3d8bc487164ce0bb9ceadba638fa7436e086cdc93a25a0fc6a908d816c53ef44

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2024, 11:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
Size

3.2MB
MD5

c0feb97c2d3c865c083f68a9aa4a8811
SHA1

bf8258127be270034dccf2e1215712895737bffb
SHA256

3d8bc487164ce0bb9ceadba638fa7436e086cdc93a25a0fc6a908d816c53ef44
SHA512

c9c1591c2ffbb8e539aae2e48b9e77ba7ecf2267e160d86a8c249ffcf1e1689bba51432c5dc98766077ffa7af184ca8ad0113ce35b85a30dacbde69fe8c68be4
SSDEEP

49152:x5k1YCdptya507NUUWn043oHS3fT8YwVq1/xT3DDbw0TUqydYNttUslCGGTrIR:BNhS4Yw8yVUtRM

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2644	alg.exe
1244	DiagnosticsHub.StandardCollector.Service.exe
864	fxssvc.exe
2688	elevation_service.exe
3832	elevation_service.exe
1296	maintenanceservice.exe
4368	msdtc.exe
3664	OSE.EXE
1452	PerceptionSimulationService.exe
1400	perfhost.exe
3292	locator.exe
4964	SensorDataService.exe
3648	snmptrap.exe
5132	spectrum.exe
5344	ssh-agent.exe
5648	TieringEngineService.exe
5836	AgentService.exe
6028	vds.exe
6124	vssvc.exe
484	wbengine.exe
5708	WmiApSrv.exe
5424	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4664306c102ae222.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000085e5bd0ee393da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e832cc0ee393da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c85d760ee393da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009716920fe393da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009749820ee393da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007d45df0ee393da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
1476	chrome.exe
1476	chrome.exe
3440	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
3440	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
3440	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
3440	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
3440	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
3440	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
3440	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
3440	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
3440	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
3440	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
3440	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
3440	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
3440	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
3440	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
3440	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
3440	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
3440	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
3440	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
3440	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
3440	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
3440	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
3440	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
3440	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
3440	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
3440	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
3440	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
3440	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
3440	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
3440	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
3440	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
3440	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
3440	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
3440	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
3440	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
3440	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
5660	chrome.exe
5660	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2980	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
Token: SeAuditPrivilege	864	fxssvc.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeRestorePrivilege	5648	TieringEngineService.exe
Token: SeManageVolumePrivilege	5648	TieringEngineService.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeAssignPrimaryTokenPrivilege	5836	AgentService.exe
Token: SeBackupPrivilege	6124	vssvc.exe
Token: SeRestorePrivilege	6124	vssvc.exe
Token: SeAuditPrivilege	6124	vssvc.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeBackupPrivilege	484	wbengine.exe
Token: SeRestorePrivilege	484	wbengine.exe
Token: SeSecurityPrivilege	484	wbengine.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: 33	5424	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5424	SearchIndexer.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
5552	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 3440	2980	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe	86
PID 2980 wrote to memory of 3440	2980	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe	86
PID 2980 wrote to memory of 1476	2980	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe	88
PID 2980 wrote to memory of 1476	2980	2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe	88
PID 1476 wrote to memory of 4300	1476	chrome.exe	89
PID 1476 wrote to memory of 4300	1476	chrome.exe	89
PID 1476 wrote to memory of 2492	1476	chrome.exe	93
PID 1476 wrote to memory of 2492	1476	chrome.exe	93
PID 1476 wrote to memory of 2492	1476	chrome.exe	93
PID 1476 wrote to memory of 2492	1476	chrome.exe	93
PID 1476 wrote to memory of 2492	1476	chrome.exe	93
PID 1476 wrote to memory of 2492	1476	chrome.exe	93
PID 1476 wrote to memory of 2492	1476	chrome.exe	93
PID 1476 wrote to memory of 2492	1476	chrome.exe	93
PID 1476 wrote to memory of 2492	1476	chrome.exe	93
PID 1476 wrote to memory of 2492	1476	chrome.exe	93
PID 1476 wrote to memory of 2492	1476	chrome.exe	93
PID 1476 wrote to memory of 2492	1476	chrome.exe	93
PID 1476 wrote to memory of 2492	1476	chrome.exe	93
PID 1476 wrote to memory of 2492	1476	chrome.exe	93
PID 1476 wrote to memory of 2492	1476	chrome.exe	93
PID 1476 wrote to memory of 2492	1476	chrome.exe	93
PID 1476 wrote to memory of 2492	1476	chrome.exe	93
PID 1476 wrote to memory of 2492	1476	chrome.exe	93
PID 1476 wrote to memory of 2492	1476	chrome.exe	93
PID 1476 wrote to memory of 2492	1476	chrome.exe	93
PID 1476 wrote to memory of 2492	1476	chrome.exe	93
PID 1476 wrote to memory of 2492	1476	chrome.exe	93
PID 1476 wrote to memory of 2492	1476	chrome.exe	93
PID 1476 wrote to memory of 2492	1476	chrome.exe	93
PID 1476 wrote to memory of 2492	1476	chrome.exe	93
PID 1476 wrote to memory of 2492	1476	chrome.exe	93
PID 1476 wrote to memory of 2492	1476	chrome.exe	93
PID 1476 wrote to memory of 2492	1476	chrome.exe	93
PID 1476 wrote to memory of 2492	1476	chrome.exe	93
PID 1476 wrote to memory of 2492	1476	chrome.exe	93
PID 1476 wrote to memory of 2492	1476	chrome.exe	93
PID 1476 wrote to memory of 1260	1476	chrome.exe	94
PID 1476 wrote to memory of 1260	1476	chrome.exe	94
PID 1476 wrote to memory of 1016	1476	chrome.exe	95
PID 1476 wrote to memory of 1016	1476	chrome.exe	95
PID 1476 wrote to memory of 1016	1476	chrome.exe	95
PID 1476 wrote to memory of 1016	1476	chrome.exe	95
PID 1476 wrote to memory of 1016	1476	chrome.exe	95
PID 1476 wrote to memory of 1016	1476	chrome.exe	95
PID 1476 wrote to memory of 1016	1476	chrome.exe	95
PID 1476 wrote to memory of 1016	1476	chrome.exe	95
PID 1476 wrote to memory of 1016	1476	chrome.exe	95
PID 1476 wrote to memory of 1016	1476	chrome.exe	95
PID 1476 wrote to memory of 1016	1476	chrome.exe	95
PID 1476 wrote to memory of 1016	1476	chrome.exe	95
PID 1476 wrote to memory of 1016	1476	chrome.exe	95
PID 1476 wrote to memory of 1016	1476	chrome.exe	95
PID 1476 wrote to memory of 1016	1476	chrome.exe	95
PID 1476 wrote to memory of 1016	1476	chrome.exe	95
PID 1476 wrote to memory of 1016	1476	chrome.exe	95
PID 1476 wrote to memory of 1016	1476	chrome.exe	95
PID 1476 wrote to memory of 1016	1476	chrome.exe	95
PID 1476 wrote to memory of 1016	1476	chrome.exe	95
PID 1476 wrote to memory of 1016	1476	chrome.exe	95
PID 1476 wrote to memory of 1016	1476	chrome.exe	95
PID 1476 wrote to memory of 1016	1476	chrome.exe	95
PID 1476 wrote to memory of 1016	1476	chrome.exe	95
PID 1476 wrote to memory of 1016	1476	chrome.exe	95

