d8939e7cc7faee8d3c26dbcffb3f22ac0686a6f4783ba60c2e3cb7a5de031cbe

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
01/05/2024, 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
Size

5.5MB
MD5

40fe9e4429c90eb6b342a89ee1dc92ab
SHA1

dbe5d65142538d04f65e32f86673aeab1c32be18
SHA256

d8939e7cc7faee8d3c26dbcffb3f22ac0686a6f4783ba60c2e3cb7a5de031cbe
SHA512

669599e8607b557da4a32300f9c4d7b43940d6e72a266b6d106eada8abd07d8c2099d7b24e8b1c29fd77281b3811abde6e71d8f31ec579d85c8727149fa8fb99
SSDEEP

49152:ZEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfS:NAI5pAdVJn9tbnR1VgBVmKDb0

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
5116	alg.exe
1400	DiagnosticsHub.StandardCollector.Service.exe
4896	fxssvc.exe
2364	elevation_service.exe
4820	elevation_service.exe
1300	maintenanceservice.exe
4516	msdtc.exe
2544	OSE.EXE
4648	PerceptionSimulationService.exe
832	perfhost.exe
2032	locator.exe
3528	SensorDataService.exe
3440	snmptrap.exe
960	spectrum.exe
4840	ssh-agent.exe
2340	TieringEngineService.exe
4008	AgentService.exe
2164	vds.exe
3180	vssvc.exe
4252	wbengine.exe
4656	WmiApSrv.exe
1424	SearchIndexer.exe
5800	chrmstp.exe
5956	chrmstp.exe
6092	chrmstp.exe
5200	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 34 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\37f1910085ca13a2.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008ac2d6c4f79bda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133590627312742365"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f39fe7c4f79bda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007ec963c5f79bda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009f0896c5f79bda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000866661c5f79bda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000344391c5f79bda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000977974c5f79bda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003125d9c4f79bda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b5771ec5f79bda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
2736	chrome.exe
2736	chrome.exe
3852	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
3852	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
3852	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
3852	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
3852	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
3852	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
3852	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
3852	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
3852	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
3852	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
3852	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
3852	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
3852	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
3852	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
3852	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
3852	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
3852	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
3852	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
3852	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
3852	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
3852	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
3852	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
3852	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
3852	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
3852	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
3852	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
3852	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
3852	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
3852	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
3852	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
3852	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
3852	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
3852	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
3852	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
3852	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3312	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
Token: SeAuditPrivilege	4896	fxssvc.exe
Token: SeRestorePrivilege	2340	TieringEngineService.exe
Token: SeManageVolumePrivilege	2340	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4008	AgentService.exe
Token: SeBackupPrivilege	3180	vssvc.exe
Token: SeRestorePrivilege	3180	vssvc.exe
Token: SeAuditPrivilege	3180	vssvc.exe
Token: SeBackupPrivilege	4252	wbengine.exe
Token: SeRestorePrivilege	4252	wbengine.exe
Token: SeSecurityPrivilege	4252	wbengine.exe
Token: 33	1424	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1424	SearchIndexer.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
6092	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3312 wrote to memory of 3852	3312	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe	84
PID 3312 wrote to memory of 3852	3312	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe	84
PID 3312 wrote to memory of 2736	3312	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe	86
PID 3312 wrote to memory of 2736	3312	2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe	86
PID 2736 wrote to memory of 2456	2736	chrome.exe	87
PID 2736 wrote to memory of 2456	2736	chrome.exe	87
PID 1424 wrote to memory of 5076	1424	SearchIndexer.exe	113
PID 1424 wrote to memory of 5076	1424	SearchIndexer.exe	113
PID 1424 wrote to memory of 2724	1424	SearchIndexer.exe	114
