1563e3ec589ddf69bf5d2144218560cdd51722ef39559e976a1c7aacd7488948

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
24/04/2024, 20:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
Size

5.5MB
MD5

e12124fd01868dc353d9d07760ae4f79
SHA1

8184fd08d740cd6ad86a6cf825e0668877727181
SHA256

1563e3ec589ddf69bf5d2144218560cdd51722ef39559e976a1c7aacd7488948
SHA512

4e99283c618c70e05eade56490e9b4d840b4297ca02c379df8bb2e99530d2d7be15b6032c0b8f9b054f48ff5d3315e2216f24d8d88b4478be0f7b64fdc6c6333
SSDEEP

49152:PEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1tn9tJEUxDG0BYYrLA50IHLGfc:rAI5pAdV/n9tbnR1VgBVmTFz9Kn

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 21 IoCs

pid	Process
5032	alg.exe
724	DiagnosticsHub.StandardCollector.Service.exe
5004	fxssvc.exe
3216	elevation_service.exe
208	elevation_service.exe
3740	maintenanceservice.exe
1520	OSE.EXE
1504	PerceptionSimulationService.exe
3748	perfhost.exe
4308	locator.exe
4716	SensorDataService.exe
2756	snmptrap.exe
3588	spectrum.exe
2708	ssh-agent.exe
3048	TieringEngineService.exe
680	AgentService.exe
5152	vds.exe
5260	vssvc.exe
5384	wbengine.exe
5440	WmiApSrv.exe
5532	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b99a15527d34635.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_74000\java.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000366a36fa8296da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000db8e5cfa8296da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000644fbefa8296da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007e61f0fa8296da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003f3f6dfa8296da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000016414efa8296da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000162d1fa8296da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c32314fb8296da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c80634fa8296da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000020b3a1fa8296da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
1588	chrome.exe
1588	chrome.exe
904	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
904	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
904	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
904	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
904	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
904	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
904	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
904	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
904	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
904	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
904	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
904	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
904	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
904	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
904	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
904	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
904	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
904	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
904	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
904	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
904	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
904	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
904	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
904	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
904	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
904	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
904	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
904	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
904	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
904	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
904	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
904	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
904	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
904	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
904	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
724	DiagnosticsHub.StandardCollector.Service.exe
724	DiagnosticsHub.StandardCollector.Service.exe
724	DiagnosticsHub.StandardCollector.Service.exe
724	DiagnosticsHub.StandardCollector.Service.exe
724	DiagnosticsHub.StandardCollector.Service.exe
724	DiagnosticsHub.StandardCollector.Service.exe
724	DiagnosticsHub.StandardCollector.Service.exe
2448	chrome.exe
2448	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3724	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
Token: SeAuditPrivilege	5004	fxssvc.exe
Token: SeShutdownPrivilege	1588	chrome.exe
Token: SeCreatePagefilePrivilege	1588	chrome.exe
Token: SeShutdownPrivilege	1588	chrome.exe
Token: SeCreatePagefilePrivilege	1588	chrome.exe
Token: SeShutdownPrivilege	1588	chrome.exe
Token: SeCreatePagefilePrivilege	1588	chrome.exe
Token: SeShutdownPrivilege	1588	chrome.exe
Token: SeCreatePagefilePrivilege	1588	chrome.exe
