d0828ff539fb2185eb974ecaaabb548eceff

SHA256
8263911228911a437d5712b25fbc4a9e775425687a3224672b052b73b8fbc7ca

SHA512
cafa3cc1ff1c47e31cbed922ddaa814163271b79735a90dcd37f3e6292254401987bc12cf190ff1b17a8ca4faa0b754b31d37b80512dbf3d1a4560677228316a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
5fef1ad3c8aa084894bba5c587827d36

SHA1
59a4570ce50a544b921e8d4ddc4902f2ce92281c

SHA256
c1c69d6e8678b6ff7129d8defe7fb01731d07784f5bf1b0609c68532babb5533

SHA512
8facafa1a34af14ac49e534d127bceeedb691adc17b356fe8f895c26f427404aa4964005d5815153137e192b849cf1e0944a40865049bbb36f626b2ce0f5eeea

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
b5ca56510b4dbecd996a60ef7ac269b4

SHA1
5dd20d6a2d499f6e82226a4a3e8b15a431a09f77

SHA256
7130e59a50e3eccc6f525507a245b8a12233b84fe966fd7af8d7c367fd3aa71a

SHA512
e1de307f01549ca323e4fffd57b90b1e79b37867bde379ca95c46a4b61fcedbfde4104d7b2e758ad5a3285fdad6f43854dfbf898ef066bf199c677983ec0e1a9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
88c639ba3374ef4d3f981416137995f0

SHA1
09b2f18ceffe53a02f2d6b89f96d54713147bd71

SHA256
8e852dbef9044c10e81e18eef1e5841f9c73df89cb342a66053d154cc2911d58

SHA512
40ced3dc7b0114d663b2e34e834f18f05ec6af526d9997153ae27f8e048faa6028a22d3a285ac8ec3118a8118a27b050751704a9e3c68af3e821eb03ca7a5e62

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
bbe459f7b1fe85456b10235b9c7d71a0

SHA1
ab397efc962553059256fbb57604185640439de4

SHA256
8cacf9304ab5cce7c255d9530107fbc2ab6761368d14caa563dacdc87310aada

SHA512
5c3aab1bc7570feff3602ae237e874294e78e419afa871e78dcd6c8e8ceec1374bcd5ea76ce2e30cfca2f119e1f106ed404ff4ae1fd40a14aed7a3ec7326b2f7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
6f7c35c4785d9b138cda3ffe43046f51

SHA1
808e4fde63ce2150acc7b27798670836baf90c2b

SHA256
7c0972ed6126dd434c405930ac33c8287ca054777dd9d4b090070b67f73a94cf

SHA512
7239360179736cce23cc384862664ff6ec1487f7db727facf8c8796cd1d3547d0347eef03f3fd8d0428fd4aef276962aee05bbded1afa829344d6f718d4c4f66

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
d2b9b00d04cc2aba58476bbfa13d4ca1

SHA1
00f4be3ef3cf73b431557f22b0f4192cbb6820d5

SHA256
980f411b3c685477a2b1bf4498bbfd63f1380639812e1cc9de1cf4824c3d2d4f

SHA512
0f2f0ff7048ce7e02b0420b7fa19dcc795963caae9b9097345ee9a30457cb6b8c7f209fb036e8772c5eef6eb4faca7a5e1fc9d1622de4098344bf9cfe72026e8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
36e3ac5f6ccbe5c81943e590be6d94b6

SHA1
545a9f23337e6b353b04c3e152519dd85e1e1dde

SHA256
0838d9a7f48d0335213b31949d5b52a7e94ff4086fe842427247187d22f78e9c

SHA512
468e714ee8951e1a23962012b72793e57d138906bb54d08ae922da4bb7dcbd73d5c753600f8c504ca8735870d2b514ef45ed7fd243a901eeb044e1155e9ffd2f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
699f71cb45c005637257b5593e61252e

SHA1
058c4d0608d9610393906aa2f47522dc9adcc539

SHA256
cab9737bf28ef4b997cbc6290208c6f1732a5ef670f2249908323d97331a4b53

SHA512
c18321f45060fe0f6c57e7554f49466e82c4d8126b8c3010fac2e235e6c431eac69a97c4097657d3c7d05d334da845f6ff3e3a39e8d4f63282f59e6d6271f451

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
c1828d9af63e1f2e552af12c62c3e3c7