PID 1424 wrote to memory of 2724	1424	SearchIndexer.exe	114
PID 2736 wrote to memory of 3176	2736	chrome.exe	115
PID 2736 wrote to memory of 3176	2736	chrome.exe	115
PID 2736 wrote to memory of 3176	2736	chrome.exe	115
PID 2736 wrote to memory of 3176	2736	chrome.exe	115
PID 2736 wrote to memory of 3176	2736	chrome.exe	115
PID 2736 wrote to memory of 3176	2736	chrome.exe	115
PID 2736 wrote to memory of 3176	2736	chrome.exe	115
PID 2736 wrote to memory of 3176	2736	chrome.exe	115
PID 2736 wrote to memory of 3176	2736	chrome.exe	115
PID 2736 wrote to memory of 3176	2736	chrome.exe	115
PID 2736 wrote to memory of 3176	2736	chrome.exe	115
PID 2736 wrote to memory of 3176	2736	chrome.exe	115
PID 2736 wrote to memory of 3176	2736	chrome.exe	115
PID 2736 wrote to memory of 3176	2736	chrome.exe	115
PID 2736 wrote to memory of 3176	2736	chrome.exe	115
PID 2736 wrote to memory of 3176	2736	chrome.exe	115
PID 2736 wrote to memory of 3176	2736	chrome.exe	115
PID 2736 wrote to memory of 3176	2736	chrome.exe	115
PID 2736 wrote to memory of 3176	2736	chrome.exe	115
PID 2736 wrote to memory of 3176	2736	chrome.exe	115
PID 2736 wrote to memory of 3176	2736	chrome.exe	115
PID 2736 wrote to memory of 3176	2736	chrome.exe	115
PID 2736 wrote to memory of 3176	2736	chrome.exe	115
PID 2736 wrote to memory of 3176	2736	chrome.exe	115
PID 2736 wrote to memory of 3176	2736	chrome.exe	115
PID 2736 wrote to memory of 3176	2736	chrome.exe	115
PID 2736 wrote to memory of 3176	2736	chrome.exe	115
PID 2736 wrote to memory of 3176	2736	chrome.exe	115
PID 2736 wrote to memory of 3176	2736	chrome.exe	115
PID 2736 wrote to memory of 3176	2736	chrome.exe	115
PID 2736 wrote to memory of 1608	2736	chrome.exe	116
PID 2736 wrote to memory of 1608	2736	chrome.exe	116
PID 2736 wrote to memory of 4472	2736	chrome.exe	117
PID 2736 wrote to memory of 4472	2736	chrome.exe	117
PID 2736 wrote to memory of 4472	2736	chrome.exe	117
PID 2736 wrote to memory of 4472	2736	chrome.exe	117
PID 2736 wrote to memory of 4472	2736	chrome.exe	117
PID 2736 wrote to memory of 4472	2736	chrome.exe	117
PID 2736 wrote to memory of 4472	2736	chrome.exe	117
PID 2736 wrote to memory of 4472	2736	chrome.exe	117
PID 2736 wrote to memory of 4472	2736	chrome.exe	117
PID 2736 wrote to memory of 4472	2736	chrome.exe	117
PID 2736 wrote to memory of 4472	2736	chrome.exe	117
PID 2736 wrote to memory of 4472	2736	chrome.exe	117
PID 2736 wrote to memory of 4472	2736	chrome.exe	117
PID 2736 wrote to memory of 4472	2736	chrome.exe	117
PID 2736 wrote to memory of 4472	2736	chrome.exe	117
PID 2736 wrote to memory of 4472	2736	chrome.exe	117
PID 2736 wrote to memory of 4472	2736	chrome.exe	117
PID 2736 wrote to memory of 4472	2736	chrome.exe	117
PID 2736 wrote to memory of 4472	2736	chrome.exe	117
PID 2736 wrote to memory of 4472	2736	chrome.exe	117
PID 2736 wrote to memory of 4472	2736	chrome.exe	117
PID 2736 wrote to memory of 4472	2736	chrome.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3312
- C:\Users\Admin\AppData\Local\Temp\2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-05-01_40fe9e4429c90eb6b342a89ee1dc92ab_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2e4,0x2ec,0x2dc,0x2e0,0x2d4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb0d99cc40,0x7ffb0d99cc4c,0x7ffb0d99cc58
    3⤵
    PID:2456
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1940,i,12573166431707261936,4755150270517801439,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1936 /prefetch:2
    3⤵
    PID:3176
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2144,i,12573166431707261936,4755150270517801439,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2176 /prefetch:3
    3⤵
    PID:1608
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2244,i,12573166431707261936,4755150270517801439,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2212 /prefetch:8
    3⤵
    PID:4472
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3132,i,12573166431707261936,4755150270517801439,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3144 /prefetch:1
    3⤵
    PID:4168
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3168,i,12573166431707261936,4755150270517801439,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3192 /prefetch:1
    3⤵
    PID:2232
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4528,i,12573166431707261936,4755150270517801439,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4576 /prefetch:1
    3⤵
    PID:5184
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4356,i,12573166431707261936,4755150270517801439,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3784 /prefetch:8
    3⤵
    PID:5644
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4640,i,12573166431707261936,4755150270517801439,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4664 /prefetch:8
    3⤵
    PID:5652
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4988,i,12573166431707261936,4755150270517801439,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4660 /prefetch:8
    3⤵
    PID:5756
- - C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5800
  - - C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x2c4,0x2c8,0x2cc,0x2c0,0x2d0,0x140384698,0x1403846a4,0x1403846b0
      4⤵
      Executes dropped EXE
      PID:5956
  - - C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\initial_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:6092
    - - C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x2cc,0x2d0,0x2d4,0x2a8,0x2d8,0x140384698,0x1403846a4,0x1403846b0
        5⤵
        Executes dropped EXE
        
