2d2c4a8b19cb62a34c890cf71816bb13c3d29f033edff12db205ec0a3b254c2d

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
29/04/2024, 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
Size

5.5MB
MD5

8b748f95ad812cf56a9f1f6a66cb11b4
SHA1

c20b966e8c8b1c236d5e998988c8501f6e6c4b7e
SHA256

2d2c4a8b19cb62a34c890cf71816bb13c3d29f033edff12db205ec0a3b254c2d
SHA512

c30efa73f93fcb75504ad4da6a616c246df8f104c6a89af44ad246cf9a5d4e683c2e35c7f93fb6811fb398149ec3e90861a546a5309e1433d7a9c0efb8b04ed5
SSDEEP

49152:oEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfv:mAI5pAdVJn9tbnR1VgBVm9Db0

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
3704	alg.exe
2948	DiagnosticsHub.StandardCollector.Service.exe
5092	fxssvc.exe
3896	elevation_service.exe
4228	elevation_service.exe
4092	maintenanceservice.exe
4320	msdtc.exe
548	OSE.EXE
632	PerceptionSimulationService.exe
1252	perfhost.exe
2448	locator.exe
1348	SensorDataService.exe
3592	snmptrap.exe
3460	spectrum.exe
2724	ssh-agent.exe
804	TieringEngineService.exe
3984	AgentService.exe
3184	vds.exe
4548	vssvc.exe
5192	wbengine.exe
5292	WmiApSrv.exe
5520	SearchIndexer.exe
6116	chrmstp.exe
2024	chrmstp.exe
5736	chrmstp.exe
5892	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\78e2261a7489627c.bin	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c621fccb319ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e4fca7cc319ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133588677565020808"	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000048fbf4cb319ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000a7760cc319ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002585d0cc319ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000860e08cc319ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004daa4ccd319ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000da4800cd319ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
4132	chrome.exe
4132	chrome.exe
3628	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
3628	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
3628	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
3628	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
3628	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
3628	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
3628	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
3628	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
3628	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
3628	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
3628	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
3628	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
3628	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
3628	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
3628	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
3628	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
3628	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
3628	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
3628	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
3628	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
3628	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
3628	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
3628	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
3628	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
3628	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
3628	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
3628	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
3628	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
3628	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
3628	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
3628	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
3628	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
3628	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
3628	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
3628	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
5380	chrome.exe
5380	chrome.exe
5380	chrome.exe
5380	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1004	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
Token: SeTakeOwnershipPrivilege	3628	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
Token: SeAuditPrivilege	5092	fxssvc.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeRestorePrivilege	804	TieringEngineService.exe
Token: SeManageVolumePrivilege	804	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3984	AgentService.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeBackupPrivilege	4548	vssvc.exe
Token: SeRestorePrivilege	4548	vssvc.exe
Token: SeAuditPrivilege	4548	vssvc.exe
Token: SeBackupPrivilege	5192	wbengine.exe
Token: SeRestorePrivilege	5192	wbengine.exe
Token: SeSecurityPrivilege	5192	wbengine.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: 33	5520	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
5736	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1004 wrote to memory of 3628	1004	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe	84
PID 1004 wrote to memory of 3628	1004	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe	84
PID 1004 wrote to memory of 4132	1004	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe	85
PID 1004 wrote to memory of 4132	1004	2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe	85
PID 4132 wrote to memory of 2944	4132	chrome.exe	86
PID 4132 wrote to memory of 2944	4132	chrome.exe	86
PID 4132 wrote to memory of 2428	4132	chrome.exe	93
PID 4132 wrote to memory of 2428	4132	chrome.exe	93
PID 4132 wrote to memory of 2428	4132	chrome.exe	93
PID 4132 wrote to memory of 2428	4132	chrome.exe	93
PID 4132 wrote to memory of 2428	4132	chrome.exe	93
PID 4132 wrote to memory of 2428	4132	chrome.exe	93
PID 4132 wrote to memory of 2428	4132	chrome.exe	93
PID 4132 wrote to memory of 2428	4132	chrome.exe	93
PID 4132 wrote to memory of 2428	4132	chrome.exe	93
PID 4132 wrote to memory of 2428	4132	chrome.exe	93
PID 4132 wrote to memory of 2428	4132	chrome.exe	93
PID 4132 wrote to memory of 2428	4132	chrome.exe	93
PID 4132 wrote to memory of 2428	4132	chrome.exe	93
PID 4132 wrote to memory of 2428	4132	chrome.exe	93
PID 4132 wrote to memory of 2428	4132	chrome.exe	93
PID 4132 wrote to memory of 2428	4132	chrome.exe	93
PID 4132 wrote to memory of 2428	4132	chrome.exe	93
PID 4132 wrote to memory of 2428	4132	chrome.exe	93
PID 4132 wrote to memory of 2428	4132	chrome.exe	93
PID 4132 wrote to memory of 2428	4132	chrome.exe	93
PID 4132 wrote to memory of 2428	4132	chrome.exe	93
PID 4132 wrote to memory of 2428	4132	chrome.exe	93
PID 4132 wrote to memory of 2428	4132	chrome.exe	93
PID 4132 wrote to memory of 2428	4132	chrome.exe	93
PID 4132 wrote to memory of 2428	4132	chrome.exe	93
PID 4132 wrote to memory of 2428	4132	chrome.exe	93
PID 4132 wrote to memory of 2428	4132	chrome.exe	93
PID 4132 wrote to memory of 2428	4132	chrome.exe	93
PID 4132 wrote to memory of 2428	4132	chrome.exe	93
PID 4132 wrote to memory of 2428	4132	chrome.exe	93
PID 4132 wrote to memory of 3392	4132	chrome.exe	94
PID 4132 wrote to memory of 3392	4132	chrome.exe	94
PID 4132 wrote to memory of 2968	4132	chrome.exe	95
PID 4132 wrote to memory of 2968	4132	chrome.exe	95
PID 4132 wrote to memory of 2968	4132	chrome.exe	95
PID 4132 wrote to memory of 2968	4132	chrome.exe	95
PID 4132 wrote to memory of 2968	4132	chrome.exe	95
PID 4132 wrote to memory of 2968	4132	chrome.exe	95
PID 4132 wrote to memory of 2968	4132	chrome.exe	95
PID 4132 wrote to memory of 2968	4132	chrome.exe	95
PID 4132 wrote to memory of 2968	4132	chrome.exe	95
PID 4132 wrote to memory of 2968	4132	chrome.exe	95
PID 4132 wrote to memory of 2968	4132	chrome.exe	95
PID 4132 wrote to memory of 2968	4132	chrome.exe	95
PID 4132 wrote to memory of 2968	4132	chrome.exe	95
PID 4132 wrote to memory of 2968	4132	chrome.exe	95
PID 4132 wrote to memory of 2968	4132	chrome.exe	95
PID 4132 wrote to memory of 2968	4132	chrome.exe	95
PID 4132 wrote to memory of 2968	4132	chrome.exe	95
PID 4132 wrote to memory of 2968	4132	chrome.exe	95
PID 4132 wrote to memory of 2968	4132	chrome.exe	95
PID 4132 wrote to memory of 2968	4132	chrome.exe	95
PID 4132 wrote to memory of 2968	4132	chrome.exe	95
PID 4132 wrote to memory of 2968	4132	chrome.exe	95
PID 4132 wrote to memory of 2968	4132	chrome.exe	95
PID 4132 wrote to memory of 2968	4132	chrome.exe	95
PID 4132 wrote to memory of 2968	4132	chrome.exe	95
PID 4132 wrote to memory of 2968	4132	chrome.exe	95