SHA1
6aca084d42c18a36529f95c117718554289f974f

SHA256
26395f89be0c2236e3bd41ed43aefa56315a061ad00967b26e59565d79a54ed2

SHA512
0927f661b534ddaea9574b54f61f613408bdfe2ffac5c7153a622186535050828223d5f1eeab94e520d055c8fbf13f868ce274daa4a5f7808cc0745cbd0fa1ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
5b232f2ec5e33f7709f554291a0582c7

SHA1
8e09d16cdefd7434b6626535778c4d6aaa94502a

SHA256
539b48bb8997ee07f386d39e50b64b6a7f14ae24e0fd7c49a5d72e387860d5b5

SHA512
570f3bde7f527c8af2cefc04c0bb7d9024c2836b328a25dd50546cffc192d8256a276c6e8e07c0ca5afe06af86b819569f25ac6213e006588fc7edcc95e24d81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
cb4aee8e35b5b36d9c83a19f63e8839f

SHA1
81832bf03330c8bd2811178f5dd7de0bd3d349c9

SHA256
eb8c6c6bb26e1a175603034995d87cc97197716063b6b6d145f1372c076b0efc

SHA512
b26a572e9593598af53dacde362d40dcc7477092a295c8092cd9ad54a4d693f3b625d5808b153d06a8c28f5946463912a89dc6bb25d9b3eece39ba70947aa2c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
259eb96348c3ae8e0009491bbef893cc

SHA1
6d24abfeb3cdc1586082feb8eb568038022b5f48

SHA256
83aab301f2422b30e5be7fc91f282423b2c8d73534bdd93aa982ca82bb485dd8

SHA512
9abfcd3d1b74d459b0fb504de068cd0c386d837fd13b1d0b3dc37248b4c50dae5e07d6dc0ea6f6903caf35a49a94d9f947c3a60f0885f390da250474cd97f751

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
50a481631b0215d30b0617feab42ee9e

SHA1
f1fb1d2c9106c1e5b1a17725fcc3952d740eba09

SHA256
b301dd2ea79bf7a0dacbd7a975c3ed5c7b72054b994de2d1f3dd9ad2468a501e

SHA512
2f7e6149cc64ce13359afa05a7064a12afb11b0d4c3d4d70fefe436a1a63e3f8065597f32566046ba6b027cea785cdfa02c846bbb89a5c32c380505b230c4613

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
053da6ac2b40a6d3c4b3bf2bf73a165f

SHA1
b253c32fe89d4794c529eac60045e3500ddb92fb

SHA256
2629d9ad1e495e09f9b30666eacf5672eed43f7b3806a6c5ca23e55ca17dee2c

SHA512
b70e31fa988be50e69eeadcc8128b890f11f40ad185faf913040aae9ecaee96ce7e4de49de5add8e5e5686d53bd0f4ad5f770aae702f1ba95fa1d34b37ae72de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
eb8cded06a03dc608dbbe0cb52ae9b65

SHA1
8735fd213cb98e3210bda76ae035cd70cb60bbc4

SHA256
3bf29e7876ae005dbe380e08ebbf0827d368b0dfb15c2748c4ee6b4fc3a6a768

SHA512
30263a278a76c2269b5e71ebc50a2e2cfaa5a97a337ccb358c493cb35983ef6f7602950e343aa789f7079e1b04ec31d2b5e778379a93ac3817f5180a8103b5d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5760cd.TMP

Filesize
2KB

MD5
4b293ef6e36074d11d943e6699266d96

SHA1
c59e290054f47b0a4afb481a1f974ce5bd4d854a

SHA256
13713350069ea503b433abbd2932f6a25aad6afce17c2e0c3a0f787b58071054

SHA512
3238c301df585a7499d814c241bb461ab4b7a5e53ff040836183d3f8d07a3aece36d6a5f21f55a6bd69dbbcb913911fd1cd439a73de08143f809d4dd77f49009

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
5a209fb94faa59fc8b8dc7ab85936043

SHA1
f058b58e4a4a16405c9da39640168070132f714d

SHA256
8c5f15871f9f389fe608093deec7e8ae8a16022092d1afc5cd8f7626a22cf1d3

SHA512
b7d2f3536d675a5ef68a85d11ec681870ce6d691f2a0b5d47f0ca2bb6fff5c8420e5e7412628279ad767ab66c66368eb9d4229c8d8a0831fc3690be9e840194f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
251KB