        PID:5200
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5076,i,12573166431707261936,4755150270517801439,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4844 /prefetch:8
    3⤵
    PID:5820
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4824,i,12573166431707261936,4755150270517801439,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4820 /prefetch:8
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:1512

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:5116

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1400

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1936

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4896

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2364

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4820

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1300

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4516

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2544

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4648

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:832

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2032

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3528

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3440

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:960

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4564

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2340

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4008

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2164

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3180

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4252

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4656

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5076
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
e250d927b991ff71d7f863c2409f5bbc

SHA1
3f7b8c7109b20b3fc95fc97df295d4328845eb23

SHA256
1f1291837fb58f525ab62bb7b7e36f6d63504e318ae3c27bc6450f1ff9298c68

SHA512
a84574e5920f36ab3d9acc76d0e81bc651f63af761448deef690aee1275ccd113914a9dca83a1f6c526430b4ed26787a9dc7b17ed38a87b0d68833ed19ce2e18

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
596582cd3b8e36ada89f3d989ce414a6

SHA1
65598691cd9bacb545f4ecddc425dc1e2aaffc7e

SHA256
9fb7ec9258633a52a956d69255a034ecab51eb8f19b182cf527167320dd39a7e

SHA512
53767b45e988cfcec9e78dff8455ee7c27743226e972667e84cf0f698c80acba6a93ad2713f15abba62a85ec43984bc85453e388e623c51f0540e77e5d44c675

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
8bc7c67ca73f4f06deca08f135a18a9c

SHA1
a1d4ce9699917dcad54dc694d8b6a3a1851721e4

SHA256
baf88007901f7bfc646c6b282a4419593bd7aa9c387b7d86cb38c04c17f0bdb2

SHA512
2c71e469ee2228dc2229f2a8ec25d6a44fdfea45a678cf37f1f179068252d1bf828ecd02bf13804677b1558b7a71a4ee92904e6ffea62187f29ba516e714801c

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
2bf26920ad85d365b05b820af64e58c1

SHA1
e5da126147710702714124554c74c1804d77c5d8

SHA256
90172c756422e7d33174f4d1d9ebfd8d04c74fbd7cb62c3d0ac48bb5c715e8fb

SHA512
4922c37085efc87057c7711c30985304366c2eb180daecc053b3d5229d75d650f867cb129df41ab60ebc49afec3e638438952e5033eda382a876618133a38f21

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
3eed9719bddb50e860f700f1db6b10b6

SHA1
0e84bbe18c9ce20832e7c643eb04e9c8ecebbcf7

SHA256
e20127d7c24dc149a2ec195b5bbf0b5d4fb43d1a63497ad24cae11d5891327f0

SHA512
ae05ac1dce71ad62421095f85cec0af4b79f23407add2ba45aa6de22a95f3c4800840faea791e987f939a66a616e772552d3de9c87f07379eef824d24f9d372d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
38d6d222590900356c83c533d2ff48b6

SHA1
cc74e6d2e51226ea0231cd51d191d2a55f9fe746

SHA256
757ec9a976846ea067c647f5e8ea1208c31e6eca2bd873154b5b741161b1219b

SHA512
359d914678c317652b7f6a3ab6a25271a38eabf3c9346ab3435f0105a1ac796100f8557a49f52c1d08b930278077706b6c7253fb2f7e281073b58c37c37e447d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
3f5b0373c8ce87efe7b2b6b1764ee08a

SHA1
eae3b12c891af0ad76f29bd90d1125f44cf9bab6

SHA256
9f36e6aa748b2ec29f4f43cdc3a7bf234fe95c08cb183ac6879418122a8e4c3e

SHA512
72e2d706952278920386789a87c53d8fb6a5c130e511da43ef5775c09b542cbbe8a2e98266fe6b1d9be49d194c02c7cd4f92bb94f7453e29a11b0aab511b3103

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
600c7f804124d65dbca2dfcbe48e02a7

SHA1
a64dc094ffd6dd2c4a64cba022323bd78139ad02

SHA256
ba08aa5daf83bb3a4b1d5fec50e69bb6cd335b4c3b5a80c9dd312981ab1ff821

SHA512
9de5a23b11d82177009125e8a88d3032c769f3d019af7affcab97de4509a0658e1a92c293f90e41cfd24bad2edf0d37224b1b2006de7df21cfa10db1adb82896

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
223d14063ac2505e7741367cb5f6b418

SHA1
190e70a6a379ef998c8587cb8a5f45c0d8d2f36a

SHA256
c233d81234d2cfe94faf24a5f3619d16fa1328b870e61de81465433644df6ef8

SHA512
70e90b16d620a974552edd43a3d47361376249904542c5e08706df4d07c53105e138ed4795209012bf8e7486b6086abdc8e7e089184d186f52be93522b1f0f37

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
96126ea0ea66b9b4b1d6410efe91f441

SHA1
063d487f258938c7b7d9efb53a0a9bf54df49ac8

SHA256
de20991f0659c163ba70420a6d8f380b54595f0096ca31aeb19baddad1309ce2

SHA512
e968f7e2776c44d73df1c7d51a6055417db4deeeb72add663c43410119d43ea230d372453ffe8294f4228cd5e2f925f6972bd575f6595c6ef4a05c219eec4d9a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
5ff555452063855a86d61fe7b893051f

SHA1
919fc86075f7eb3c9cbd752f2228fa2cb746e45c

SHA256
79a60cb8951e86fdca86939701d49a140f02299ee3daae4d4785a2e3d7dd8f8f

SHA512
c148c5d7514823f13de1dd5abf859aa6e33a1bc0ec3510e5234c3a9aca9d4e16d84de6e141165bb80d6345747d0548ab080ea39cdc47451caa2bc5d62b1587d4

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
3cfafc9782931c1e8e8525190630db94

SHA1
ffcf804b13af7994ce6ac81027a0eee32f1a3637

SHA256
5bb9d88fa0aa38229f76e09bf53590362e93b2826a1fc68fd1dea0ba25593453

SHA512
fde0ca6db7d4557623ded0428b5679d2a2b92df656cb2fc3979743ba4a1fcf831ed557628cd30554a584fb6e993fea9c970cd259bd503e1930a29a8b2471148a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
78330c205b8ca8123e158cbc325a27b9