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1004
- C:\Users\Admin\AppData\Local\Temp\2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-29_8b748f95ad812cf56a9f1f6a66cb11b4_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d4,0x2d8,0x2dc,0x2a8,0x2e0,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4132
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffca1ffcc40,0x7ffca1ffcc4c,0x7ffca1ffcc58
    3⤵
    PID:2944
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1920,i,372581889825892450,8176431369943615235,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1916 /prefetch:2
    3⤵
    PID:2428
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2148,i,372581889825892450,8176431369943615235,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2172 /prefetch:3
    3⤵
    PID:3392
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2244,i,372581889825892450,8176431369943615235,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2276 /prefetch:8
    3⤵
    PID:2968
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3136,i,372581889825892450,8176431369943615235,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3168 /prefetch:1
    3⤵
    PID:4128
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3144,i,372581889825892450,8176431369943615235,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3212 /prefetch:1
    3⤵
    PID:4660
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4472,i,372581889825892450,8176431369943615235,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4516 /prefetch:1
    3⤵
    PID:380
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4316,i,372581889825892450,8176431369943615235,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4324 /prefetch:8
    3⤵
    PID:1708
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4832,i,372581889825892450,8176431369943615235,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4848 /prefetch:8
    3⤵
    PID:1460
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4864,i,372581889825892450,8176431369943615235,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4728 /prefetch:8
    3⤵
    PID:1720
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5072,i,372581889825892450,8176431369943615235,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5084 /prefetch:8
    3⤵
    PID:5392
- - C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:6116
  - - C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x2bc,0x2c0,0x2c4,0x298,0x2c8,0x140384698,0x1403846a4,0x1403846b0
      4⤵
      Executes dropped EXE
      PID:2024
  - - C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\initial_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5736
    - - C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x2bc,0x2c0,0x2c4,0x298,0x2c8,0x140384698,0x1403846a4,0x1403846b0
        5⤵
        Executes dropped EXE
        
        PID:5892
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5160,i,372581889825892450,8176431369943615235,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4876 /prefetch:8
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:5380

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:3704

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2948

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4884

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5092

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3896

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4228

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4092

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4320

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:548

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:632

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1252

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2448

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1348

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3592

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3460

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5108

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:804

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3984

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3184

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4548

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5192

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5292

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5520
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:6128
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:5680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
afb74cecfd86f7863bf26cc436e58804

SHA1
f8450d5b6ebb066422703a1bf5fb67fe280bab1b

SHA256
4d81f9410baa2c1efc08bd0d3bedc8c921dd70d7400325af8db693d82662d93c

SHA512
46169fcac34669eaa5274122b3cfb9bdcf24228e6485e18e572c317707e531f9cad0677d6ee443ce111500a32f38a9b71a27368661d7ed24c01003661647bc16

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
40757fcc42d6b106f628669d0fd371a2