Token: SeRestorePrivilege	3048	TieringEngineService.exe
Token: SeManageVolumePrivilege	3048	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	680	AgentService.exe
Token: SeBackupPrivilege	5260	vssvc.exe
Token: SeRestorePrivilege	5260	vssvc.exe
Token: SeAuditPrivilege	5260	vssvc.exe
Token: SeBackupPrivilege	5384	wbengine.exe
Token: SeRestorePrivilege	5384	wbengine.exe
Token: SeSecurityPrivilege	5384	wbengine.exe
Token: SeShutdownPrivilege	1588	chrome.exe
Token: SeCreatePagefilePrivilege	1588	chrome.exe
Token: 33	5532	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5532	SearchIndexer.exe
Token: SeShutdownPrivilege	1588	chrome.exe
Token: SeCreatePagefilePrivilege	1588	chrome.exe
Token: SeShutdownPrivilege	1588	chrome.exe
Token: SeCreatePagefilePrivilege	1588	chrome.exe
Token: SeShutdownPrivilege	1588	chrome.exe
Token: SeCreatePagefilePrivilege	1588	chrome.exe
Token: SeShutdownPrivilege	1588	chrome.exe
Token: SeCreatePagefilePrivilege	1588	chrome.exe
Token: SeShutdownPrivilege	1588	chrome.exe
Token: SeCreatePagefilePrivilege	1588	chrome.exe
Token: SeShutdownPrivilege	1588	chrome.exe
Token: SeCreatePagefilePrivilege	1588	chrome.exe
Token: SeShutdownPrivilege	1588	chrome.exe
Token: SeCreatePagefilePrivilege	1588	chrome.exe
Token: SeShutdownPrivilege	1588	chrome.exe
Token: SeCreatePagefilePrivilege	1588	chrome.exe
Token: SeShutdownPrivilege	1588	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
5904	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3724 wrote to memory of 904	3724	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe	85
PID 3724 wrote to memory of 904	3724	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe	85
PID 3724 wrote to memory of 1588	3724	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe	87
PID 3724 wrote to memory of 1588	3724	2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe	87
PID 1588 wrote to memory of 1208	1588	chrome.exe	88
PID 1588 wrote to memory of 1208	1588	chrome.exe	88
PID 1588 wrote to memory of 1916	1588	chrome.exe	93
PID 1588 wrote to memory of 1916	1588	chrome.exe	93
PID 1588 wrote to memory of 1916	1588	chrome.exe	93
PID 1588 wrote to memory of 1916	1588	chrome.exe	93
PID 1588 wrote to memory of 1916	1588	chrome.exe	93
PID 1588 wrote to memory of 1916	1588	chrome.exe	93
PID 1588 wrote to memory of 1916	1588	chrome.exe	93
PID 1588 wrote to memory of 1916	1588	chrome.exe	93
PID 1588 wrote to memory of 1916	1588	chrome.exe	93
PID 1588 wrote to memory of 1916	1588	chrome.exe	93
PID 1588 wrote to memory of 1916	1588	chrome.exe	93
PID 1588 wrote to memory of 1916	1588	chrome.exe	93
PID 1588 wrote to memory of 1916	1588	chrome.exe	93
PID 1588 wrote to memory of 1916	1588	chrome.exe	93
PID 1588 wrote to memory of 1916	1588	chrome.exe	93
PID 1588 wrote to memory of 1916	1588	chrome.exe	93
PID 1588 wrote to memory of 1916	1588	chrome.exe	93
PID 1588 wrote to memory of 1916	1588	chrome.exe	93
PID 1588 wrote to memory of 1916	1588	chrome.exe	93
PID 1588 wrote to memory of 1916	1588	chrome.exe	93
PID 1588 wrote to memory of 1916	1588	chrome.exe	93
PID 1588 wrote to memory of 1916	1588	chrome.exe	93
PID 1588 wrote to memory of 1916	1588	chrome.exe	93
PID 1588 wrote to memory of 1916	1588	chrome.exe	93
PID 1588 wrote to memory of 1916	1588	chrome.exe	93
PID 1588 wrote to memory of 1916	1588	chrome.exe	93
PID 1588 wrote to memory of 1916	1588	chrome.exe	93
PID 1588 wrote to memory of 1916	1588	chrome.exe	93
PID 1588 wrote to memory of 1916	1588	chrome.exe	93
PID 1588 wrote to memory of 1916	1588	chrome.exe	93
PID 1588 wrote to memory of 1916	1588	chrome.exe	93
PID 1588 wrote to memory of 3532	1588	chrome.exe	94
PID 1588 wrote to memory of 3532	1588	chrome.exe	94
PID 1588 wrote to memory of 4728	1588	chrome.exe	95
PID 1588 wrote to memory of 4728	1588	chrome.exe	95
PID 1588 wrote to memory of 4728	1588	chrome.exe	95
PID 1588 wrote to memory of 4728	1588	chrome.exe	95
PID 1588 wrote to memory of 4728	1588	chrome.exe	95
PID 1588 wrote to memory of 4728	1588	chrome.exe	95
PID 1588 wrote to memory of 4728	1588	chrome.exe	95
PID 1588 wrote to memory of 4728	1588	chrome.exe	95
PID 1588 wrote to memory of 4728	1588	chrome.exe	95
PID 1588 wrote to memory of 4728	1588	chrome.exe	95
PID 1588 wrote to memory of 4728	1588	chrome.exe	95
PID 1588 wrote to memory of 4728	1588	chrome.exe	95
PID 1588 wrote to memory of 4728	1588	chrome.exe	95
PID 1588 wrote to memory of 4728	1588	chrome.exe	95
PID 1588 wrote to memory of 4728	1588	chrome.exe	95
PID 1588 wrote to memory of 4728	1588	chrome.exe	95
PID 1588 wrote to memory of 4728	1588	chrome.exe	95
PID 1588 wrote to memory of 4728	1588	chrome.exe	95
PID 1588 wrote to memory of 4728	1588	chrome.exe	95
PID 1588 wrote to memory of 4728	1588	chrome.exe	95
PID 1588 wrote to memory of 4728	1588	chrome.exe	95
PID 1588 wrote to memory of 4728	1588	chrome.exe	95
PID 1588 wrote to memory of 4728	1588	chrome.exe	95
PID 1588 wrote to memory of 4728	1588	chrome.exe	95
PID 1588 wrote to memory of 4728	1588	chrome.exe	95