SHA1
0bd2df29bb472d77bdcda8e43c062335cdd4b70e

SHA256
c64a4323ce482ecd035a01debce4d0a5fea7a61db8f3876cdeb618a8a788b449

SHA512
8054f50cd0c8d0ef184eb7388f0d45eebedf6e61ad3e504c54420e873c4aeb5d19b56ec0ff539d1c54050f8962eded4258f40f50dd690818cca8a1d950b040a4

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
6a197a833da5aa5a9bbed4455c291a98

SHA1
6144378316909a47270fa84971dca2cfb5b9906b

SHA256
044318693ccf6dbd1124aed67efad85d675780c1557880eb44123922412676b1

SHA512
fca1f505e3ae56666f4d30c6911cb76bca52caa3363c428fb2cf3b2fd40059378c27a6eda5e85f91176ce315482a1a843e6559b835c29f374cc1df76d8c1c2f6

Download Submit
C:\Program Files\Crashpad\settings.dat

Filesize
40B

MD5
74065e6026611a53e5d2924d172fa73a

SHA1
2f3ae5b2a1a8301eeb66cc2d76148b15d924ef6d

SHA256
08c3ddf2cbd177242db08a37816816921324828817bf423bfb4ab9fdc41dec4a

SHA512
3247bd9e267c5af0a67badf63ab09578f5417bb6137e55c896ce9d141a230733637f1a3f80ec8109f6288f0d6957daef3f606f9821918feef560eb52c6e95f67

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
fc89c7c2cc2fd89d2cc184fa079d4922

SHA1
489b4d5bc7c16b0cd0618e1421c954e2e8a5bff7

SHA256
db4f5cc66a89da9b488cc4efc1b1de2f7772a6be55c23f242b4e1be1d8f34040

SHA512
f1fa499e000660a2bd11cfa1e555927cd0dff480d903e3c1a9560fb1aebe825161107a89e282bfff3bbfe905094dcd8b747621241cc940075e9ef37ff8f342f2

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
3deb18f675d32755f706853d835b4914

SHA1
f049ca1a4136829334b4faebc3af4f80e6d699dd

SHA256
2e15610238173a0683bb447509e4a20fd9125075e22db12c71745d88b7e3f737

SHA512
f525e8ab290b69a86c12ba800ac98c45ce575e8452446ac73078ecc165aed5d0163c228f27b6bb905a8dbcf69069fbed4cbfc6628af0b9e95e6952a4b9288c65

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
ea9981a31779132c38a623445e567e29

SHA1
7f5b1edb424c777038e78b6dbfd43e5d5e38e83a

SHA256
cab2ba4cf6d87431110c401375280c6176ef75120b1da915dac1f7ed1457fb84

SHA512
0318abdfe56e6e7e8011d2bc75ed6d884e1108fed8f7f439ed05d1132b19d79bc5643dcfcfda125c78df8b66568e48043da3d266ca98869f1f90d62db1dbb6ef

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\6e7d0381-f9d8-418a-9642-0fc22b4b8606.tmp

Filesize
520B

MD5
d7bdecbddac6262e516e22a4d6f24f0b

SHA1
1a633ee43641fa78fbe959d13fa18654fd4a90be

SHA256
db3be7c6d81b2387c39b32d15c096173022cccee1015571dd3e09f2a69b508a9

SHA512
1e72db18de776fe264db3052ce9a842c9766a720a9119fc6605f795c36d4c7bf8f77680c5564f36e591368ccd354104a7412f267c4157f04c4926bce51aeeaa1

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
a46e988a1a3e6b98b59fe89bec592936

SHA1
ce011322fd729300b7af4625e9be1c66ad6fb9b0

SHA256
0566f91b5ed3034c8f35849c76ad5c07bf06f06e9471b6e702465eb9b8f933ae

SHA512
6a6462bb16848d2835e02a43413e2bb9acd4979e68cbd40bab640e174cf1e9cc7de9f099567766b59617d4e50b4828c0d5fedba42b8bc6adc1d444af08089378

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
454cdcb306610ec5a8cf49dcbc1782ff

SHA1
2f60309abf832691218a3cd7381af067c6d72621

SHA256
934649fe9512bc95e5c007a3ad0d771a8466ca53103127da6c9ced5fb36c4690

SHA512
e7763717c75ccbd46b03be6e65710eab02d30338a7cb20141839dfcc2fdd621c73f439739f0c25956cf0d3760e35c18a180bedc896a252d51006138fd87d059c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
2a8777ed5f115932698c191c268f4340

SHA1
f4181dec474c384872f66f16468df5e19f8142c1

SHA256
9520e29e65716fbcbb1dcf4e097589ee10eca0fd6f7e2cd65d0a6a70d3201b9c

SHA512
fdfae790336ddc45db51899274a9c50e70bf6e473aa6987e102e2792985d3a4bbf909164728a0651b878d601e25e4e98d16093973bb8a35d11880cd18bf9693e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
3de7c15206f68e7fa7a1e32dd26a6417

SHA1
9c63f3685f11add097cd0bd2cbbb2a2cc65626b8

SHA256
dd6a8dd2a7a8c90274c31fa8326e9ddd53f8e0dea96bfc5867a9f08a3bf5d505

SHA512
0a82c29d8e0d2194bfae77bb6fc04e0848994e44dacb63aa5d85854c2d00d999e502d37710eb55b1ef3827931f05efc770e88b43f39a5f7a3c6fb788a6888251

