ef968bde544a2b301ea1723bf2cd685de56cf16a5cd532edac95419cf74ad4bb

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24/05/2024, 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
Size

5.5MB
MD5

ddde4b9cf6d316d8c6f9d8515af37f6c
SHA1

9da773f4565a45facb83f76c3040ca6da3b6632f
SHA256

ef968bde544a2b301ea1723bf2cd685de56cf16a5cd532edac95419cf74ad4bb
SHA512

c97bc5191fa790c496296678c951c4556a0db4b9aa857b19d579c4a7f720a39241a6ab60c51d62152898546029e3a3458832f5ea578159804f0aae679e13c18e
SSDEEP

49152:qEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfZ:AAI5pAdVJn9tbnR1VgBVmrnlS

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
2876	alg.exe
680	DiagnosticsHub.StandardCollector.Service.exe
3640	fxssvc.exe
4784	elevation_service.exe
3388	elevation_service.exe
2552	maintenanceservice.exe
5024	msdtc.exe
4520	OSE.EXE
4400	PerceptionSimulationService.exe
976	perfhost.exe
2096	locator.exe
3176	SensorDataService.exe
1252	snmptrap.exe
5392	spectrum.exe
4732	ssh-agent.exe
3700	TieringEngineService.exe
4248	AgentService.exe
2188	vds.exe
5512	vssvc.exe
2480	wbengine.exe
3192	WmiApSrv.exe
6096	SearchIndexer.exe
1952	chrmstp.exe
2672	chrmstp.exe
404	chrmstp.exe
3652	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9b85be0fbb5459c0.bin	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_97390\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a1d038430eaeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000019963d430eaeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000870d15430eaeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003af215420eaeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000755237420eaeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133610515066010181"	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000793e43420eaeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002b4bf1420eaeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008a060a420eaeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bbd3fa420eaeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003e8d51420eaeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dab61a420eaeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004010d7420eaeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
1580	chrome.exe
1580	chrome.exe
4652	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
4652	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
4652	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
4652	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
4652	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
4652	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
4652	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
4652	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
4652	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
4652	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
4652	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
4652	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
4652	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
4652	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
4652	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
4652	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
4652	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
4652	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
4652	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
4652	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
4652	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
4652	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
4652	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
4652	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
4652	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
4652	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
4652	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
4652	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
4652	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
4652	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
4652	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
4652	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
4652	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
4652	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
4652	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
1580	chrome.exe
1580	chrome.exe
3452	chrome.exe
3452	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4600	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
Token: SeTakeOwnershipPrivilege	4652	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
Token: SeAuditPrivilege	3640	fxssvc.exe
Token: SeShutdownPrivilege	1580	chrome.exe
Token: SeCreatePagefilePrivilege	1580	chrome.exe
Token: SeRestorePrivilege	3700	TieringEngineService.exe
Token: SeManageVolumePrivilege	3700	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4248	AgentService.exe