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3724
- C:\Users\Admin\AppData\Local\Temp\2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-24_e12124fd01868dc353d9d07760ae4f79_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2e0,0x2e4,0x2f0,0x2ec,0x2f4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8b147ab58,0x7ff8b147ab68,0x7ff8b147ab78
    3⤵
    PID:1208
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1912,i,14721344084008043823,10869110525379024557,131072 /prefetch:2
    3⤵
    PID:1916
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 --field-trial-handle=1912,i,14721344084008043823,10869110525379024557,131072 /prefetch:8
    3⤵
    PID:3532
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2232 --field-trial-handle=1912,i,14721344084008043823,10869110525379024557,131072 /prefetch:8
    3⤵
    PID:4728
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1912,i,14721344084008043823,10869110525379024557,131072 /prefetch:1
    3⤵
    PID:2152
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3064 --field-trial-handle=1912,i,14721344084008043823,10869110525379024557,131072 /prefetch:1
    3⤵
    PID:1168
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4308 --field-trial-handle=1912,i,14721344084008043823,10869110525379024557,131072 /prefetch:1
    3⤵
    PID:768
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4460 --field-trial-handle=1912,i,14721344084008043823,10869110525379024557,131072 /prefetch:8
    3⤵
    PID:1020
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4140 --field-trial-handle=1912,i,14721344084008043823,10869110525379024557,131072 /prefetch:8
    3⤵
    PID:1572
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4740 --field-trial-handle=1912,i,14721344084008043823,10869110525379024557,131072 /prefetch:8
    3⤵
    PID:4768
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:5196
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff68512ae48,0x7ff68512ae58,0x7ff68512ae68
      4⤵
      PID:5852
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5904
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff68512ae48,0x7ff68512ae58,0x7ff68512ae68
        5⤵
        
        PID:5928
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4516 --field-trial-handle=1912,i,14721344084008043823,10869110525379024557,131072 /prefetch:8
    3⤵
    PID:5540
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4524 --field-trial-handle=1912,i,14721344084008043823,10869110525379024557,131072 /prefetch:8
    3⤵
    PID:5780
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4496 --field-trial-handle=1912,i,14721344084008043823,10869110525379024557,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2448

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:5032

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:724

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4092

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5004

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3216

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:208

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3740

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:4516

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1520

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1504

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3748

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4308

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4716

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2756

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3588

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:748

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3048

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:680

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5152

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5260

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5384

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5440

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5532
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3252
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:5580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
a6ece6dbb519c82bb221467431f6996c

SHA1
df570e8251ec68a29bd517613a042853494dfc9a

SHA256
5c262ba86a99c57507b419dfe0d201e46ca002a6f50ddcc69be7a7f6e9fd4d6d

SHA512
aa19f1d320fb4ca927bbf34473c297898186878865909eb179b4afa568c812aad5c6c5ee6a2250c8efea73225db1f9de41efb487daec6de4a9cabfac9b5cf71f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
ae6aa218907d57c659b860e08617f321

SHA1
0ac1af79eaed132901dcd3bed3491487e084dc74

SHA256
fb6594c2da4ae41336f44225be2b46a7f8e2802bda10a3f4ff772de7e4e4953f

SHA512
d5358ca7436d523435edee3f3a0425265c81fad8193b5a3d9aed16c95845ee94f79798c358075836b1bf8eff81529bb996282073fbcf7098e5028755dd16731e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
c7dc4a0b20dd972d598209cd3ae1a414

SHA1
2b613b1eac69ef1f55113cc77213f4a2b606aba1

SHA256
d90b44ea03b7056311250680cacdcadb7c2bf208a034cc5378fe9ec078336173

SHA512
a9fb48fb9f7b82ceb2efb3238d84ea8b5e9183c095f8b611c28fbc1190747e5fafbc4f9afa3c65cd96ca9d50c074a5b8dbe96cea98901d45174ca65bd287ecec

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
609f5beb7a131edc0e1e922eec8ae1a7

SHA1
641406536bf0769000d516af41fc2d4ddc3ba34e

SHA256
bc2cf94c64ffe850420f645aca5097236b73226bf2f07ab44f1e0f64d79800db

SHA512
ead22dd84400a80acf75653969f96092565f30c1f408d6d6a870e4597c3d9bec64d9d24e2a86e9a84d52c99d15e481d9d6bfec3f929b0201fe207b516f7bfb0b

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
ce2782330bdb735514a30e97b7d71e96

SHA1
4c5f96d35d2e75f130aca14044a5a0e134d73aa6

SHA256
daa61687ec3bb524513bdb1908b6b577aafa307b9a091de3a8e5645e3e9119e1

SHA512
70969c872aa6c3ff1a0d6455a7bb4ff40870e4dd71a7241da4e943fdae9a25d4c3178304547548fa8cdc2b1bf4523986b7110c8967c6da1e9dc1322933b6ffab

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
647d8bb63176c134d896a11c7ea59f6b

SHA1
7ca9e237c9074fba4eb3550d4bd7aca83ab294eb

SHA256
2ce36f2b8a72727efcf7762688d96940f4953e9976f2557ed4521a263113e94a

SHA512
454236a119e528573d567fcc27983ec0c014cfa05650770d0b98c66348b919c2de5817040afa09aca28591720f2b7772bd6f49019e2cf2e021402cceb2db7f3e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
26f714831f2abae4b32d710ee9d8d9cd

SHA1
d02f0dabe90c48355939c63627dad84b02f95825

SHA256
94678e42acc88cdb11aab42915a763c7fdeaf73bd71e0b4fcdf750953c44e24c

SHA512
5559bf6e02e6cea8d03c126b68d6fede8495ac0d0805ddd19f8692921f9e689dc98f3688d1105a3674ab03ebadd7eb7ecc566d494479fcb0dac161ffa7900076

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
432a655543524a56dd9c25b5aea5fa8a

SHA1
d1f203ba23f8d386401dfc0ad170c9e669b7afd3

SHA256
6279b8865bd5f7969b9bdd194270f2252f784b826e9d3248489d9cd15e1eca5f

SHA512
3a22befdfe9b9b08c68776de638103076e7f37411817941ea6e54e7605b1e2115f3598aeb6f8b37a150385b5d2dcb2372e47a4ce22069476a17d18690874af23