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
192KB

MD5
a8cf54419129b874864cf206392ece0f

SHA1
2d8f78e5d6951faedba3257d5794227f34c50967

SHA256
b8a7649c907c010db609d7143f3f0601a385b9cf803f4b0bddb449c41151cc1f

SHA512
02a77857be5123636fdc44791f6cf7a4532fa53e34576be7f6ab21da51ef400fc138d7dda6a2880b2b42ddb22a803a1897e4f95ea3479487af61a199c7929a8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
a6601335ae9ce0aea304e58772235b6f

SHA1
4ad8d6f8011a32e41663b6b37eb30ffd949509d1

SHA256
050e00ffb07cd68e6e9fa9f771e87bf0f8a213def4aadfdec63240ddd460979c

SHA512
e6cfa12e6af40832782cc1711005f418ef65ecf1db4e39702c1b103783ad7c414e4536f06798c80b40f92031a688a08669ab4d1076feacd26a78b0a1c6bc49e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
225d65d348a79673b6918b915c9f62c7

SHA1
8e3db0556687e98e7c2b784264049a1bd8fda429

SHA256
a85e3dfd4d681f5c3b2086ab91418fb17b2e7f6f4e888fb570c65969d3c0fe4d

SHA512
4e7500b69c3eb95f53d614600382f0a78995ef23781f725040b5370c82b0bcf16ca91c73c945f8810ca508e22148f26bb7ba857201f85421922c9c71c350777c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
ec9ff00cb58aa0e64a532bff033b973b

SHA1
db8fceb8a04d7df053f3885f90d8cbe3ae6d3463

SHA256
07d682aaada7f90d5bde45dcbd7172ace00b2526651a8fcfdc8ec38c50aa6a4a

SHA512
7ff28d560e9850986406f054e8704bda88d80bebe45dc23c2b4f0bb83894c986b39fec7177480bd64fd8df30e97903771703802d6cf057e5f4a5bb3feaf35e32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
e60ea642392f07daf48cdc187dfc9c36

SHA1
d3bf88fc9baab36630f859b4ef1d8714b4e7fe44

SHA256
9dc56aa5d9c9d8ed31439ecd0b868307769d34a2d9d69f16717fd23a0dfc4d1a

SHA512
b6ca7fbeeb65ddfeaa690e381a212ed9c136bb751894c017bb43785cb45cedb0fb795df0504a182bf32a2f65c467e09d62bebd97ee4a72b1eb2fe238544a2906

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
36807546a4be505e1055e9a7dfb68981

SHA1
cbd38fb242d2b22ddf54da9be2531f8670837edc

SHA256
51791aa063106489d807d5fc85e27b027cda3424260ee2be3ea339a4bf013bf1

SHA512
b476c35699fe15a6a8d8c441873d888e4d10b955c7162eb2063ef85effb3f4cdc0a631cd53813fc1852240a43a61c52c57dbbf2020e67cfff42ab8da54fe87b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
d3ec2b80f4c16b12dfbb2c2cc7ad32fd

SHA1
4a9dc2602a7a8479be4f70af5bb3b902a23bd4bb

SHA256
4dc43f67b1474b8e95166ae2ebf813a81619ad6f76da739d6b427ebde49a2b5e

SHA512
8ee27b6f2b909a5037ef6a5b3e965f2c352a41363de90ae0b14e321ce6dfc75909b8b4201442a1c5bc48f53e21a2f9f1bf32733ca3771faa6dfe809e23b23f6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
2b352dd2c416c6a6336151c574ce97f4

SHA1
6b6f2a22fda3a44430a94eb6215d7e21183fd2c9

SHA256
b2bb35e39dade09fd61b2867a1fa3b6f406e44cc3bb74eba10c0b6184b494c69

SHA512
45a9935ed034cf0f1172107c41617529e656283a1c1bc7820eed22410d327fb7541bbf4656604c3e38cec7b2060ac0616feddd0e7e2e66fbe788b7b279a439c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
a760d1a1b2479700a21f1593b375b5d6

SHA1
bab67077a7fac486b159c6eb6430aed8a62ae78f

SHA256
dc007c2b5caa3eb097e3a2a1870f3bdb62b0f08393586109d52bbec1fa094bbf

SHA512
be5025c9cb0f20af08161f8d1567a78ac9a7ecbec0fdd738b71be061f54b9bf59256dcd1dd3a9f64f4153926a27562a0ca46c9c83e5323e96a7c74c319275619

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
fc4fec50dfce631c63aa35063a80b085

SHA1
449222bc20d49d2b81f277bf0ac156533ce79bf5

SHA256
445dc6d32e024e1c259ce1234bd4268d7fd50eb16078eb5d8ee81c59996f7436

SHA512
3d853d60fa9c8eb6fcb83290683a75c50324194b9cd7e7cb08da5de5cd6d3f6bda9fa871eab9fd7a2bfce56a8ec89ea7c78a688d02bfa88fbfa4ad596f5b2191

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
1c65ac25085c358383af794e3ffc2e83