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Users\Admin\AppData\Local\Temp\2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-21_c0feb97c2d3c865c083f68a9aa4a8811_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=92.0.4515.131 --initial-client-data=0x2c0,0x2c4,0x2d0,0x2cc,0x2d4,0x140221ee0,0x140221ef0,0x140221f00
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff8e4cab58,0x7fff8e4cab68,0x7fff8e4cab78
    3⤵
    PID:4300
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1920,i,17579244201114649982,1726439167040679334,131072 /prefetch:2
    3⤵
    PID:2492
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1920,i,17579244201114649982,1726439167040679334,131072 /prefetch:8
    3⤵
    PID:1260
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2204 --field-trial-handle=1920,i,17579244201114649982,1726439167040679334,131072 /prefetch:8
    3⤵
    PID:1016
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2920 --field-trial-handle=1920,i,17579244201114649982,1726439167040679334,131072 /prefetch:1
    3⤵
    PID:5016
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3048 --field-trial-handle=1920,i,17579244201114649982,1726439167040679334,131072 /prefetch:1
    3⤵
    PID:1444
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4288 --field-trial-handle=1920,i,17579244201114649982,1726439167040679334,131072 /prefetch:1
    3⤵
    PID:2516
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4508 --field-trial-handle=1920,i,17579244201114649982,1726439167040679334,131072 /prefetch:8
    3⤵
    PID:3680
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4548 --field-trial-handle=1920,i,17579244201114649982,1726439167040679334,131072 /prefetch:8
    3⤵
    PID:2460
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4948 --field-trial-handle=1920,i,17579244201114649982,1726439167040679334,131072 /prefetch:8
    3⤵
    PID:3680
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5032 --field-trial-handle=1920,i,17579244201114649982,1726439167040679334,131072 /prefetch:8
    3⤵
    PID:3088
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:5284
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff79722ae48,0x7ff79722ae58,0x7ff79722ae68
      4⤵
      PID:5448
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5552
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff79722ae48,0x7ff79722ae58,0x7ff79722ae68
        5⤵
        