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
1daa53dd10f905d034281662ac9bece4

SHA1
96233d0b02024fb07bf8a85e9af74d19a4cf3157

SHA256
f4609e24f70b176a6bb2644d7a670ce9ed156db39739d5a1b9e65f2a35b1924b

SHA512
f494042f59b5fd1efe910398817fc9828b3f2b70676e9191348039dff812c24fe8c0b5825de686ab4a04e4584a7b569aa736f5fdbfbc57af100d8e26d3f1caec

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
c59afa601a793c2d427c5104ff86a7f6

SHA1
32466313c79140a5ca823379c03a5a1b2f8c8c9f

SHA256
7fb0c502f7b0af61d87b500b04423ee453ebb4f83a53532c46737be340e9d4b7

SHA512
fd27773b65c4b40d212dfe15c4f26e7c04b6f6448d820d52268cce3a2b917294bc0ed1a12b51814f406970a5b42c0ab5cf3a91ea958f580c176c1a5120a401cd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
569e93ccbcf3e9e6e124fb433e62f055

SHA1
aaef3cd7fff4348177998dc5deb69936fc5c76c5

SHA256
cd7714230861ec52a95c98c0ae7b421c4753cebcf9a26414826dc9e7e3935efb

SHA512
ef940b965a4c8cc3ab11c96d4e63f7d7424eae364a1e3806526d1824df157437eb064ebc19d8efebe839fa73d6112dcc568d77eb4c594d172286909afee417a3

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
b50a20d3931bd368dbc3289995ebfe0d

SHA1
d00d6622f03dd26f211be7dcf0dddfc7b3057e33

SHA256
72514cae7553fe64f1bbb0e5004b399e6d61ba3b0a220822363579d6822d78e4

SHA512
d01af08cca89b1765cac6a4ae115d9852c91c99f3288f278702bff9d1f16eaa3fac24d5c51e47d7b2bc203cf62839ad7f8aabe99cc7062cfe2c4ff60d1641c39

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
1e0075ae55ddd12af64056b315b53ba1

SHA1
4a185b7159893a66bd1919b8b0e3e20744d0cebd

SHA256
efda2c2718e72cc76878db13aa7ef6ce1b3defaa1480b2ea4f3a37cf8e629530

SHA512
b265627555caae19c015e0001873192537f1aa153c219e8c380ac8bc955b646e795ac4c5f812454ba1ef8f2d95237fbe8d63a223d63e99c9e9b10d2352b33a14

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
0dc5ecaca1ef48e6b4c2219fddcef2dd

SHA1
2e288a5e7eb05432edb50b672f0a045f8834f5d7

SHA256
6a491eb088d4d5769f6d70bc9233257fd726d67835777f2dc1ad229d1da9bfe9

SHA512
cd72cb39e1fcb42ed12693284b7aa02b603d12340e1bf9c4e2059d6b42bd5832faae5289d81402d2049c9355a6e5e622380947e18c556b167696e68626c1f469

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
d1fe36e81d0f9f47e96d1d29fe9199ac

SHA1
696959c3f17a15320791a2e03be79ebddd1682fb

SHA256
2d59a615a59c71754ce9bddd4d8ec0b6b66c679faa81458d838a991db47cf15a

SHA512
7bfe7e9018bb3a9ebd05438aa693e83da0f29374189cf59d43b43e7d962bc99c57a6067e751fe0deb7d8b041969c245d6414aafd5bb8009690c5a1c39c60436a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
a24b26137add6dd8d2b3d93cb97183b1

SHA1
b0297e210f836e065d1a60de2722c7c3c68b180e

SHA256
6333c24aa49bf1ce0bbef308016d811dfa9d4aff2d961be92031eec10d09dada

SHA512
99821d7883a252541788928c8627f5d0185c342f1ab2b1c53221547fa7e616f9d79e15f1a9092d15ebe731f23ee0684a2a7e3800d90bc4ea26aa2162eafff99f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
09505cc64dea99927e01d3db58530f25

SHA1
a5537e47c7751098edd841a908c6cb499627ea91

SHA256
83b6e7c90d48a197a058faaba4ba0cb2dec1a569ebbe23544f82ac8808255977

SHA512
c67a602cf9b1ded766910f5791765d4e8abe01196caa39767e7dc51d209c9014df4aa7433d155ff7f4ff127ce7a50ff8a5ad04797a611d8efbe4a4ee5b236524

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
4c820a685fd4aee938a8c426528d62d5

SHA1
2321ea0a6573017cc2dc8e7d5ff613658dfa37ad

SHA256
1308ff8018a894ad6c264ef6b0501e4a3ccd1e62db004d9fe1036d37c4ea9bba

SHA512
612f3db99b858eff756f8f50306d202833f67c2fd2ac24c9e39cbed6bfd26a9973ac62067f8ef28216e8450553f24b65890c5d6139ece95fa52844d73336f474

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\6add985a-c9b9-4757-8b8d-d7fdce3dc7d0.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
915e8a7062f5f9d2bb63de054c10e930