SHA1
5962d96590688c14837890b0576b5f2be0101f04

SHA256
abd6d6883c26166964ef7535c319b9911f0cf37cc917fb6d3338e068966b6169

SHA512
6788c08ac4714053700c10412b66f8abdfeb03b539983f3d8580560f037fe2018dabc9351ad4b6de1ac50825ad3d0a3b8981a0651aceb64edafe46925271c1fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
8fe90faf5804d52237d85d79323062f9

SHA1
34d392625be08ce18ae7c7921dc7c2b93cb2b08c

SHA256
7e2d5cb96c4940ee23e36e5f5c048dc55838140c86510e55d438d43e3bc01c16

SHA512
bf38a694139bb02e98da9cf2c6782437c66fe45001a5ce62a0f878024526be6081f3f0b754b3ebdcae98ae01a96f243b2d3206cbaa3e387cc15e5b19edba19a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5779e3.TMP

Filesize
1KB

MD5
69f8a9665c8123215c07fdaa0f1bf0c2

SHA1
1b2debf8c91062f49114dd637b86a231b588ec7b

SHA256
86c766084c1d4cc90e2f55d44636498026d07c9c558963f1555f46bd392c794e

SHA512
80f64ab132eacd012ca7ff52c54a8a04687f938360baf50b4d00494e4733d242661abe0ad5bace0a026796fc953faf574be8f7a39202f8800a608eba2045346f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
415d4830b2b626da9c187d60ca322a33

SHA1
4caca09de1aaf58b246e5e8646c35395b3fc886c

SHA256
4f858c64c24b181ef1a9d52eab9f3d7ac54dc6981ebc61aadc92adf72e3f1e88

SHA512
ccb9913dfc9ca56985749d4cb9b189fb64d033e25fe5d0b9e2228c305e32a9785770fec25e808366df2640bbf0b831398e36669de8ace84176278581ad217aa9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
152KB

MD5
b5b8c8f09e08aff81961fa2a128e0712

SHA1
afd9d077781dd9a3605859ecee297e261b985325

SHA256
13b1580e182fcc4c2bbdc15d357754a4fd9f1f27c48460698a19035dcff825d5

SHA512
f327a29fadf9430d001140c02d82e00de3bae7696a10f38485ff2f8c7ffcfa8bc6eecaf78876577d36f1e9c834169f5f16fe289445a0832fa29dd36908044cfb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
151KB

MD5
bb4bd2bf4e7d8e128cb36cdb56b1e847

SHA1
9e3f40c5169c32626d68f6bd0dab3e5a42784ce9

SHA256
a6596c51a83ba518d05625a2f7bd738482ebb317e06cd5561fae59a9ba28445d

SHA512
2d31a99da576b34981ae5e40559456ddeb4fa4d5a7804c862c2fcb6dae774fd90bd155553af6dd1494ad3b82d26d08c3b13d08e616fd0a10c5d52f25414cf3ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
85dad700b7f8af696a31c0f4a788524b

SHA1
69b64c2c236e64b2d2257c03453f82fcc0f51d25

SHA256
78bb7bf3d3755726cf6e02fe8efd27f61b952f9b2deb76d6fe6b935d896406c1

SHA512
1342938e92f101e9e96cff5c401f0a9a00ae29b8565c0c9da2100ff46e101075c70ee9844d4a0187500d56c136afe0cade8114e8e4bcda04817f1ba649af2513

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
5a7d86c3bcbf64bbdf800c15506ef8c5

SHA1
763ba095c01283e0c9070ea3e46364ec4a951f0e

SHA256
e6e8d347ae59b8c5a0d3d4f260743b3647708e433c4d2a60d0ccd2ad1d741b9d

SHA512
e123736224930d6715628e3c65f318c007590832e52b3550315fd45ce7cfd3762a08634b7f2e687824b73f2ae84077f7de5b5c58c2754db597f3fa78f7718af4

Download Submit
C:\Users\Admin\AppData\Roaming\37f1910085ca13a2.bin

Filesize
12KB

MD5
968c3cec8cf9fe08200096563e553f4b

SHA1
03e6073d0fba3333385190f89bdf1099df35e82e

SHA256
1f338ee0ab22d947951208e43eaf25695c6e0025ea6e5a1fb503705f8ee75c86

SHA512
de39148084543dcc8ffc07b8f7cc979299084f9d676377991a8c0233d42c9628154c3ff06421ca4839efca50768cd6172bd541a7783ebb5789ee5de371f23685

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
24f74f5879edf265369ec39600862a03

SHA1
bf07051c8c17bc9971e20b9fdee65295d56b6c7d

SHA256
852c09b8a04b49304d8bcf71d02f5a664b8437fa805b5be49c2cf3f1495f6290

SHA512
5078a285ebcd54d2122f9cb7aaea624c941217a37f819f05ab7dd211f03ff278ea06a944447ce579ff82817644081232d9ff4242985fbfaf4072390e3889fe1a

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
75c90e86575e04ba6b8d18cb37b4e6c4

SHA1
ae14aa7be713bacf236f9b6ed2f21c9f09f3682f

SHA256
287a01d4062f036db683020247f4be6aacf42aba996a1efa92fa438cd786f5ef

SHA512
b84a726f75c7f34b345e5a5283dd05e4b4f0e14ad53c91f9e0cf449cba99e44617f380e42b7fcd85f04aac191e0b51efcb75eb1360ba239dd4e9b7d76e8282c6