MD5
b7a6503aba865be7245bc7044f0ca19d

SHA1
ed51c309329e1d23990251db71e51a5ede948e85

SHA256
c97de9daaea5ce2f7f75a8adb7ffd259e1f95b6c23ae3eecc04df29b4daf3c3d

SHA512
2ef70139be30470a8fb15b954863d07ca188bf7e93d9a629f5765e4f6804036ceaf9c003bbaebcc4592d8c63f619d1d9dec96875d35e1421deb6563055ea3016

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
b79b8b47507415f362385c0284dcdef0

SHA1
e561b2e8aefd5a07a862d0d8ec5396b4b0d6b2f1

SHA256
45dc3f1e08051d98ad771856129c6d7116e31052f629b12ba4d3ba4a284772cf

SHA512
854582fac21801a4a84ea1e1ff681e3620128a3a68ec6223ccd2e7527cbe0f04a66ca1738e9cc4baf187645ba49ad1933c03b7262651d5edaae5d159adf14c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
671923cc1b69284d5fd57a8e2269bafd

SHA1
21329b23f21b6a92dab276d74b7f48a005ad4b0f

SHA256
2457ec96c48b905474a64c94a511a937fdb5b590414d6b10ef1804d6d8ef72ab

SHA512
863e1075364dbaef025f4a0f3ca3515f8eee92423f1479834e208eef3bff96104a6f703a31104a019bd4fdda52d88c1c1c4eb35aad151a7bdf5b345023ebe34f

Download Submit
C:\Users\Admin\AppData\Roaming\b7ccea0102ae222.bin

Filesize
12KB

MD5
192ce898a20b25c8649b88ae7b326a4d

SHA1
3f1fc6cff233ff921177a7c0f370de116b3ee408

SHA256
50e0606b0577e8b473f51ecb203c1a498f3637e0e3e01ee278d86add7f762df5

SHA512
08bfe07994eb2dde3495aa35c23d543faa44804746e225947b07d3592a754b7b13c6728ed27af92f4cf2d3d63179a7833e86abda2f14183687caadf7015e4e70

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
526b760e5bef28db08bed321d9552658

SHA1
314159bb212593dbaa5720c0043c0f1a776f465a

SHA256
5ef3c5ebd588729220b084f52901a687afb75ed62aebc0f7d7d20116a5467215

SHA512
ef6eb4889c5e29e6d50511110a5dec1a66e5f68325bafabc401b58bf51d0e5c75b18229e07a37c0adac6a8ea1ab9d465bb9422a24073b8c8ba81de90dcec3e4e

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
9dad7092f7efa9b992c911b129dd228d

SHA1
25b53821f04c67f26b81a2ff77ea43c2d706ec07

SHA256
782adab49cc59b85ca1e90b3d603f211d95b2c88017ecc6828ebdcb15b133234

SHA512
1dd6c1d1ddf70565f03d565fe509646a2381837df7ef42a30046a5f0054857cc16237391dd33948a112c987feb60b1d0772d8c8ec32fccf37ee25daa64dd4645

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
5f70c61c410cc667e0bef88586e156a8

SHA1
1dcb748cd84f08117c62c26685522c8365b12882

SHA256
a7fa404668a229a84267e68b6969323e074e6b7aaa1b9fd2b2d07849f26c3007

SHA512
c60da5fa016b0bca057adcd6fd5dd4df7161b466154f061ddbd56ddd185dcd04fea1d963afca41dd51ea8fd6e4870a4c497b0a8e8e2259f71ff36ee8718ae221

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
5159b618358141f6eed0bf92a139d04f

SHA1
1637014d5ab1748f091a1bdfb19d24ab9b7f08ba

SHA256
69aab1bfb727060e6bc255e50a036c3e870bd8eb75a33d5ec51fd69d4cd67e88

SHA512
15404311b213ddca5caf21465ea62041c94a781ec9ce36f146320c3ecd4bf55c11798d28a29e72865850175b9e0c7358089b61a4e85dadcb02d1f801671dd411

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
ad77089666f333e415beb50f3d982d45

SHA1
fb469ea99700cfb9b73439621b2eb522e4b3d270

SHA256
bf59530dad931e54aeb0e5c3b5e55ead9efeef970377f3f6d5655524653e48c5

SHA512
e3250297d1518d326f96d11abe86ae063b05a1911bd4c51b8bcce768addb1dd9312434bef7ae7ede28e8fbf049ca12640fc05bc3b99806fb49577d353dea1c5a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
655ab0b0b09d37e386c746bb5faa4804