SHA1
b413c4b20cbcb59347715ee9a46e0ab10636b166

SHA256
ae37b6551a98922f2c4a768f29ef1dbfc25beb2712011b22f5e980e760c70543

SHA512
96545e11221dbb3a6bd6553642fb84285fa8c0b649d544e69e2860bdd0a4031a589622a0952e9c90e60a0001791dd15c4f39032c72105770d0293332d85ff8a1

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
9d53329b0f90f4c78119706586c203ac

SHA1
8fea697bf2f3fae2d9b76b120869efa8bb64bf9a

SHA256
5c1d0efb78b0ff6a02ccc6a61a9db4b539b681867f605badf9c3dc05069757f6

SHA512
1e58088a340580d5dbbc28666e5046f9c01a7d70430e4f3f9ed3b85e79238591f6fbe96d51dd7fb3cded47604b154dc19bbfc1db3929c06348d2d3701dbe847d

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
77efd04552d3a90cc6fe70625bef7803

SHA1
6fde6efa6a222281a0acf68744a51c8391531b7c

SHA256
4ea59f53f79e976d4ad95eaf939c8ada1f09e34586863d69da4014284ab3822c

SHA512
0bf26e51ef86cfd97a5ac73bcaaa8fae7a29210ac3f4299dcd1804dcf7e7cab6e246635e47f67c929da63fc94c0010a15f6f5054d4f77ebc395d73493442104c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
a251e7d8920ad0ae50087d3903f218d1

SHA1
89a40725b1fec22d61561b2286720638ac0f6625

SHA256
6045f9f01ec3f769a595569f236cec5f057170f13aa5c7f8f01df1cd687725d5

SHA512
0b3c16211e1da01608cab5853c907f5c061d22aad2f83aa990fd5e27b08cca8147c0b0f02af9c91e10b7dd8f9d658360a0d73900b0c101fd2a6758386007bc7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
6249eff70c31df57fad41b61f024f370

SHA1
20dab78314a79d7d409d9a2609aaec0812d7bcdd

SHA256
c09db7b8688cb08d9f5898ad90c2743c924aef41e28cbd5e48858532c6904429

SHA512
3e3103e4a05b4ee4e23fe4c6d4ceb99f00e400522afc59e62d315191582fbbe664765b06ac64231dd3bd76ba747e5ae256a2da8ba132a3044394a9bed9b9d728

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
352B

MD5
c66ddfb7e1d4e9605fe49757ecfcd89d

SHA1
8ddb684dbb8a68e5b37fd8719cb803d94d791a25

SHA256
baa38d6d342cb17f2a99d1b36830cef99e86a1696f875514f0e1714595f0511b

SHA512
beb57edda87f1d2714117cd5a67409c2926dcfd29eaf1cd5197af949f9043cad0eea2ec62fc048de3bfd6846845ec49feb6c4a2c83257ab51571e31cc3d8a6e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
b1272b69de7ed86dc83d03dd79cf1083

SHA1
e0ba1fe907365f27baa4c60cb11c4f1256bc18e6

SHA256
acf712fc74b633ed89d1546de38b9bf8cb262cb0851e4763eafef4c79e7d1cf0

SHA512
00ccdebd9e1fbf296dc14bf238a72c8d1bdc9ebdc23aa61376350c42fcc5891e6e056e2bfbf2a686b95ca5999cc4e61428daa7fb62b8e800ac13bb55ba2276ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5762a2.TMP

Filesize
2KB

MD5
c541d6caf1eba2f47a57217be76c5517

SHA1
6fbea28eb3c243a578e6d904eddf794b51c5869b

SHA256
1e5a9517f8e3940d71f3321f9075ca8bca5bb1e82eed3bf223d0bf265b960b6e

SHA512
bc9e7551a58873b1df732905c27e112c830a71bb725170c4e45e3c21a2f71822cc3ce48f9041fbc21d2fdbea8f5c8537e5d027fcffc6d2c67dfae7449e25e739

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
9ff14642e0f79057deaabb0a5024b17f

SHA1
624fd120d23ee971d0ace944d42620513885fac0

SHA256
009d25f16073a9d854344f9f069366a190a9cb63815f847ea6c27129aa34f961

SHA512
6f48e9830afdb6bdcc34547e82cd5a37aef44ad7252c623723848d4ee2d12596dee269994798e2443eb64eae49f357345f513a5a7d8d706889e99cd3b50551e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
253KB

MD5
941cbc54dfce69db692d2841e1b2b8a6

SHA1
aaf93becb92cb01b5d13ac648f5174c1a915d765

SHA256
38cd2686965c0efe95da96a3cef81910c9d1c7731aacc77fd0760ad09e161f06

SHA512
ab8c0f536b2ba5119dfe8f1f7acf24c829a9e4cdcd8464240f4083a100a3cad63c0da7faec7d7232494a47b23c322b60797ed11f6f3109b1db68eb28feaf3b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
bdffe0353d8de9f8b13d235340b06ffd

SHA1
1e62821490876759974797fe2beb6c5466ac63aa

SHA256
66a1080724b3a3338cb338022c779539b3083301d5010ec11d6d79fcbec485b1

SHA512
dfe1729e1137aee05f5e0f9c8be0f88c355b807bec610b5df2f37cc1357e0939c2a5cd5165b75a6e3af615df2df2353577322f1119402f04f998424fb0310445