        PID:5596
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4808 --field-trial-handle=1920,i,17579244201114649982,1726439167040679334,131072 /prefetch:8
    3⤵
    PID:5952
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1576 --field-trial-handle=1920,i,17579244201114649982,1726439167040679334,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5660

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2644

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1244

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4700

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:864

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2688

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3832

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1296

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4368

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3664

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1452

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1400

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3292

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4964

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3648

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5132

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5380

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5648

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5836

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:6028

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6124

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:484

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5708

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5424
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4504
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:5584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
3437272220282418942241e934d88936

SHA1
e926f4289020dfd28715cbb8ac67b964ad210da3

SHA256
be713ccadafec8364535ae310dfa42c872d2a37b3e61c5590910594e13b66b40

SHA512
dba394ee4125a4c52f4c74f2a6d49583edd091cfd8d834f04d3d19f20a92af56fb5dd8f349eb8c83a6f8df322d79f3327e826a6c35c22a988eb4ce2cc3748e14

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
69e444f893d668623b9647d5d08bf422

SHA1
915df0eafb5dbe3f9f13b059a7eaef5c67e0e1ba

SHA256
83845d89a485830299f67954a235d3c50affa1f4bc4acb25c709b61a864f9e78

SHA512
e096a9f82e3445be84d08e9102d3f41286710808994f191e48373cbb1d72541b70acb1abff3e0b0d5cb2bf7c9aef851a1b03f1c5ad1301f5e4bee36fada9f151

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
a4328aad247270646e708d7f0ed9949f

SHA1
77685697912c018eee669ed986069b46da3e3201

SHA256
f998a2f8a11d32f95c2e1fb96d3dc64552074d9957ccd91b9afe31132c67f20b

SHA512
605b4c8098b3cb78052d31bde48e6b72bff77919219df19cb8c70d3bc0f416f7aad31e7eef6d90ca3ba26221d89d6a22b49bb3e8073f8ee2c806b6a457033796

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
a33a078c23462108ce3893e8407f7b56

SHA1
d53c27e42eab8567454086184e7977c6d17626bc

SHA256
23fe3226228514a11e2f36d1702ebe7958aae1fbfeb498dbe918e6024dd928a2

SHA512
7c6dc8180445296ee2fa845cfceb5bb869aca6630ceb5758410923365dc94df1d91a18e4bec5b4c332bb02099b66e5981915d953bc24410126ff82e06d3998cf

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
cc2678b1961ec92d1c4b26d0209f457d

SHA1
65ddab5ee0a511d6c82c22679a09016548253af5

SHA256
22cf435839a0760f4595ee5448b8ae46d3272aecd85616f63007a239ab3ddd0e

SHA512
3fc51983947c14c210636697a9ccdaea59bac1759ee797e242a53c3a60d7a64a683f3c61b2aaecf901753ca50d0eae3ae64b501c9cb5821fff1020ef2d948909

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
893bcb15160204285d87e4532caa4b23

SHA1
b635d4b404d0c58527d83014091d1801cb6eabb2

SHA256
428d8925fc75857a60c84bdd6708b86bff81ad3e611749496d6ddeff7d349bd4

SHA512
0f0e7e2eea2afa2d0b9a47bfd996db70220ad13e3a0b98d98ad1f9d756e48c29464bf75b489537320ae1e52a9e0c191f4f9c05ec8709d18e7216336f7a0804e2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
8abddac2e8c7b5f946c308b2edda6485

SHA1
d8057b606a8283dd5d70b9cde1203e37d206ff1f

SHA256
a7e599c6e75bcbce5c585455177364c95502a441080564c4a340a37ddcb2c415

SHA512
8055803372a4b9b2a7ebcbddd98e52cb252dbe50a8ef900aa03dfff92b2248c40e891aa3560ab3bab1094a2914e5c36a0e2b511916837a2ef2d77a8a20765e0a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
7e91f99cfbc4a9f0a11d2006a45edfc3

SHA1
acef364f7bb163a73b26953c3b2f2bde63cabb21

SHA256
04a14ccf134b1b971c5ac7534a9ce81501a9a03d1bc35283e4c75f3ecaed8556

SHA512
c0bf1ff10c625b30f87b776a2aa10f798a12748da6fc046df2480ca3013ef4ba61332f8fee1bb63db787683731bbe1c1f15d8fe7f6b01398d73d5a66a34a002b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
cc06476aa5b684b50a4efaabdc9e8598