SHA1
411ab8ec56cdee315b719336ebc2d7f650a5c8a8

SHA256
17a6816486cf1c82471833a172ba14c632f3b3bf033791a9f21793301efb8257

SHA512
920aa37d0afb7ff3717ccd297d06d02022bfdb78f2938e5bab03ec6c426fa2f911316327923397be2db7fb29024db43175162c38ec6e6f279b225157d5654fb4

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
40d13f02a659d255f92b78d7d9c51f4a

SHA1
0ab82f46c96f5d058f1eaa9337bd3ab44db8d7fb

SHA256
08c3d86fa4089a44ded09fdc17938d34a082e2847dddccb9e44b64a430775cf5

SHA512
723e34dc4f81d2d512267fa72b41b8f3349e7a17e354b7b626a004b29f5372c6df06f39c7df67909646aa7cdcb8667e33bd9bf6e55a0c21f6c8f35e02d108f1e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
b92afd70a16733edd52a3d43763d2ac9

SHA1
7cf51bf2ed084f78101ec9491514dd4f30c1a464

SHA256
94a3e70067ba8e0532dc0afeeb531f14769d1bd3ef0f92def344be742204477c

SHA512
bfe0634a4c0a97aa0b90d516bc697ec46df3da98f351cabbe4b28495598837f4250b168a84c7d16a0daf0e37f09947a64a39be34dd468ba02d26d52861344caa

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
5a9788fd2cd888407bc5313eb2ef9af4

SHA1
ac1b03f38d9eb37de3ba228640e6e0d1aac3bc3f

SHA256
4edd576783db454c750dc6200e976b834845d1040b8abee4404cfeb5c493ffc4

SHA512
8621ce3aeb6e399660a61fa4d438a1b7fd6464de3d3d95ad31cbbbc561fd7fd43ac85fbf52a71842dc372172e310db461e9b5edfecea18a9cb1c3a643c3f57c1

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
646abb5211d0fc070fe2ea16d5e80fe7

SHA1
e2b079313ef9d42183a6692f26ebd1b5e49930db

SHA256
9334bd77813f6dd1c912669420c5cb442d0bbf3dd0e4fc24db9642a26c4a975f

SHA512
5d83715efd10bf4f1293c359c7a7f2751fae35b9013e13fb56010694664b171151c488cf0348b4f1c6ee52a63242f85717439cc934c35b6604e1aa923e259cd7

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
a666f2d36891d3aec547b7a3de8e5a73

SHA1
7eef9de34bf86a59f1604deafdf491ba28ea9e67

SHA256
448fdcb1c164ccc6197542c16bf34422ad968fe660b15e256746c0eb96c0da37

SHA512
93ad3622596bf430c66f09d3716d9d300820ebcf7f93f26ad1e563a352ad16df9e05f6cec6d6ec56242ba6aa387e8707e7aa614b09a236e3c5e660d324a96cfb

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
ef83a1f7535af795f2b0929d72c7065d

SHA1
b691d5d41f9bbbda80663321bafaba0672cb74f9

SHA256
5222c818d37b8b8b40a5268d64d25c4b5dade4ef9f710144f3640a8cccd81df5

SHA512
0c443374e373ce26cfe3fb587935dc49d448bafb99dab45267b2eb00871372aeb05325a797ceee1565611625189ddd7c01f24d81da2d4d8a9ca77977ba668d2e

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
fb53ec89a2d258d0b2343af434e048e5

SHA1
19d075062b1613306206fddbe5c827284ebe32b2

SHA256
356ce1031e5b5c369cd8fd44fac0c5c2686adba56392ab0c5159c090a0eb8c5e

SHA512
01e5ecce3b1723f60759c47a87f45820239cd02e34b91223550a0c94325734b9b590f0021831fa41ab4f0314e3c45626f40cccb4386906526c60b64e96dd2332

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
ed69590e3f476028bc397a31819c1a75

SHA1
526ae65b07faea2d24e98a3fb20a4def978ff012

SHA256
51600ab9f17f9d1107a48ce69f3da2d9455addc4e5d1adf0d69d73c4a2631d32

SHA512
3e7e2e7e23ca6f71631161bea1dce10d24c9b0c5f8abee07233e3502e2af1eb6c9338d382296d0212fb6181f142f88aad6fec21ea38b94b26590ef47d7dc918c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
2454cd5019d904ce788a88c19e519baf