SHA1
43ddb7b41def17aed84b05a2e24aba988396798b

SHA256
b400b8d05fbae10b0a09e3517bbe4db35f980b05d97e394c36c6614dc9021630

SHA512
310e14c4001b02621b366c281b1e9fa5127e65eb45e211346baa4cc8f1e98a1d30ff09782974cc0140461dcd8cf460e3b1f1f38fb7c41d5f2e23c21263af3e96

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
36c233c20b68c7579a8ef4e91641a6f9

SHA1
5d93041f3cf145b3421f7b602ac158cfeda7267c

SHA256
cf2c6599dab8a0f085d7bef423f2a110d1be0514f84c05e806052c8cf0b89a96

SHA512
2f63bbe9c1c4f6f809209e4310f9d5db1c606671d4813583d8d2e0b834178d87659ef8318f27de68e1b48fc21c127842da9063a891c016971812e7bc8777c8ed

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
0d53ad3a624e26116074a0e37d998a46

SHA1
88ec5275862f658ec66f98a579a765d9671554e1

SHA256
a108d30d216cc1c8ff42f44ff168a37498e0c5c243750ec519fac1ab547d4538

SHA512
3304df83e6418d7ec01820ecf6171c64b67ef90e50ccecbca8dd4616847c5d498438f25e45d2289651eec10404878e8cc5be7dae6eb978864ea2907332e3901f

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a412a28ba671e56639cc3cea95d26ff0

SHA1
61769503b9df55f33aa2ade56ecaecfc4047f4f9

SHA256
7a2c563918fd61e039e13d49c8403b7ba4e4e93da977f1809d2914aa1682aade

SHA512
f139a340f743ceaf1f6347ca4bce4af8c237dc5c36069b8337b8763a99cbc917bdf45ffabe4cf842796bcff83c232535f125a4c1d45cc69ae4913cc8074f4681

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
6767b99852f862ccf147dbb1ce153c11

SHA1
ae5261a74067e1a1c8ba4c38fe426fb1f2d0d6c5

SHA256
461d7e27e6654873055ec78ae60cd3f9a6fdf9cf65f56bd97c2a82c9c04a15a9

SHA512
ca882d1e6188d1af37edfa09060b63efbfd390b99fdc24c41e851c661ba3861dfa14c3b6a4bf0b081045b74396396ba08f4177294437743f5ea7d52458df7bac

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
abf78f9727d2ef7c90eca47c2976c908

SHA1
93a5a191e0fd53f710a26616a5f1d8532d97444f

SHA256
3774d09891b07d0e173aab2035bbd00c8a598c010cabe29ab04365e512c60485

SHA512
2c23bfeeaa5bf083024e6d4b5be921541190d7c91152ab850644ea123ece37702cffeb533ebc7ae45df3741fd01d98a72d05a765af279d696dce94c50bd9431b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
9ce2154461c741fb95ab31756efff74b

SHA1
990808dd17c62fa4410caa842655e3d06c6b4a8f

SHA256
83ee3efb884af2f49851de0337c74cc7265891f60cc520ed362f8888b9227dd6

SHA512
c436b16e3622eab0910a5c4ef402d21826c347f43608b2be14ad4232cf08c6f0106700a4afd7a4d5fa60676b34e5e7a6239c5061c155a58234f61294109df2ab

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
843a69fd0cd2931c5b4e5a352ce93131

SHA1
ccc4e0013fd41032ad8f65b83eac03fbc403e7ee

SHA256
cd9ed5a865e1341b2ceead9119b6f0ddabf2762c9bcbd65481e85eeb10276259

SHA512
c9b20c3759842c6465ba10413b4990d2ef08fcdf33eee61523d9e39330762e3fcbb642727b9e8696e286eb8b7c99509493254f20184415eefcc6f116383ac9f4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
e5e66bf60178a8f148a41cae9e5c57ed

SHA1
27b8437e52289a34e1a0394524b77068cdf5fca6

SHA256
4c35d6fa04d45f900bfb4bd5cf89a20f0eb33a7fa49e0ce83af5a1b8a8f886dd

SHA512
16c244d53be508e2b0b8abe420d331d52a38c382dfd28526c05816390234a3da38a18a039c9ec7a34d0a1d7f52002c456d74da839ed56a15f675fcdbb887d226

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
9836b1d0e29afb76e3c6bf0a2034d700

SHA1
39f4f0c78a9bc56a553962794de97d966eb25f51

SHA256
1f71e981338104a4c202b1c9f2bf9900656a3f7e0cc59678225e7ec6f4416eb0

SHA512
5d16c09a5b95f2c819cc33edf9fefa15ef04cc96e053e933696c97432684673f3c0df4e268ac29885491fa4c09159f1a922689b9bff24bd0e5325c3f19821dc8

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
5e23f8d2ba871c873a6bdcaadb88bfec

SHA1
c2ca230318ce5291488c238aed36a08d7127bf92

SHA256
c605edfa4a2ec0eb53066668b039a9630151e1deef96eef90c17b12430e4d910

SHA512
0903c44f0a1b392ac8507553e869b8acd1c7eaf4c6ad22ae30f6cd855a9a33fba768967015251557e82faecf9e7e471206a5b97285c8788c5ee8538a2288cc4d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
4b60c1dd2f558de8b4a2a70c367d4db6