SHA1
4e096204c8b168570b1af2f1e2824b64f06ac67f

SHA256
b9284e8a8021aa15fdf45d552de4cd6b1cafe54e5775cb375eb58d6a9670c5a9

SHA512
5d9833ab10eecf9850bfcd1265691e690aeb6eab69d132377ab7a86557a027b70171574e94447714d546d76aac4832db28195132ee8c2f1be9d893a45ba19925

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
9bd6433f4ad96a0c516fdae2af06e181

SHA1
9ceea8773d70cf2c4048f9a9f65f6a08bcf213ce

SHA256
f731e4abbf3c6203bb6146d3ad85290f8debf1bfd92c15494125153e09e0a1f5

SHA512
51f03408cc813ad997c9f0a374c72dce68a613104c7d95207ef826cdf55418aef998ccd283dae4463eb49bb144b0924aba2413444949631d73748457c9239ed2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
b9cec34c02f790ca566f7e0be618682f

SHA1
2cff51d88b34d576e73aa972e631cf8db84ba2eb

SHA256
74f5c2b2675ea7f504c7f81e65db4a082114235d5fa454b09b29265ad6380bb1

SHA512
64471873114882532b7e2b07044ba50a0977c2656a0bc6749356ad23621d301a0e35d90e4dfd1adeca1ce9b163fc661f950a31b39fb4d9d8dcd91801f35e381a

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
f7ba62b5406461d98a549688d3f58c0d

SHA1
50522b81307e38829847cd6e13046035990113e7

SHA256
70540b51215b11f7c3fefbaa84cb8ed8bada1881a506c4dd89191557cd3b4e70

SHA512
7aaf38c235fdc24d3bcd01a2aab10e7d17f659fdae1533d53a351410a1c1f33a5273918eecd4db48301574f90bfb3ef609a41d22623aaf0857fc67b483961c3f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
c7fbccb341c9bf3ed911f21a7879d0f2

SHA1
eea8df978bfba83c0f5bb7882fb93729f9da075b

SHA256
6f24a346992ba2fb64000e16876bc0a5a9c1cc468bcda56bb71e8ed08dfe0dd4

SHA512
379c0414700f79afa61013911ea77a5bc869d9f1f83d1db5daa76dfec18b69559c05212135c98f9219ea3e8c246b197e65c3e45fa80616b5e6bfa5e94debc6ef

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
a98dc810f244dd881c60850daa7928ce

SHA1
1e4ff86fe643db975c1c43bb03d89346c6636ea1

SHA256
c2784b554298441693b24d38e4238003f2aeccd1de9e82ebe8bf89f5211a0957

SHA512
92d1ed155e53e774c296795880c8fb1e6ad156a5fb70a726d3804674af019c6c6ed6d1201ec0664775fd5c5bbfc2b843bf583fbf1ca753c3afee883f050f5663

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
67d5f4835b5e318d6a5502c3495cd8e7

SHA1
c43786b9b231c341f0258ea59aef3db32b4ad8f6

SHA256
90cd7fe54a4531d3a05123b15f0f66802352f7504d229a0abf8af3b32a79357d

SHA512
1bcbe19171b5182528df3473025e480dd981b55ec570ec8d20ba5d18e58769edfa201af8f3c18575b11f64996198d71aafa922986c5d98101aac431ab4f0f4a9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
7f5b75ccb79edcf9394306cdf7a8e589

SHA1
a008eaccb8dfbf06aa6f0a612ac52f7619c6a842

SHA256
5bb22f2b4c79a0fd63fc871f1dc0ac18a8e81ef68e1840b96cdaf24a96bcf524

SHA512
b2fcb64659eec53baaab0aea2e6dbbcb734ebc2a535c003172ebcd2e1096448b73d15643d5ad683eb7064201c70c294bb44413c2c6efae5baa0b547dd06267b0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
28bfe109e915520360f591f3d507ed37

SHA1
1cf1119107439fdb3c991d8d03bc0d6340fd4332

SHA256
c36199da56378a75d536c5ec4397d493dd0eb3769af49978808506224b39b41e

SHA512
a8f49b7ede94c0020eea1b90cd87b70f10cc75f6439598decce4554f1275ba48ae15dab17dbe20fd22d200eb9383a87ce50b94239ec0c6172207bb37defe6b21

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
b7a4825719bcdc6e3c4f266bea88401c

SHA1
8f2dbec258e5150f629fdef08be1dde24c965a15

SHA256
eceee0309b6794c207b313c8861904570443e12ff16ebd559ec903472e6d0ef1

SHA512
d0fb1014500232e7ca08e446bee9df7e172c9824a50bd77412145847b77579acdf5a3e7ed2629769a2e3185c46a6c610c3d587a1c723b5f84b462007c0a5ffc1

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\20240421115709.pma

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
9de028ba5ca49e822b4d49fd3e7a53c4