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
09ffce05cd8e82808fbfc924b2da83a0

SHA1
724e5056ebae8b58f4de71a3e461c02f31841387

SHA256
a99563adb779c34531ddb72c5bc146f02e2e1409b536ee7f699526a65e94cde3

SHA512
4a31ab26a565334468a60ffd9169a5beaca54025ffc0070d3f682e5a7faac86dd0e32f34781f8f0efd2202e4888a140396fcb3198127ef16f6f7ad9b390f76b7

Download Submit
C:\Users\Admin\AppData\Roaming\b99a15527d34635.bin

Filesize
12KB

MD5
28800a547c06a898b7733e117c6125b3

SHA1
cec35faf0812c857b9154b2f6cfea02c3a5d4a23

SHA256
f7ee91d07655a6bb420f196103e28a87704f274b9233948e4460989bcb32cac9

SHA512
5deae5120d35df140cf8fdbd1cdb81bd6f971d000acfe6fba925539fbc5922e4d19ecd2f8ad218da2c92537f0e6fb23558ed9a4e82b39a779e7831360846ff1a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
4f5aa445e4e45c48d15a14bc08a20db9

SHA1
089a399b895d6ea76f4408f13738f0e0bb40ec58

SHA256
008d1b935aaff0a9b08536e12ec0ac6b7f974cb579a208e45ecf0daee08ad041

SHA512
8dc98362e21de6e1fe4bbba15b1ea984d5ca0f009b0bdbbf2e0680ac12892cb97fcbac3c54af0287284dac8c4fa7c3cc75fa4af9d1f847d3d4f76f1e90901428

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
fee17ab521d2d6556f1435725b116391

SHA1
ea5642325455fb6645c024e075db5a1a4de277b3

SHA256
3957cd04af0ca53127cbdb394b3b5b400223e6579c422200bc3262a2c96ebf4b

SHA512
d440a6c65386027795efc8f3645e3216cfa7de89a11d662aaf49ceb8bcedbaa987fbbbd9b0fbdf57d3f08ef3729b2efe383aaf5e60816b1ad7e9d874e9f4b78a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
9dac06775ebe76dcbb47407f7cf947b0

SHA1
d721995e7348d8664db2fcbee9d285eb4db153f3

SHA256
455d8d2db2b73334c8edcc7b450bc2f770197613782be00a074ae1b3796044a6

SHA512
da915c88571647064c5b002f0e331c32a6b8c2e95f3df5416425785b13a5df70b13194a600932f73335bfbae2a2be2f90e15e6e05b7b2b15d0a23cfea67267c2

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
475534f901ef71397fb4350e04a94e4e

SHA1
ddc319e234e5cf66e5cba0fd189456cfc2d6eae1

SHA256
4c53c92472ef1a94d27d5328dc4aaadbde1b3ddb0a1da428df9dded7e8b46cd8

SHA512
6aa8fa31f274796b9372dd64a5e062ee159da442002663ba520921f7534eb90d578d94767ec23efba118598a1da4d39a178fcfaa463c13629d28b9ec2a526215

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
43b13124c4030d5a9af21e31d498feb5

SHA1
5f6a68869e56dce8d7226131a4317a299694f50c

SHA256
413ab71d12c58709aecfd968f39f302672bb677d1a81fbc7c9cbcc3c215fa71c

SHA512
f5c3ceba0f7b3fd1b05beb80111c053743c5dc16b4ac10f7c7836465c2995bb92c483e18a08341db1624b07f2b28ad4b71c1c2dc465d6b00b604f5a8348d275b

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
bfdffc1c4677873c6bd61fe8ceb8a8b0

SHA1
73c3398f117b23f86f3d14c535da0177d58478ca

SHA256
d9dd4c485fd697a2383510fb8b345124aa458bc7126f1adacd4e785aebf6de80

SHA512
4b01797dcb772b36225225fa225fc198eba89236022091590cb0327710c48f38c1eb8f6af095c1fadc7f12ca00892392cdbb7d73899a20c52a5302997e0c5a85

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
8e64983e62265351d70de1e1c1e6f7a7

SHA1
ad21fb16639a3c3e653bcf849bd40cbaaff20605

SHA256
d12859394d40c241dc4e91560dbb6a6dc09d1d7dd1372e4bd122a6fbbd6ff5ab

SHA512
bacd67663373e432b0bc8175819ed30314f2a7d6ccf5dd41bf31ea6da24732d125b78139ffa3c60c4b45771cc9673ab03536978e8a663df3a2d525e972562ac7

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
b214ab90aaf23775378421c3a3bd1a6e

SHA1
23181644a97b9c56dcaa2982e1b0044d9767aba7

SHA256
2e7c0e232f0272e9635edf7a86f596ffa2d791f94163a2b4f7a302c5df302388

SHA512
5cd84149c7a728bb1d22d747b828d9970ab97f7d4e147b659b984978140966780e210d6d49999b3f18d134abd8842b7896751dac5164ad504e7103ec16efcd9d

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
35c24fda11dcbc7c7da6d0d945ea6bd3

SHA1
04b3b811823ae33a5a1a41877a21c8c1954b4691

SHA256
5498551c192d38eed81f9eb9439f3e54d75d7f4eec3266f8c8f562ad740cdce5

SHA512
1c21d614b661530b0351f0921638ac8d1b167a8ad9defdae56e482635d30ae68141092e369392d598b856cbce7c44208e68152499aa40aa7bad3367dcb8ece17