SHA1
364355f51386d06899f98b062fad7c4ea5f7d5ae

SHA256
d19981b1a305f1be971deeb0f1ae02710327db053b6c89b30c19300acb3a0172

SHA512
41d339b5b4d7f29124e7e2da02584255712508372f520dbf4e114c8e957777f97a1cebe84c80aa5bf2e2c39a4229d6ccf660fdb7412a6d661eb6b854361b0b10

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
2c036cfc5ff1bd07d9462f549419d432

SHA1
c5a43ebaa7fc55658a0455ad1f858cadefe7dc99

SHA256
092ab4cc93f49d432991039ea95808c4310ea8eabf95356f5f7cc7b408dc4823

SHA512
cf806cacefe90101fe92ec5908918573e4b2d6652bafc22f3ac8b1feff7fcb1585de1a982a1c408aa9403e3fb76cd991b07c02e7d44b1250a04281d3e46e2397

Download Submit
C:\Program Files\Crashpad\settings.dat

Filesize
40B

MD5
21051c2d2b882db5fd154d892912f80e

SHA1
efd828e31a80c5bfc0eeacce5e107bcbfcb4ac45

SHA256
bd26b7fc11b6811a1569980ded3004fd57ad9de98942460f30db817694b879ad

SHA512
5b8f81ce088beee3e198a65294d026952265795ce9d8bdd8b598a241905c14ba89110cafa9bb4b9af1d97c188b91149d6084ef7bf3b4cba320d6a39722f8f44e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
556be2f60d0e152a20b9b030c9241e8c

SHA1
4dd785faa4e18d102975f5a2d86a01913fcc52fe

SHA256
e5f06df2e3b844d6bca2ebfd9a8a8a97a4a210f22f4deb24d46a33796910d03a

SHA512
c58a56911b897362f40b73afb4663a40bf56ac553d0a92376f4bdb7d172b0ac0cee1eb1a1aa5e4467b032a2c468e7e1489e2c2a6f61e049377c3a9287e6c3a71

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
93e766d4e63359728e13aa7ac7e7ef25

SHA1
ab5e928740dc52fec6a0bc4e17b451290abfe493

SHA256
866572a7b567a17d33f04754e9728e1ea9327103a87aaea57cc4615d03292d64

SHA512
c0f3563bb9876c1ac85d17d0d18d8295c5f1b0decebecd70d68bcb4518378d9122e81eb0f543ea740d606fef04290c3774f3956134e09a3b4d2a5ba45eef5b18

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
08d2cfd172e6ac28ef93af6d6e6292be

SHA1
dfece680bc3dd108f64e176a5544fd5ebdd1fbb7

SHA256
a5028f36ecfd554a6cfd5bde7d584de732fc274bf141beac8c2e26a1769e723c

SHA512
80b063bff3150b1d9be135d7dcdb93b167f5eca98d76719cd873e73497b297e411b581218b1fde223341816d28893b139ba59c3593cd4466aef0b634184ce2e6

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\20240429123558.pma

Filesize
520B

MD5
d7bdecbddac6262e516e22a4d6f24f0b

SHA1
1a633ee43641fa78fbe959d13fa18654fd4a90be

SHA256
db3be7c6d81b2387c39b32d15c096173022cccee1015571dd3e09f2a69b508a9

SHA512
1e72db18de776fe264db3052ce9a842c9766a720a9119fc6605f795c36d4c7bf8f77680c5564f36e591368ccd354104a7412f267c4157f04c4926bce51aeeaa1

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
75ca289b93a3f113a66d71f0a95180eb

SHA1
e90eac2d4d4444177afb852a9f86cdcd10b25a33

SHA256
5ac2c3bc79bfffee2d07d5145acaa027b165dca94625f3f3e4209cd3846f95a7

SHA512
485099bdb6de07bb6498923787aefeec33c10e546ad52d8fa9cb2fe3c7d313d4bcff7cd2fc244a153116f50806ad67d9b834b102a4e48fcc84cfad77651f9e69

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
84e643ded79645d4ce135d87f8c03037

SHA1
ad8654f18c36f95bb895c07147077e2b8d3bd9b7

SHA256
756784d187af31bf7b520773c392e1f3503e97e1e9041ef7b3678d382c707d89

SHA512
4e664cca4cfff9c706a9eb60a4bf3c738fbfa9a1bf2c5c32e7eab521c8911279acec50c4b8cee1e8d51e67e227ccbb4f5cbd27809e0e983e45a1b4a772c617ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
3eb4b9188a315a4d30e34f2eb8f8e17c

SHA1
89fde736db70290a849a4b96bcc9f9403763bcc7

SHA256
8032e6f3244a49b43dbbb078e461660f87fd44d342ed2ca5ee0a9b3aa6478e0a

SHA512
8ac9c263000be2607bcf3802c0a7e7cf8e804fbdfb788079019ba9a009816f4fb75275aaae6d119a30af76172a5bfb7b72e79807a17c336930f80becbcd65df9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
4d467743cad7655fd79d782f3e88534f

SHA1
4d1779ccc12447fa05931c48e12d313423ae3c3e

SHA256
524c6d2a60595828cee3379ff774f133fb5e84819226242322d41a084a502a7a

SHA512
d270c1c2d775317c1acb1ef29b3d981aceef543d1f604d5ed096674ed21a5e5d151fa83a67eafc1ce1917790cf2a92b11f50f066c80b76672e2a93f662c2b601