SHA1
714474b1f9cde85fa1f5829ee2393b80ac6d7b47

SHA256
590b041a2e7a7defa9801024da769b3d71ef891f79fc9283dfa62706f39612e9

SHA512
1802ae183a020d71c8294837fd41989a7adc2c77b5b0e2d80552482cb86768d0170b45e660c1ff71832822223c9a77137936ed10ad0e25ab3a5ef9e841de122a

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
5e9d94d6ce528bff25e85df8fa5b8799

SHA1
f6bb131c3a0fbd7daa8b8c020c5e75079d9b41be

SHA256
1719317f6596b2a2cf56d130b7f02261cb29bdf2dfdb96695b22d7ce83a7b43a

SHA512
b7626026c06ca713277e3d7fda8259f42b78eb3232d1be48abf4dfd464eef86b007b8db31db3a7873d05b4bb2df3d28a5dba2bc22b67c820c269d7d3281c527b

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
742de1e8f80e3c5e741b625d36d06393

SHA1
8142ba1690f8a985d5bc6db8879a408e7c68c591

SHA256
4f52180b343c02910cb241a36c6f1682bec9434a3286e3db5960c76b95a3935d

SHA512
b82425a56c17f92df4da1b766ee23d82c0329bf2b911369397313c3f34dac291eb30672fc0bc4ecec48e491d92e56791ee694ce9142cdfc9a6002fa8807156e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
5b232f2ec5e33f7709f554291a0582c7

SHA1
8e09d16cdefd7434b6626535778c4d6aaa94502a

SHA256
539b48bb8997ee07f386d39e50b64b6a7f14ae24e0fd7c49a5d72e387860d5b5

SHA512
570f3bde7f527c8af2cefc04c0bb7d9024c2836b328a25dd50546cffc192d8256a276c6e8e07c0ca5afe06af86b819569f25ac6213e006588fc7edcc95e24d81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
a9b7d2845c3b8ef616c23b80f7779973

SHA1
7faf180ec2cdc87c42d45ebe1c711ef60be0435b

SHA256
8019d5c801cc3f6b9652dadfd6ed32c45a645833e52f024845cac768f40b1702

SHA512
314eea56f8e193f7be0005ae79fe6f00d7b3e5f68f4df3e905bf45c12bc6f1a38a62b8622b61b553f9df77388fcd5c3411fce06c9c734ade7da43c89cb6545f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
352B

MD5
34354509768af19ea7f2503dc5043b37

SHA1
5f75e9cc19968d868d8e7cdfe6aadc5962f47c58

SHA256
f516341155d48453de605f1d77e4f168505b56dd51983aeee1cc95698555fed0

SHA512
217bd34bf3444947911e2fb0956eb2442ea166d12e1ae1f107cfc1e988bc00f078400ebaaba513b523a51950eb54228ad7dd3cc12fc3ebe23cbe930ccf834299

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
f58fba0a130bdb1502e9cb370e9fc420

SHA1
31ac065dc4161162c2e961ef4f432335af555d5b

SHA256
642395541ca9b4e69dc22b770ea9ef433b0154bbd59488ba954dc8a5150d92d5

SHA512
2f4ca05977d756b39fb9f4da9278eb999564a320b251ecf3068737271a9d99f727a8621812013488d960bcc7bf35d9fa9a2cdf9a70680ac2d699f04f04b43e2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe576b1e.TMP

Filesize
2KB

MD5
4b293ef6e36074d11d943e6699266d96

SHA1
c59e290054f47b0a4afb481a1f974ce5bd4d854a

SHA256
13713350069ea503b433abbd2932f6a25aad6afce17c2e0c3a0f787b58071054

SHA512
3238c301df585a7499d814c241bb461ab4b7a5e53ff040836183d3f8d07a3aece36d6a5f21f55a6bd69dbbcb913911fd1cd439a73de08143f809d4dd77f49009

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
8520a713463c88ab1195a3245fe771c9

SHA1
0f6605b3b2c66dd3315d9b97caa0fe6a444881c6

SHA256
b7052f3d6331cb8ca84b6c71ad25473bce1065b82af5cf424022f921c1c99fb4

SHA512
42767391d8b5e29613b0cfec7f3047ecb778a447c4b5dff2b6334e668093c9255965cedfbe7e67b52772d0b7958f526b42e911b66bf8d41996f6a1223fd49ab1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
252KB

MD5
ef21be778dde90d61200eaa430b74d3b

SHA1
cc065c09fea5d04481012470401d2d7b453777be

SHA256
b83e3ffb4f3150499cfa4a07bb12df0efb2bc2d09783066c304f0e8035d06001

SHA512
4ef1fd1ce28427529c66f6102373de19fc14a5fb520435ce0d25b8b7cdd719c2f56317c0ab667a680019ad6071e1813db1ffae979456d3d486806beaabd0cbe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
47d0db9a5ea7d393fb1eb69bc5006cdd