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
1f51198f0045a58bf22b7a06a4e61101

SHA1
23003cf087e7d6e6724ccfba705dd782c5a41e37

SHA256
345890b228963812a7d3551808afbde60a16e3ab358d2c97e7a7fc30b954d89c

SHA512
7cb25c1e504ce7bb7bca4a3391a244fcc2e9ec6b94b213c094ab843cc186ebae5649fa3cf00609f3fd014c2c7ac0a301bd4398bd326cc2f470e5662d84168978

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
47bc1409f70e8228fb37086c89dc2fcc

SHA1
b314140149c345e1ac40bc87d692bbab182ac27e

SHA256
1bf4cbf1fcee8756050055400d2e7d6aa2680219f112a3fc8c7413bac0cfcac2

SHA512
760956f915dd09ad58373e43854aa8c047dd65abd3407bae874539e7d354e3f32a9e98706db3a64e1b0099bf633100302def880196cbbefe5e19276e6ab7d364

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
47b947efc2c9384a02c1385197bb12ab

SHA1
0b8b86dca0be42ff892c022530a35bd662b6a597

SHA256
8de7188f61f22ec10d84696466d8a5d8631cd036e66f680c24b794856248a376

SHA512
9366fb5aa211627f9a35efc7e4e5f7437097a91b69a8d8203745718fedbc88badb146222fb000127c1ffaeae4be98b1682f125a8238866080fb9eaf550dd16a8

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
f3ce0fba26247f1bd806d2fce3c279fa

SHA1
5e64bc6f53d9727e435f6af6c62294d28f714566

SHA256
17c61db79fc450e438626a88492e89ea1a1ca17c5c0fc49bf9a5184b189bca4d

SHA512
9500d539edad28bc057a1bbc4e8965d73a2ecafe3f6974c9dcd05e0ddb18afe2d8549bdae008ce18f398edbbd64e61c4261a8fa787de976adf5d3bc73d414338

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
e9fb9642dbb8bf4bfba4fc6f36299fa0

SHA1
c6754c7aba614f8844929ae5572bd6804151531f

SHA256
5560251f339999158593ec06dabf6bdd5fc43510b1f0bbda48ef308773e387be

SHA512
94dd3d398c170c45f57b4bafa177d36a01296ca2313ab8374df64fb5e078ce68aa4066c0e724ac797c3c5e52206091760d978383300cb848e6db10d1f9879b4c

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
e139227cb21b280db208089f97e0808d

SHA1
005c514b608bb399b8518056282e2e8acae02284

SHA256
623d28108f9fac472a0302fff7884531b965d7179fcacde8ff90b44917991d37

SHA512
78827d6698edec7c4a410125d767f482d78f1f8425bfc7b960935f578214192465942aa6d98acd00608e96b60691d91d210a03fd687e87001ae3bdea612a6341

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
bbf1da53e236c16149e4fae8978b95de

SHA1
9e273a59c45b7abbb931c1f9b428a82dae20e784

SHA256
592bce7d0939e6c86e3acb4e20c15f203f09ef44ad125244dc829cca4aa90d63

SHA512
c2b8858a90c1c3fc8f9b6e25fbaa3605be5ac9dad4121c510bc77e816a30877b9f1e89456c8ecc209aa7744e2a71017d16a6dce41fe661224823d5c29363e9d4

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
06c9e390fc18e21c59ed8d155204a928

SHA1
291cab6fefe5774c07a1a4b3711e737d5a0c0fc5

SHA256
4b2d9746a4564b7bffd4e76db0e0c5ba2cde29c506f9532554e3bfbb3dde85ba

SHA512
097b914d58fff9e9ecbef5b560cccbe1b023149d8942bb87fa0899fec2e1a6c3ca2eaa2b04b3ec75f7c52f0461fd31eb29056cff3c6bc0eeada35a546a413b0a

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
c6af5725853e76e685c65b28b6aecb71

SHA1
5faedd79ccddf2527169b9b54189b1898c2cb804

SHA256
2c2f8a2b6b9332e665897d4eaf4fd0024e49002bde58a46aea36a6f59177ea8c

SHA512
1b87e82732a551b238a9ab47d1ec369a63b89a0146f9aadfec3dac44d8f705be326d1cd4b95dfcc139a593b8a2900430d09f4997afaacc3befec18500698bdd0

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
7e7743a39cc843779ba086245654cf8e

SHA1
d65f085b31e01681c36fc1eb5565523ef6571d86

SHA256
b8872abde1e9222a4c18ddb8d6df03a993c804a9fb7f14ba38e6cfdd8c32dd9e

SHA512
b170729da8f4df7c47e82fc2a81703319e0be962154ed0d96e53bbae2b95bbb238e297db081930674769deb55e88dcd26097b0579c5b8ac1d3fdbacf26402901

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
be35fc8ddccbe8cddb7ad2d4d55f8e4e

SHA1
06f979a1b72e8a5be6f17b769d4cc86a38e2cae8

SHA256
f3fad51c3c8446474724b3b57915457aaddf86f5e76689b35ceb67483ef2171e

SHA512
165f53fd8c0f226bebecf5da96b1c79c5b75687c2dad6ee55c62a796ea61b4a7596f1a1818c2847d92839be3de56740b35acfd862ad0657a2bb63be67e049ec4