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
192KB

MD5
a8cf54419129b874864cf206392ece0f

SHA1
2d8f78e5d6951faedba3257d5794227f34c50967

SHA256
b8a7649c907c010db609d7143f3f0601a385b9cf803f4b0bddb449c41151cc1f

SHA512
02a77857be5123636fdc44791f6cf7a4532fa53e34576be7f6ab21da51ef400fc138d7dda6a2880b2b42ddb22a803a1897e4f95ea3479487af61a199c7929a8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
f9f7d39bad95f32839a2286fa1a38565

SHA1
ed02f67d6f3158919ab57bbf2cd27bdb1463f030

SHA256
deb2e4934693110cd02d7699d2101ee3b7eea545f01453e25a8ee759891e2e43

SHA512
871992217abd987f204ded1f90af74362ee85d46b650785c1e1aaddb963c9af4429d6c9c9b348b746096d3a9506a9cba9d2fe6cd5dd79d3f648f04229c27683b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
aae341524e04553d681ec44d4a3bd533

SHA1
d093d2b43a50486dff28bb11b14fbde91d95c01a

SHA256
4a2fb12dfab156f7e81e8c8d2f1b4ca7215a22ba798a6c3c98011f747dbe3a9f

SHA512
c1b1fa8d8c86c0b7639572ba360b3be270ca401038fcebf0d43e175e69099135bd82a92876460accf3fdb4fd73237c4f8d71a114ab044ea89e9dce3c0cb0ce76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
d90ee7b00de3c842fcf2951d293d026c

SHA1
9a3f620e151b8ac003ef2856c3b8b8dca3887de2

SHA256
4c5c7f2ed70732932c3ed106a30ddbf3e6aa831da6ca4f5140618d392f5b38d3

SHA512
584f66929be5048be158d12e80d45c1ad1cb62c2f0e4ecf6fe4959d3df5c520cf32a30f27b670cbc4585e3895b9613aef4f43cbf82c3a2fed64653e8d4e88dfb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
4b66216df9dea8b7dacdde031d727920

SHA1
e9562a7be077fc6d80a11643e0f7d62825700f90

SHA256
d63584b1c99a249068860181105408f7e0c21ae97e5e29cf57b89db787bcd9ec

SHA512
641f410850e4f8686e571d9e5df097e517f373a99db52f5142c14e9e34986e4f8a5002c248b131743e8048cb493c7ebedacbd079d5354cad2761de0a7931865c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
25bf0bd2a6dbbd1bfd333526e7f388ae

SHA1
4a9041602284e64bcf9fec5390f2bad41849e2b2

SHA256
32846c287d7fde027a44bbe1cabfb74b95425732368cceb6200a55da83da33d0

SHA512
fe7899b1926cdad53abe8d3b898a9d23d46c445a4c9a23e2f48c8204f10dc95c029ccd7c2a8b578c69a4c107b8348202fbb6a8373bcef938f33fbe1f7af61a00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
f4a5a51c87321ca838a629443c122b75

SHA1
99c4df938d394d3cc56c64d2d0de7a6d54e38da0

SHA256
62b94d8cc96b08e42e7320f41f42a22c2c8752535e16be08a23c6b58e7239be3

SHA512
c1ca9f1c0b20203d24976088a56b0ddc3fa572e565e87de79056bb1115a1e28ab47aabf3a0cabbdf2152380016242650c6a8fed13d73e649d53239214528213d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
c5260a7cd6dde55742fc5859ea40ad68

SHA1
9e637a68658fe8a8d26f62189e9754b775f9b2e1

SHA256
d707d41a853c1185f314b889a4d9d0153247cc4c8986b6319b8a76988c17cdc9

SHA512
2e8b74bbf97a5bb535a12174cd5f85e9258ba2dac389637886d5ef615fd441439b6eac88d8b24e4cd71da9a2310a700cd33dcad0aff43692a2f90f8131df6b45

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
ac6069bddf99c4553ed6be66a09f7742

SHA1
376b7fc3e94d79e467c3b5fc8cbefb0a06a6e195

SHA256
e696927b679dae9333268b1febd8a4d30028cabdbc87886bc1d971cd25292b69

SHA512
2ac07cfc215feab42ee8fedc5ed4193ae867e471dd0813f0b5f934ff6ebafa0ba0fd1aa2bf281b48d08a427c7e551b08d753563f76368085f4d96eabc705d7cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
b4e5d2160060776096ed2e4e1936a3c7

SHA1
8ea0bd56e955f503198beeb297ad98080ee41eb4

SHA256
b03d2efb2786856bda170bf349b0d9b7b6375d3c9ae7d3ee90ae855a590e735f

SHA512
ca5a3f2a31b359d717692448680062c2269a5644890aa029c3ab46c8f9908891de134d9148b100ea372d6973a42537ccb6a993503eaa6bb6e7f3892b68f2f450

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
cd7346b80f8721c8d869784eae51cb64