SHA1
b6e687828f44b6d15ec56c6dfe5b2fabca9c9992

SHA256
4c1d323029a710bdb5ddab6431154f5c39e0c92a23406968c91141cb4ca565dd

SHA512
be25f0d0a413022067b2088f6d4dc2631abb60dc9de2a164d4482c7c4202a56e6b0350204d5671cd3eff44adbc25b79abc5bf7e28d0f8870b1cacdbb49c2c5a5

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
25d51215059930300e592e46d60c3468

SHA1
23fc5902af6e5b344700250c52a0a030d11b1bba

SHA256
f0942a66afe431d6146e73e662aa1ba463d7fbf566ab71eae3868feaa6cc2e48

SHA512
5acf96a09c9f122a7371991bdd1b3f64968525140aa5650772821765aba494d0a5fa51f73117a2712265278f302bdb8e3339a367c2da1a69cf22ed24055be590

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
1c8d68ff908816cb0de900b4373be30d

SHA1
002fc35b162f1aa45651a376c2fd0bbd877c8d0d

SHA256
5f011d460be1d9d2762db26050a966b38b67a1af6821f684bc2e780932efc523

SHA512
7601fcc1ede4ee5d2a93934e64505209740ceadf847d4ecbca3487ffc1dc8d0e1f9475becbff00937e0d998d9032e35aa9a967557378721432fa7f28c78b5b7d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
41aba969caca72b798190aca1e55b685

SHA1
11b5f283e186b691c8011563b78445c28bc3ca9f

SHA256
25828344dccdfa1d7787a8edbc50a233028ceb35689209ed843f3371bfa8ae6d

SHA512
cfe9e3441f19799d513358cbd91a94bbf847803f33e30136d20e4f1008e8119b53a080f362d00fd7121cf5327bfd5eae860f36d6d53aee3ed5208c474bfa8ba7

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
46d8cc58fb75731c9c27c4055e530c55

SHA1
18b641a0a11806aebe197434dcd1f9fc4ea5e8ff

SHA256
496b542f566823fe4d1751c9c2cdd1cc897a1551cf82bb555cb761453c8b1a1e

SHA512
9f63ba75dc3cdd655eef4dd803c8769c8d4e2cace36f4c4779656493a55981c81b68fab3e100dc2746708d9b738ed4138d8eabf2655adbc5ce3bfa9f2d493afb

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
09d11c23c86fc8a6bdc9f6dfd2028bf7

SHA1
f643560f91929460473599461618c5e7a5d2aa9d

SHA256
fb90bbf7ff3ea2113b959991d56f3d3362b41d5baf346631de8940bd80a82209

SHA512
76ec841b25e38c218c839f65c1ed48e5826153b8baba92c7f0bbbf05941d810f7a1663c8354525e764aba7041e8e5e70d577d8e79a0898d727e66ccc5a635aa4

Download Submit
memory/440-305-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/440-311-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/440-376-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/440-377-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2144-14-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2144-105-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2144-23-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/2144-12-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/2316-97-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2316-94-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/2316-111-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/2316-117-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2316-102-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/2332-575-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2332-586-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2728-109-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2728-16-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2728-30-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2728-17-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2828-341-0x0000000001F80000-0x0000000001FE0000-memory.dmp

Filesize
384KB

Download
memory/2828-333-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2828-368-0x0000000001F80000-0x0000000001FE0000-memory.dmp

Filesize
384KB

Download
memory/2828-367-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2836-83-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2836-330-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2836-68-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2836-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3076-598-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/3076-591-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3112-128-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/3112-115-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3112-387-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3112-114-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/3172-353-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/3172-424-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3172-434-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/3172-346-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3368-57-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3368-303-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3368-37-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3368-38-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3552-50-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3552-49-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/3552-103-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/3552-62-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/3552-107-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3708-563-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3708-570-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4228-480-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4228-481-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/4228-476-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/4228-466-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4300-604-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4300-613-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/4300-617-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4592-500-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4592-509-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/4592-560-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4792-326-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4792-317-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4792-421-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5024-43-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/5024-1-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/5024-0-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/5024-7-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/5024-34-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/5408-483-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5408-492-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/5408-547-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5768-574-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5768-517-0x0000000000830000-0x0000000000897000-memory.dmp

Filesize
412KB

Download
memory/5768-511-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5768-584-0x0000000000830000-0x0000000000897000-memory.dmp

Filesize
412KB

Download
memory/5868-530-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/5868-522-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5868-588-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5968-550-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5968-556-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/6068-535-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/6068-543-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/6068-602-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download