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
9a177155db898dafcdc1392c3588fd8f

SHA1
3d40762a4a1bc9dedcd1eba33dfce7a319b551da

SHA256
8881d6bff6db33e08828eef68cef794f1dedab796fab139a858e00e2b0e7199f

SHA512
6a57100d4f9b9186859290973242fb37dc2aa2711155799c56d6c504dea45f6cc90c7f6dcd94a010b3978cfd0008430d7a27eb5280ca658d6800b0313b73cffc

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
3b170b554c1d621aefda685ca65bf9b3

SHA1
f404cf41bd3fe26737d254585934540624afef86

SHA256
121102c9f13f051c451c8c7c9127eb60181e13376050d1460990277759e03130

SHA512
9bc70985b3a063e9bee819e8300b6ffa3c66df41b17d497f122e95a4dedd8ff2a221804ef57ec254791c550c6820ecfc1558d9076d7a0f224c79993aa4f15018

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
7f1833369f250de02e7767d985ba9051

SHA1
6b9daefa993f978b4a84e9f1881aeb7db94ade15

SHA256
ca8fe2e3bae303a9bcf514bc3b685cb893695d9fd6390e5055f364491efffa48

SHA512
5bc04e9f1066497a9af7c9a3b14a3428a070674a3256ff21ed5be9efb8294fb4563f91139fb99b51b5e84ed966472b9cffcac5180dd9d9348d4e2d9dd07131fb

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
e7aa89527ca0bc114de3c883093c2e29

SHA1
913a308d0a0e50406b83ba34b36575052f7c6d76

SHA256
101cc9db8e4dc4402e785bfc330b7e5eb4b338761675ae236fd929ec4bb074c3

SHA512
e5cc8a7f8c24d1dfa1959acc77cbdd6f996d78bad70454baea7f6f4f815cae3a1d81ea2f50e86b1b5b553d1240ccfbbd0c2727e8bbe9eecf7856230be15c9787

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
a9ee28b2ebede3c7a49df81337883a3f

SHA1
8d7c155ef4729350511832a58b7e2026305eec4c

SHA256
a24ccc875162c7f719528b5fba99f77c32a67b472fa09a2e2a708276043e2f2c

SHA512
a7a1cb52f0ba771a581570e159a4d05d879428409cc742e57732063e533fce7df35155e32348f74888e6b73fd142f05ba744d50ba5b9c58467bb0035772d0f1f

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
11566396dabec1c4c01969e777994543

SHA1
38f99f339b149c6af4df95e397c858a0686b5786

SHA256
592bb3dee913f11e1daa9684807d594b77df19a66f25725fca71a0905d7d1a7e

SHA512
37a1b60236ca64b8aef2baaaf262f883e8133d1eff947ee29c13288a30ba660f19285386dbcde3f7602f7e2bfbcf24a187e6f990c8a3259efbf9e70060731a9b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
32924eb310fe908620a8ce7625de4af8

SHA1
cbb636a057471fb8e1ebb6ae98f26171e67057bd

SHA256
8b0b028dd64014b629cca7101bec5f99b95395cfadd5ad8e96eedc6dc3166505

SHA512
15aeb5e91a0902910b625d7f4802f048ba28faab2d341ebf9c5d8190ee031bae4771bb0147328e8bee75de889bbe2959b5de1aa41089b4614c1c233738af7d93

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
951e97625e221f848fdf740635635782

SHA1
95a9e617d6c3b00607c82a9a7742f5d6841ab1ed

SHA256
2efa692987446078b5d4d1101f43521a7dba795f76ffd2a53a9cf5740e7222b9

SHA512
370affaeff81e7c0d0f224a7f84e80597f2a5fc461060766aeba9bde81e2c128065cd3e5a7c2386870f1238f5aae12d9673250d9cb0919d207ca5e72b56728e0

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
522df09671ae433429bbcaf7252be0b6

SHA1
61ca04f9f4e85e8568ad48873b678d1e513cf1e6

SHA256
280a84c5c19d1271eeed9e7b9b3673a1981aaa57f14c4fd4b13ba86d8673869d

SHA512
f62deed71d60fc03149e67987af7a52bf70ede79171316883d37f3f01ea2b6c4973a677798812609030400f9d4acc0e3f3a52284e3ccfe5212e90cc019107319

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
49144c732ceacb68a4da426dcfadc32d

SHA1
6954fbc5f4bc96cbb9b788f76e2c4de9e7f15c59

SHA256
d88fb69e80894f99a0fd6fbd9391f079ae601e73682bff330008dc4c984e630e

SHA512
754c4ea72f68d05ee36515b208440ab92b8af6de3d16d24913d6f414e964556627dd66f5009e1606bb9f4652d753b8a4d592c86aa11a2a4366a4c4c169becff5

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
96d35fc6f257fbd437b17fce100eec61

SHA1
d4d80309660ef95423a48779d3cdea6a77f43bd0

SHA256
3f79dd0fe462fecb490f9bf4462961f68da2a5a0e7efdb0d7d0b7931fbed0fc3

SHA512
508d7d04e1fce0a2f3eff553433a896681c4dbfcbd4371018901c081b000be28920425088d26b37bde77eb34153c817ad03bde4c13281f53b13c02a593e6707a