SHA1
4153f4634facc940ca797bbb4b22731568e98ce6

SHA256
68b9c41679b0c4ee02d53c20d59887cc5ef9b2c8ae1fbea2b8e7625326a95a56

SHA512
d2af4018da1b9270165d93deb38da820abaae08f86abc45165d7c4d57298d3c4060423158da9248533e5bfcfb26f85581281517e27c18538ffc038658e0ebb6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
1039ccccb6ca0227807bac3c426249f3

SHA1
33161d292cb6d87b588241a8616dcb73f09ff9f7

SHA256
7579a08f44f9014c67f0d093e6f2b1c2ba392fc0cc02872905555dfbc77b9dcb

SHA512
613dd4f01c4da218be336b82d0b35243f22d7499430536bac73b942520dc5e94a6ba8bdf1eaef2f6309296216cd3a22dd8618bcf138d3dc426073fc3329e21f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
aab2c3851c1703af23674d6d86841dff

SHA1
05a815f18f3b90456d09d2e39fdb05544c01f01f

SHA256
4b7df2950ced8cb665c6a54191c3b1b89debe5747848518adb69b7d997e5ed70

SHA512
50380bccea129c51b212f2fa37f80fe5da6e6958af67495ef68b406e82bb0b526f654affcc8810bedd526d224589be74b84c028ffdc7c774732018cb90ae7c51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5763ea.TMP

Filesize
1KB

MD5
d8c020453a9745d3cb6e966101a2171d

SHA1
599f394ce1fdfc46c360ccc073892dc2dc98eb4a

SHA256
f739329dcdf0bc11443f2eb18f48b5f721183d20e9269cd2ed983d35021db35a

SHA512
9001b06ed627273807c8cbb383febb231f52bf813074896f4f6a7ab20ccb0463ca135f36524934e4586bd872877a8a128f60db53d1591ec8a166d4bfe0894723

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
bb35f2da95afe66862cf3e63a401526a

SHA1
23cd356a65efa04011c834428eefc4630f0e3373

SHA256
a2e773449cba1950d8ef74a6bd2011b8ade45a4dcfc715787823e3d3a50d36d8

SHA512
462b7a9d5de2ff412a0e0e49d5f651605548ad44cec66870cd0b3888b12f808eb452a67b9165fae419c33325e84e71d2fff14bee3949b9bd822b3148316d6d3c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
152KB

MD5
a6a7326e150068ee2be4043a83f3a983

SHA1
4ca5bcd6d49dfc37211ea98c56b82678f7d83e87

SHA256
2540bddf941cfea7e24faf3efea3c02a11a7cbbd3ed438b2a52657c09c6f5a5d

SHA512
65d54148ae9a88706375d06a00865540589a849c62d5cb926afb49b68991610365b7cd89387f00c79d0e168b36b3e71fded002f8097c5e86536d5254120b9af4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
153KB

MD5
fd22b00b848d346b169e1a1e7ce29d82

SHA1
9e3be3c45f1ec573e2b99c1c4af4fbe48270172b

SHA256
0d65580a0fe832c55f51749469a086e81e825e1238e07a2244c76cee992800a4

SHA512
c229656ac02befcab31d8710db9f2b142236559f165bc5ba0eb0b3d4974ca9867fb4892ecccfb4cc70d31b307e2da25dab13b91cfaf6c85b572f53a5e44f7727

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
812dc41992c1c9f8903bb1228fe555bc

SHA1
3c0bb7478291a80234c9ef766168ebde1e07be12

SHA256
bb491c94cba252c49b5104241cbe69aebc2b45118a44a6359f978f1d2fb72811

SHA512
744e04270ad41eb07e9cd0559b5b92695d05ed4e36dd837598a6dccf555a8e035f228276ba91f438428c09891300deddb480f14286ba8b948e9af3d4ef26d4c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
5f7bd30451375959108564e153919d43

SHA1
05d138b461e7e49806bd3248614519783081d6c9

SHA256
135a92759cc9631b751ff88de45e289c1abe365cbae586a1e8ec5965340b060d

SHA512
f39def6fbb227bd3b8ab898416c7ef42d9d75d5fd44a228addb398e188fc9d416bc85092d980c3a1d10f066f05d2877ab08807611f28ee07388637f273ff6efa

Download Submit
C:\Users\Admin\AppData\Roaming\78e2261a7489627c.bin

Filesize
12KB

MD5
ed6fe678df4f534d1ba598667c68a9c0

SHA1
bd42785b78f7f7d4f0e51dad4a4eb65fc7d92955

SHA256
92eb5565993e3fb460cbe1c8dbd8864b29286c2a91ed326b15075799c63a71d4

SHA512
cf5d8960f4e1bce1c00b462af53f51531216fd84eb9a39e9a5c6c563d8d9182764f10828c5ee02f2d0be9e3e6b5ca2c94a525a40af028780840ffdd887c2a33e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
9dca25a133e1387d69bb6f11122c2543

SHA1
6d83576f37b5365074a80ac01204462a5eb5f4c5

SHA256
deb251289ba560a10d094787ceedea849a0ee4d6282a6bc9961b98656a4434b7

SHA512
7cf67dfc803144558d8e25974ac480163e557a5b6738fc60c1d70f85a0f6a3c5a5b457955bcff496b7b3f358f0390bdd2435eebccded6204b9e480c035471469

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
6b0dae88f83806c9c9bf82cded4ae311