SHA1
dc98d271d8fe6a44fb126124d1479e9d2aaf970a

SHA256
979d6c77ce9357ea40285ec9557ce236aa377a4233a361bf04fbd964a151da95

SHA512
4a46a784874e5e24234cd46e08d1a96e14896a8169e85e6446e878190fa54fabd67763fc8fc6ea05b0c781249f3be46757e02fb0979cfae06f6a7a6326cbc5ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
5a470dc8457baf98f23c863cde09b866

SHA1
047381e12b84d4635de84c1e33da82cbc7205b16

SHA256
ee2f22a7421bebb22ee2456d79034756954ee7edea38ca92950a8db390f0cd92

SHA512
b3dd2493b8ae4e000cc8da594d11248f36ee6b5cb3c54ab029256dde125493decfec0c2524d602e3f416d33b78e388625051b852834b294062a69bbb1d04b835

Download Submit
C:\Users\Admin\AppData\Roaming\4664306c102ae222.bin

Filesize
12KB

MD5
dc84e7482d04a2a50da0f7bccbc78dd8

SHA1
f0bfb132bb6a2146860c952670b5b7b80305c4fe

SHA256
58d38e351943ba756614a8b6f91c66ec680473dffd2d5972b6ea7a4e5cfb6445

SHA512
e88f5454c4933392f89e5303e04c29b6c762a98f3c50e3d6e3b5aedf873a70c829e8d1b2355e16551250b4cc905ad4d738edf46bad7417eb2efc4766a3ac4312

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
82774ae8898f54cc8dcdf4a30e9cfd2c

SHA1
9969978e757b1bd602b5e1540ce194220b042a4c

SHA256
5d12fa8657826493ac07ff73f36d812c550775bf50eef9f37ca02f460501ed0b

SHA512
7fe016a1f38c13b5f2d677adf8270e44b7813915984d91f780be7570d830fceba6e816d227e5d1b5b1e6bccda14cc92e5441062787490b6a2998aea36f12c772

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
1e8afebd347ca1b54cdcac1137203574

SHA1
ca5d4ef153eaef276151b09d7162926f64aa167c

SHA256
5ba03a97a9414b819c4d4a50efe64ab1db4eff097d2c02ac9054aec5d86360b9

SHA512
3a29f070fd1539bad2783d63b0376e65a36a7120c3b490453cf3b2cf75e40228dae082307b72ba20d1a4365c72a1b267a1cea5ceb5acb60c5811dd318fae54b6

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
0c47397f4393968897e0f9037be54bdb

SHA1
8c94ae2a2df38e7ab2e4a387175b06c2e82c35f2

SHA256
7d8e531fee5715b901937dd369c5d964936bf8fd19b7cc8c81ed38365cda35bc

SHA512
54eef537d6246152869bdda989f0dc59544b1b5a80116c8a555ca8a56355a2cdb5946b4d502f723fc37514919ebaf2eb05b1d66d255586b03e75d70b1516dc6d

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
40c5575f2c86adf52fba26cfa37344a6

SHA1
bf11caff8e4df77f0653d689f7399171b96a013e

SHA256
c8f254258a5af2ac2c46d94bb5289eb033bcffd5a8c49c70b2b7f4e40e0bca34

SHA512
17269cea137944767c579a46c9f1a8ebf746274df58890fb5970f5663befe2d8008a6aa075ea55be4b4e4eda17e28f6083daf6424d9550903833ce4231ab0a21

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
7cf6ef82faa9d10fed06a867917b341d

SHA1
9338210b77f519cc87fbfc44a7d54fb25ec9d602

SHA256
2c8aa95884645cb70557e701ed0dd0d1b4e276fd037b3f71cba8f0fcc1904afd

SHA512
d1b0740b3f403b9e522730c56b5ba6d6a9ef641835212878104cd789179a845526d0711ae8092a8e0feda87e743f2911aebe1486379c2bc50ce53fe2e8314120

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
4678b17921c99558ec0c9772a9ceff0a

SHA1
b9279a0b428fca433a7f75de613ba658575d45ae

SHA256
b9d4e18fe6cb9342b3dce4415aac66963f45becf95fdb797d0779342fa1021af

SHA512
8d41e2ba51108eeaa23dc7eecaf80a797477dc078a2ace85291532e8eae941d5a4850a9c811e6b38fc6b170326fd384ae3ebdb69bd088370e25741c3f7d21d75

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
9b9ad0ebcbd3c979d46dd70a6d8f52f2