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
200d8cfc1b4d7459edd18e652449b762

SHA1
d1999ecb4610218ef7ef400d9236acac2d848304

SHA256
6e3cf474850dc6a2f33c5b461b289cffd92e1b66bf72c18885b54a06615457e3

SHA512
daabd49c56ce5e70f9bd638f3c650fc6381cbc7cac8baf8f16ff048a0937362f1770771298189b10387fa1ff4258c485081eb33d2bd2c47c01437a450f3552cc

Download Submit
memory/208-81-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/208-158-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/208-83-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/208-90-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/680-213-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/724-42-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/724-120-0x0000000140000000-0x0000000140268000-memory.dmp

Filesize
2.4MB

Download
memory/724-34-0x0000000140000000-0x0000000140268000-memory.dmp

Filesize
2.4MB

Download
memory/724-33-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/904-11-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/904-97-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/904-12-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/904-19-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/1504-123-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/1504-202-0x0000000140000000-0x000000014026A000-memory.dmp

Filesize
2.4MB

Download
memory/1504-130-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/1504-125-0x0000000140000000-0x000000014026A000-memory.dmp

Filesize
2.4MB

Download
memory/1520-108-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1520-186-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/1520-109-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/1520-118-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2708-204-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2708-193-0x0000000140000000-0x00000001402C1000-memory.dmp

Filesize
2.8MB

Download
memory/2708-457-0x0000000140000000-0x00000001402C1000-memory.dmp

Filesize
2.8MB

Download
memory/2756-175-0x0000000140000000-0x0000000140255000-memory.dmp

Filesize
2.3MB

Download
memory/3048-473-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/3048-207-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/3216-82-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3216-52-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/3216-53-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3216-78-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/3216-74-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/3588-230-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3588-178-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3588-188-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/3724-24-0x00000000020F0000-0x0000000002150000-memory.dmp

Filesize
384KB

Download
memory/3724-31-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3724-0-0x00000000020F0000-0x0000000002150000-memory.dmp

Filesize
384KB

Download
memory/3724-2-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3724-7-0x00000000020F0000-0x0000000002150000-memory.dmp

Filesize
384KB

Download
memory/3740-96-0x0000000001A20000-0x0000000001A80000-memory.dmp

Filesize
384KB

Download
memory/3740-103-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/3740-99-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/3740-100-0x0000000001A20000-0x0000000001A80000-memory.dmp

Filesize
384KB

Download
memory/3748-215-0x00000000007C0000-0x0000000000827000-memory.dmp

Filesize
412KB

Download
memory/3748-212-0x0000000000400000-0x0000000000656000-memory.dmp

Filesize
2.3MB

Download
memory/3748-149-0x00000000007C0000-0x0000000000827000-memory.dmp

Filesize
412KB

Download
memory/3748-136-0x0000000000400000-0x0000000000656000-memory.dmp

Filesize
2.3MB

Download
memory/4308-159-0x0000000140000000-0x0000000140254000-memory.dmp

Filesize
2.3MB

Download
memory/4516-105-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/4516-177-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/4716-161-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4716-222-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5004-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5004-73-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5032-107-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/5032-23-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/5152-486-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5152-216-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5260-497-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5260-219-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5384-223-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5440-228-0x0000000140000000-0x0000000140285000-memory.dmp

Filesize
2.5MB

Download
memory/5532-231-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5580-502-0x0000020840870000-0x0000020840880000-memory.dmp

Filesize
64KB

Download
memory/5580-479-0x0000020840720000-0x0000020840730000-memory.dmp

Filesize
64KB

Download
memory/5580-459-0x0000020840730000-0x0000020840740000-memory.dmp

Filesize
64KB

Download
memory/5580-465-0x0000020840720000-0x0000020840730000-memory.dmp

Filesize
64KB

Download
memory/5580-458-0x0000020840720000-0x0000020840730000-memory.dmp

Filesize
64KB

Download
memory/5580-501-0x0000020840720000-0x0000020840730000-memory.dmp

Filesize
64KB

Download
memory/5580-466-0x0000020840870000-0x0000020840880000-memory.dmp

Filesize
64KB

Download
memory/5580-460-0x0000020840750000-0x0000020840751000-memory.dmp

Filesize
4KB

Download
memory/5580-499-0x0000020840870000-0x0000020840880000-memory.dmp

Filesize
64KB

Download
memory/5580-487-0x0000020840720000-0x0000020840730000-memory.dmp

Filesize
64KB

Download
memory/5580-488-0x0000020840870000-0x0000020840880000-memory.dmp

Filesize
64KB

Download
memory/5580-482-0x0000020840870000-0x0000020840880000-memory.dmp

Filesize
64KB

Download
memory/5580-484-0x0000020840720000-0x0000020840730000-memory.dmp

Filesize
64KB

Download
memory/5580-485-0x0000020840720000-0x0000020840730000-memory.dmp

Filesize
64KB

Download
memory/5580-474-0x0000020840720000-0x0000020840730000-memory.dmp

Filesize
64KB

Download
memory/5580-475-0x0000020840870000-0x0000020840880000-memory.dmp

Filesize
64KB

Download