SHA1
9f02945a86ee88cf31a3827afa62cdccb6bd2465

SHA256
d2a0afa89018a50198b2e153a9647204f4d7e8a1dfc5972d80a58c4fd24e34af

SHA512
f23466541dd565dc99d4beb241c68fc438b849052945d8d86f7d5261d4c6e9be218c2976d99edc844ab3ec992e071f5bf147e9e8634abf4597b7d9da57c7e204

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
b2de2041fdf69944df7527123652c23a

SHA1
ab64977b53e80ea820bb16340fe3d5433520d42b

SHA256
c8bcf36d7790def3c9d952cef6c3f42c72724ed5e9c3f111e8ff77c431cc63ab

SHA512
63ce33ceeadd5be76016ce09ca77cf77a7cc331c32c0b9d874de0390fd3d262b714bb049b0a03446e87c82e4c471ed128f27d3ad2275cd1ec959bcce114b168c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
314222eb0c9d1c739f26ffd193e9a149

SHA1
d448ba05d0ad619e67643eb97cf3b918d511acb3

SHA256
20ddf1569e3b4133bf15d579bc4bb16bc9d378f75618558816cd5717a7b7e2fb

SHA512
78970d5c09202303cd4c8efeee671694e9f12e64b0a76fb1fa3cd2855aa250e4216d2c7f4aa74ae9f4997fc39dfe00f94de47839381b4cb05610cfa6fc632cb1

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
03fbbecb146da38f142138840c93d959

SHA1
7a24fd9698460d3ea024700f6ad59b5e38d4f631

SHA256
a61af415e7def2732b0af2b064f5fccb82622eb0a07e9ce0901499da85c96c54

SHA512
2ff5a67bad1e43543fb5224215740b2a3a019d4022915423d7ada947b5800d1c734f00cf368c7543cb5a160a596cbab128458678d36c9ada18b961e52e1ef0fd

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
6c076e68bc2c3d039890815f1558f4ec

SHA1
331382a90e66af233636e021bded4140c1d6e7f8

SHA256
da6a421b85f082c1b34fec514adfcc78d69714c70bfdd471345583ae07a54321

SHA512
b600ffe66af1a1ed702bd44ea30e4889385af0a8200ff742d66282a70ac798fd525722653bfbc00186a3816819040aa95c7ac75938a838690d48ea8cfa2cf627

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
a3f21d88ba98a8d892b8104ac48edf10

SHA1
b90c470f501f44c913bb7e46cc707211b8b324d1

SHA256
2f42b6c2cda12853569ebc3566447cf29f657e63e2c646ef2f9be6f7c75bf934

SHA512
b07fb9b42f80df5215e5096956430058c575124eaa4655a9184ee90a0bcb5a0705e1d15b1ca30579cd98d783411543702d4ede707d4ba19729f5de4b0aa2901f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
028e37d1c50a4197c4e4755d54c76d77

SHA1
122e8959f73f333edefbb32fd679e92d20dada42

SHA256
db301fca8c981d038e5c86671cec07d21a69b9e827ecaeb099b5fd8bee88f6ce

SHA512
c8cb258e68718bf3af89c88229b9a44e1750f36f84cabfd7294c67c703fc761f2992724fb689a6d54903850899d17bf780d0c8461990aea81414c9dc1612f90e

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
2259cc840db42eedf675a4f016da9d2b

SHA1
76685efc2e0e61be9794e39ffce4fa856c0e7017

SHA256
cc1ea0c05a83f1afda8e0a6b2d60ce90a265c99675bd8c1458f7b152f385bf7b

SHA512
c3346d107fd7b89cf8622099e3d35bf39ddd189a4ae7bdc738112dde804a3defbcef43584dfcbead91e31be5b2939331eebfe0d87665875ed3e267efda227d6a

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
26ca8c4aa850b1dff58194bca73463c3

SHA1
890e45d2f97ccab17fdbe19f26befc62811af247

SHA256
411abf98ce4011b7dd423e948465f9b31ab153addaa82104969d6e85ebe47799

SHA512
a88a1001ed12affa2479f5fafece52ba6820f75f75a91cd39e181e522ea9cf0e2470758554a81589fe5a423ab02f825ca9be0c48ae16804fef1222255665744f

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
8eecb342bedc2b5b2729b3e532f06f1c

SHA1
1c858416938095bfdc516186a1435e252eabaec5

SHA256
3447697da177ba63a763b4a0462975471c89a633ad5f6be3573d221baa66d770

SHA512
bf9d172cf3b4a9bc005e2d19f28a81a061e218ae7eaef07bb5fb61ae318968eb2db52c150638abf1e3606834052faa94a05f368c8e747436b6a1c169f8dc03d3

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
c44df75d411e11f80ca2a72eb445bcfc

SHA1
bf5ae4ddee267257bab4861b26e529aef174b1c9

SHA256
545838825685201d42d1e9ac71ad4e8703082c3cee68140477da4e8145f53b45

SHA512
fb59f79eb31f9341dc343359a36c7ba8cd28587e6cae6bba8e450e61eebc09521bcdbfb7dec97d40bd3931c98abdba033ed0645a5c2731c766dfbabe2a90e86b

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
fdb8ec615a3d84b462596908d77e7109