SHA1
990e3e6d00ebe191b5e72800352740f187434331

SHA256
22d08265a912679a620c9c93141d752c0fa658cd575f9a98d53a87497ceb4577

SHA512
3d8ca7692c10d642ef9f56d501061dfd0529530324304a9d3e278b32003739a890a2b488df1d94dc339fb1b20481718ce0cdb27ca38d59208529e98d27f31e0e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
6355f2f3ae08643914444c755d420d70

SHA1
51cd8bbac5804638f891e955c0865958d0a06e4e

SHA256
f47f536747895f2ca62454ab69aa8c240f30b5adf6f31828a12a83a700ea3161

SHA512
e432419a330e107b0fe46bc41f70f48a5d871c2ff641b0d95bee05695dacba48976a32b07156dc248a429522a945edab38d3f12753cd784241893e04847c259d

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
7b8fa959cbab042b9c8f2e510cf6e3a4

SHA1
c0cee357fc5f53c4880a22dcbf264604c60fdf33

SHA256
ef621f9fbb0348eb476528b0df0794434e964bdf54fa21e36e9a36098aa6af4d

SHA512
465a4da9b83d925914e5acde2c9a7404b5625fc9eb24340aa9f4bc60386fe85424d068b236ba590d08ef276da9644c2f9c0f0a299637b1616ff789a4e5bb9581

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
dd55c2bc6bb931b3e56585a9d3ff2ebb

SHA1
69c134bd82d21e3d0e2279b1134405980b2f18e4

SHA256
0102195b32b3c15e18c86c044f939bbebd94c51a7eb32f1a71fb06e322586707

SHA512
4243ad48ec5e79db36a5fd115aeb7cd9e65b1e62186ce8bcc5a0c6602169b47409b52791b3a793e083e1539ccde9f4b05900a84ac6e05b9bd6caa9c27dc18f5f

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
48f3cc6d02e28ea81045f1d9a3ff6ab0

SHA1
51fc3f4cb671eefe1456e697220876d0f1f4e83e

SHA256
fc5af89ef564554158a5141bfbee4104feea5a5fdbeace53776d7c40dd4ccfa1

SHA512
07a415358361efc2f36b1cc24a5ca80343f34f1441bbe2d1e6596014e1ece2e5f631a06df8d12407da2e01cf8a818b49f767d72a280256725c6667f697d78aca

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
9aa0ce54df90ee2d7c6fe097832c952d

SHA1
87bb1a3426d16e217a9395e16e32c9652d2f26d9

SHA256
63cfeeb6c4fc14703d57a2d21ad99133194a3f6840b5d3b9671a2ce1a424b432

SHA512
45a5370d08fd9afbf33a850664ccc3cf4d9f994bec30f8bd40b7257b36bb0e520c3ef79751a5bb20946984acc60cc4ad781644d9f46c68ce9b172f9dfff3c48c

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
a3f9540bdcfafac37b3450ed2be7a869

SHA1
03b68bd8b20ebcbf61305b69a9a2b18cc9f8441b

SHA256
0463d83df6f124551d368aa871dec00ff13d5764ea142d689b02669bce5503c9

SHA512
f3a3c593ee15b27ffba6b97171c2976bcfcc51a0ece45b08ec147517886c23388f910af0dde598e2ef2f4d0339cf5370f443ac0e5ddf14850d40936a123d60ee

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
831ee3ad56d1caba2ee142153fb58e74

SHA1
1f6ab928a402be3a22f9258adbfb6a5079beb32a

SHA256
c20814de5bb2669bb31a0fbfc0d19249c9bdf1bbe858c603848c46f9f6a410f7

SHA512
ff9af07bb712a9ec2613cee028f0c65a17f029999986e8c50ec3adede6df1ba4db37ad92bffd83bd08a0c98b27f412404f71f853ad0cb4d44f7605e12dea0020

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
1d307bf327c66a2d754ad1dc6c7b4602

SHA1
c41dd4d8e2044cdd3cc3b4bdda3dc5d9be9dee61

SHA256
1a1c5337d585d5cc0d8890cd4613d5744707038f831229d7e05dfab31e96a43a

SHA512
1b4b8876aeaeda7613954ee1bf0db5c95226e0907dfda0f09a0b2b7f3ae967838afa210110d5589d94cfd4d91a8d2f12a0ea34a773e61e783db8e663b6a4d052

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
b6f853d5a73d0e087dd5ce518dad1280

SHA1
cf44e6917f6a55e7f5be288ed16691f96b99dc59

SHA256
d24b8a7c63a7c54a6207476d0c7da8a0031a975a2d81fea2cb06e19e62d1274e

SHA512
1d5c6df13aa51c378d296b7219dc0e0e25f3d6d87c6d53dd079896d9b14fb520d18f792f061d0141e46194609655d32367b226de962e3cda5d9a33a1b86c3770