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
c7f32b4b655e034d94de5b2c5c3c3152

SHA1
a63ec60323c429aca31d4db3f2eeb6ca1a641e43

SHA256
583f39627dfa91fd345b9cc088b5a2ccefb553628f0fb0d319a4588c6559235e

SHA512
9e9db1090f64c5cb7b1d41470487f330174f759bbb2155b2fc9c96bf609c7ebfd8f382aac06dc2b151c18049ac4c32c5f92d0c6bcffebf01e42c8b4e3c77f5e3

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
5aa3dd6c3e3bc8bf09ed3baf956845c9

SHA1
7cbc992cf5ef4e0c571903eaaae351ef6847d76d

SHA256
6248605763c548ecf7a684c10641e9aacc0981e9157fcb3f0aee37d58254a4e3

SHA512
441636bd1e142a8a7c457a730734e1d4cdb825f8d18df368b04b021e23b9464dace7a2102a9bdb9441971513e99d2b3cd7e8a102eaa3dbf78d83a0e999b25ccc

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
c42deba927503bb4b39bf6177ec8a97f

SHA1
933fe939048fc039c0dc4ed22a0f4a0c7d6f8962

SHA256
19fe15701989e2bceea7da301c6f8baa837686b320858728725c67cc10c709e6

SHA512
5bf53316c7b50d4f7208e2c45e2d1643b0871bd0789ff13ff8b5e46203a5790869e6811d3fb029684689cf70d15ab7167e2f5d877fa57254fb0febbbe9b07f79

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
0063ad9577691f5863316b17aba996df

SHA1
e4b5b5040e79744732ab9c690142d85cef0ada68

SHA256
d71d7d3ab672837f237951ce84f97435786cbdde6d3c2379c5756c9491c843f0

SHA512
1946be4858b57f2de32958685a340f70aa5dda77f3626ed3369103d2ac64d1b3707c189b0374a4b4f2694c1ad735a900a5ef02c7d7202a5460d7432d4cb9d364

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
bb3382377cf09fe8a95e67b5f0b856c6

SHA1
b59343a358f623d764c2824977a279f6d9969699

SHA256
78a2827d811a015bb04b1d0824bfb5e32d18e1050d14f493a104801c80bd7e13

SHA512
bdcc356212f4f3ca9e479f2b71f761a990abafa4cf3e5e04fc5da749e63ebf29ee82d548ceab3c039699d9bc4754749bd1c73f50178284213101c612ac34c08e

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
124281ba55904932391a346e78e37966

SHA1
9360c185c704f07076d442cd8cae877c4b923ca9

SHA256
70173880e60203ea5d8ba117e4f003f033cfffa2a1d4bc49fdaad143810e9cf8

SHA512
2c3019549fb1bf2c54c8258ebaee46758f1b458958534aa33b6dfe68d39500824b8a855575d467b70235e3abdc4cef9ac33733768c2ee9ce1cf01fea901f18df

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
1d0b075b46051725f529761f39e7eaa5

SHA1
cea8b5f998729680bff1648f1fbacba223fb42d6

SHA256
a222a0d3185c78ff64680dcdf7e01e2f9ecc6a67d3671b70adb0ee48ca9e80e5

SHA512
5f25c57d59d58850ca02f5956a0c56419ea63869417cb9ecc6d4836025b8808a6397914aa06c05ace639891439463c5cdb5c2ceb41843214b18cd7268e3f7093

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
54d3bc35fe4d22d270d5945055bb3b73

SHA1
ec66f4258c254ca0947415464aa39a8b8e946993

SHA256
d30a7a9fbfb7d833c944c60244dc023c84e42449fd50241548d0f5e6cbbc65c4

SHA512
bf1831886cf66746ca1ff374e0d31fe91cd560ebc9a9df2957a7deefb53e496d4355e3da884c2943d437c383850123118b94dc46fab9519ae5252aeafc04c44f

Download Submit
memory/832-357-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/960-366-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1300-89-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/1300-101-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1400-349-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1400-52-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1400-46-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1424-693-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1424-374-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2032-359-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/2164-370-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2340-368-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/2364-66-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2364-72-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2364-351-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2364-461-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2544-355-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3180-371-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3312-38-0x00000000009C0000-0x0000000000A20000-memory.dmp

Filesize
384KB

Download
memory/3312-0-0x00000000009C0000-0x0000000000A20000-memory.dmp

Filesize
384KB

Download
memory/3312-40-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3312-6-0x00000000009C0000-0x0000000000A20000-memory.dmp

Filesize
384KB

Download
memory/3312-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3440-361-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3528-360-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3528-584-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3852-613-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3852-11-0x0000000002110000-0x0000000002170000-memory.dmp

Filesize
384KB

Download
memory/3852-20-0x0000000002110000-0x0000000002170000-memory.dmp

Filesize
384KB

Download
memory/3852-19-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4008-212-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4252-372-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4516-352-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4648-356-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4656-692-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4656-373-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4820-350-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4820-85-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4820-691-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4820-79-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4840-367-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4896-77-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4896-56-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/4896-62-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/4896-75-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/5116-658-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/5116-31-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/5116-32-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/5116-23-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/5200-562-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5200-706-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5800-589-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5800-523-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5956-527-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5956-705-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/6092-575-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/6092-550-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download