SHA1
94722651004d7992836bc15a50ed4e5bcab2c48b

SHA256
9d81be42d2ac811b2cf9fba650e2f8e01c783da92f42c92ac3d6d04b42753c49

SHA512
396f4af8abe5a66201dd9984a5c001493d156e0f6805229bc8b5df538c84aed88cc4c6c88f81f7ba3fa9194cd33e81fe0989ca2d96a231ef7ed66d6aa7b8ac02

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
ab84a1cb2868e00dd46fe53f145b1d81

SHA1
fb1e67a66ea295de93900dbdff86624087348d90

SHA256
9da401f5fb3e427a00312eaf349bf8ff78c2b3560d9f04afa816ca663337150c

SHA512
12de6442ba87186ee110fe50197c325f89e67d9837c721ed8fef8aab2d88895d4cb4df47d94409981751bf812b1e6976e08da14f92746512dd340996c6c52861

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
2cef9197c819c80ddb022d8c5184f379

SHA1
af407aacb0e1062ecf24db207db09a33d721ef12

SHA256
20e8633d8eec0a2bca6d1999b972dfe7d618087c807b42b7f0c9af3bd2c6fd86

SHA512
66fff15a93f0852eeb647c4928836788cf38a06e39b850444eb2f81c4ec67b8992e7aac1b1a9ef458903e4e2847e6f2048566ae9882db73ec9997b6152b4ae1c

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
aa280e38059eee2fcf3c5faaba3a3bf5

SHA1
fa0a183d43bc4925f8adfbc93bc4b433dfbb315c

SHA256
a2289486746091e3276298205652de392bc4c7dffcfe3ccb9adecbb0448145e5

SHA512
4931886b6dea93413d5d6a1bdeb07b5e96b1bd61fbdb04e72973aa8a5dec825cce05665c4342d98d9c09556de1ff62c6edc8cb1e8a94bad1a4a8b50ef156b6af

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
cf847c8070940f2f44f0e5955d6ed3c9

SHA1
48a7d52972237de0e93edfd281bc81c5c28ddc74

SHA256
7567652143fd10e62e494c88e179b2c8ed266a0f89037f18c492056553fb2237

SHA512
82bca7490a2d9455c9822f1e91a69e3641382d4735207e01474291146b021d66de7b46996cbb9c2f059b9ef3cfc472886d977a79fc1736a62ac1eb59a1c5387a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
cdb7b31568585603a338956d9d4f06fb

SHA1
6036b1d36c8c4e17f731dd28c4a866bbab24e234

SHA256
815b0df9ae31c7e533ab6e15e7012095f2041679be27015dea92aba80272e1a7

SHA512
12a8cc7770594710143b0a037384a284b34c7ca071d7749705c00a25c74491c9df56f41df52da69ce6f26223495d26b81bd98a69c462453e967ad38789c96bde

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
bf920bb7e12ee3d35b3aaa90843a4f53

SHA1
ad6317f054a19c3f289588ebf011284977e8d52e

SHA256
78aeeb67bd79e733a689ba7d29da527b8c9fb517da67b1b77458c8e93fb759e8

SHA512
fc4849c2dd0c992cb02f558980da5fb2ad76e3bf712889fdba15068adcfd58d8bbe2d70bad187c0a6fdafb296bf452fe989c433e468a2c3685e5515dfe9cb43a

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
327600526ddb0e2ddbb37b81e11a8561

SHA1
17813606bd351f5dc0b0aa34a10da3d7a9bf02ae

SHA256
3543c332cbfd2e0a95ae1fd4607907b22abd0d1a048b5368c852c531e3b8dbf1

SHA512
7a3acf2d6504331b2fa929672f85e4c25af7a571f97f900265523d8408c2c8881cd4aa0b519424cbab961a1dd83d28304ff45c97f708d588e5a3192b869c9e11

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
e94eaacdba629e41176c8c7b95069022

SHA1
0265a1ba7551acfa12615260ff705094c8709ff7

SHA256
b3f38cbf8fac73624c020abab51c77289d096999f91e637aaf968dcaa57a3cc8

SHA512
beb14bf9f3600383b69895a3cc9356ebe863dca2304c421292ab5ed857db7dbc7e0e0c2e86d8eb7e6d19763c378b8099449a7cae76ca497e736ca6ca17eb8da3

Download Submit
memory/548-301-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/548-144-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/632-162-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/804-617-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/804-237-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1004-0-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/1004-28-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1004-22-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/1004-9-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/1004-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1252-167-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/1252-429-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/1348-626-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1348-469-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1348-189-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2024-453-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/2024-681-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/2448-179-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/2724-236-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2948-54-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2948-53-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2948-45-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3184-280-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3460-616-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3460-235-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3592-201-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3592-499-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3628-161-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3628-18-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/3628-12-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/3628-21-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3704-41-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3704-35-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3704-31-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3704-178-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3896-74-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/3896-68-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/3896-78-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3896-133-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3984-260-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3984-257-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4092-95-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/4092-104-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4092-108-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4228-85-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4228-83-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4228-256-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4228-91-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4320-134-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4548-281-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4548-664-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5092-111-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5092-58-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/5092-64-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/5092-57-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5192-665-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5192-293-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5292-666-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/5292-302-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/5520-320-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5520-669-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5736-486-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5736-546-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5892-682-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5892-500-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/6116-442-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/6116-560-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download