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
a8d4092fe35ee931972fd5c90fadd042

SHA1
3140d02d59aeb13fc59f87ed1bb211b19f76f2d7

SHA256
c4f7ca814e05efbad5972c20b81ba8ad33c30b39478508ad8fb2e414614ee782

SHA512
f25082f22cc3eab1ee806b0de9d66afaf7c88384bc538fe9b832ecafd839fc5bf267dd5a9d29c9e26697f3f3a292e37a29929ce156f920ad1b21bd9710330d95

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
b3764336e00739ac7db1bb35a90c89b2

SHA1
9e315a3410550ba39727a737fef4f126cd48ea5f

SHA256
20e9c9db7996d79b4a6d709d470559db36d7dc56e31a11fc523c9913eb3aefe8

SHA512
4d874fd20eb09240cd3ff528403137c7906e1154de0149beaf6fc19b16dcc8665c2a46d3645aa3d8231cd5dc40d254211febd66f5f9a9c182be7c249f5b74d24

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
46d8cc58fb75731c9c27c4055e530c55

SHA1
18b641a0a11806aebe197434dcd1f9fc4ea5e8ff

SHA256
496b542f566823fe4d1751c9c2cdd1cc897a1551cf82bb555cb761453c8b1a1e

SHA512
9f63ba75dc3cdd655eef4dd803c8769c8d4e2cace36f4c4779656493a55981c81b68fab3e100dc2746708d9b738ed4138d8eabf2655adbc5ce3bfa9f2d493afb

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
1317827a29325e51f97d8d14cd1ee8db

SHA1
d645b6e875b6720527ef5dbff89adc9ececcbc1b

SHA256
57a2436db828a3fc10bb27be2d8852310e3602f22e08bf5380ddaf834347efb4

SHA512
b091ed961625d81e09c32ca22ff866b2c87cb463b2a2f6b53d23db20820e0c7732d3c50c2cff52ab69459c6b6a898d6dbca07a3d6f6426e2903e6774a9493e93

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
26685c9cb451d53200c469458ff3f690

SHA1
fa1a3ebc7676102acb250b46a40d098058a7a286

SHA256
24244314dc5ce52d8f2e36040e84d393f5a1134e6c2abd2212542133ecc5a952

SHA512
0854e90b037654289f040aef4eb5a743c5f82598eef07eb7ef227020cf67db0100badcdf3997f4398cd30dc7bd913f02ecb802116b1b6456ca2d8b4e5c9e0a38

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
b4e99bf0904e35a7efecef7e1d70d769

SHA1
2c116a42e0388b588b83dad8d4b95ede482a15bf

SHA256
4df319cfe6b76fb9e6a2b61182b36ad98f316fe9e479253243d2352a590d84b8

SHA512
c3a404b13a14689acdafd0709b5cf2bec83ebc3058d87829e10b53452da36bc1eeb27d5c3d88aa82f49ae41814f4af72c28735e958b1e80ac47ad66d43e370b8

Download Submit
memory/484-359-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/484-353-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/864-57-0x0000000000ED0000-0x0000000000F30000-memory.dmp

Filesize
384KB

Download
memory/864-58-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/864-72-0x0000000000ED0000-0x0000000000F30000-memory.dmp

Filesize
384KB

Download
memory/864-95-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/864-92-0x0000000000ED0000-0x0000000000F30000-memory.dmp

Filesize
384KB

Download
memory/1244-45-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1244-44-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1244-51-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1244-134-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1296-131-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1296-116-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/1296-117-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1296-126-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/1296-132-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/1400-186-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1400-267-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1452-180-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/1452-248-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1452-168-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2644-32-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/2644-19-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2644-111-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2644-17-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/2688-99-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2688-97-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2688-82-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2688-83-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2688-90-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2980-0-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/2980-7-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/2980-1-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/2980-40-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/2980-29-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/3292-199-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3292-276-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3292-207-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3292-289-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3440-103-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/3440-12-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/3440-11-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3440-24-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3648-235-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3648-322-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3648-226-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3664-151-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3664-239-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3664-234-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3664-159-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3832-105-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3832-185-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3832-112-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3832-101-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4368-144-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/4368-220-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4368-136-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4964-212-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4964-305-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4964-221-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/5132-250-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/5132-335-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5132-241-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5344-255-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5344-268-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/5344-351-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5424-377-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5648-363-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5648-278-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5648-292-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/5708-373-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/5708-366-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5836-314-0x0000000000B60000-0x0000000000BC0000-memory.dmp

Filesize
384KB

Download
memory/5836-319-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5836-320-0x0000000000B60000-0x0000000000BC0000-memory.dmp

Filesize
384KB

Download
memory/5836-306-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/6028-323-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/6028-330-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/6124-346-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/6124-336-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download