Token: SeShutdownPrivilege	1580	chrome.exe
Token: SeCreatePagefilePrivilege	1580	chrome.exe
Token: SeBackupPrivilege	5512	vssvc.exe
Token: SeRestorePrivilege	5512	vssvc.exe
Token: SeAuditPrivilege	5512	vssvc.exe
Token: SeBackupPrivilege	2480	wbengine.exe
Token: SeRestorePrivilege	2480	wbengine.exe
Token: SeSecurityPrivilege	2480	wbengine.exe
Token: SeShutdownPrivilege	1580	chrome.exe
Token: SeCreatePagefilePrivilege	1580	chrome.exe
Token: SeShutdownPrivilege	1580	chrome.exe
Token: SeCreatePagefilePrivilege	1580	chrome.exe
Token: 33	6096	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	6096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6096	SearchIndexer.exe
Token: SeShutdownPrivilege	1580	chrome.exe
Token: SeCreatePagefilePrivilege	1580	chrome.exe
Token: SeShutdownPrivilege	1580	chrome.exe
Token: SeCreatePagefilePrivilege	1580	chrome.exe
Token: SeShutdownPrivilege	1580	chrome.exe
Token: SeCreatePagefilePrivilege	1580	chrome.exe
Token: SeShutdownPrivilege	1580	chrome.exe
Token: SeCreatePagefilePrivilege	1580	chrome.exe
Token: SeShutdownPrivilege	1580	chrome.exe
Token: SeCreatePagefilePrivilege	1580	chrome.exe
Token: SeShutdownPrivilege	1580	chrome.exe
Token: SeCreatePagefilePrivilege	1580	chrome.exe
Token: SeShutdownPrivilege	1580	chrome.exe
Token: SeCreatePagefilePrivilege	1580	chrome.exe
Token: SeShutdownPrivilege	1580	chrome.exe
Token: SeCreatePagefilePrivilege	1580	chrome.exe
Token: SeShutdownPrivilege	1580	chrome.exe
Token: SeCreatePagefilePrivilege	1580	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
404	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4600 wrote to memory of 4652	4600	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe	82
PID 4600 wrote to memory of 4652	4600	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe	82
PID 4600 wrote to memory of 1580	4600	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe	83
PID 4600 wrote to memory of 1580	4600	2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe	83
PID 1580 wrote to memory of 1676	1580	chrome.exe	84
PID 1580 wrote to memory of 1676	1580	chrome.exe	84
PID 1580 wrote to memory of 2880	1580	chrome.exe	98
PID 1580 wrote to memory of 2880	1580	chrome.exe	98
PID 1580 wrote to memory of 2880	1580	chrome.exe	98
PID 1580 wrote to memory of 2880	1580	chrome.exe	98
PID 1580 wrote to memory of 2880	1580	chrome.exe	98
PID 1580 wrote to memory of 2880	1580	chrome.exe	98
PID 1580 wrote to memory of 2880	1580	chrome.exe	98
PID 1580 wrote to memory of 2880	1580	chrome.exe	98
PID 1580 wrote to memory of 2880	1580	chrome.exe	98
PID 1580 wrote to memory of 2880	1580	chrome.exe	98
PID 1580 wrote to memory of 2880	1580	chrome.exe	98
PID 1580 wrote to memory of 2880	1580	chrome.exe	98
PID 1580 wrote to memory of 2880	1580	chrome.exe	98
PID 1580 wrote to memory of 2880	1580	chrome.exe	98
PID 1580 wrote to memory of 2880	1580	chrome.exe	98
PID 1580 wrote to memory of 2880	1580	chrome.exe	98
PID 1580 wrote to memory of 2880	1580	chrome.exe	98
PID 1580 wrote to memory of 2880	1580	chrome.exe	98
PID 1580 wrote to memory of 2880	1580	chrome.exe	98
PID 1580 wrote to memory of 2880	1580	chrome.exe	98
PID 1580 wrote to memory of 2880	1580	chrome.exe	98
PID 1580 wrote to memory of 2880	1580	chrome.exe	98
PID 1580 wrote to memory of 2880	1580	chrome.exe	98
PID 1580 wrote to memory of 2880	1580	chrome.exe	98
PID 1580 wrote to memory of 2880	1580	chrome.exe	98
PID 1580 wrote to memory of 2880	1580	chrome.exe	98
PID 1580 wrote to memory of 2880	1580	chrome.exe	98
PID 1580 wrote to memory of 2880	1580	chrome.exe	98
PID 1580 wrote to memory of 2880	1580	chrome.exe	98
PID 1580 wrote to memory of 2880	1580	chrome.exe	98
PID 1580 wrote to memory of 2880	1580	chrome.exe	98
PID 1580 wrote to memory of 1652	1580	chrome.exe	99
PID 1580 wrote to memory of 1652	1580	chrome.exe	99
PID 1580 wrote to memory of 5004	1580	chrome.exe	100
PID 1580 wrote to memory of 5004	1580	chrome.exe	100
PID 1580 wrote to memory of 5004	1580	chrome.exe	100
PID 1580 wrote to memory of 5004	1580	chrome.exe	100
PID 1580 wrote to memory of 5004	1580	chrome.exe	100
PID 1580 wrote to memory of 5004	1580	chrome.exe	100
PID 1580 wrote to memory of 5004	1580	chrome.exe	100
PID 1580 wrote to memory of 5004	1580	chrome.exe	100
PID 1580 wrote to memory of 5004	1580	chrome.exe	100
PID 1580 wrote to memory of 5004	1580	chrome.exe	100
PID 1580 wrote to memory of 5004	1580	chrome.exe	100
PID 1580 wrote to memory of 5004	1580	chrome.exe	100
PID 1580 wrote to memory of 5004	1580	chrome.exe	100
PID 1580 wrote to memory of 5004	1580	chrome.exe	100
PID 1580 wrote to memory of 5004	1580	chrome.exe	100
PID 1580 wrote to memory of 5004	1580	chrome.exe	100
PID 1580 wrote to memory of 5004	1580	chrome.exe	100
PID 1580 wrote to memory of 5004	1580	chrome.exe	100
PID 1580 wrote to memory of 5004	1580	chrome.exe	100
PID 1580 wrote to memory of 5004	1580	chrome.exe	100
PID 1580 wrote to memory of 5004	1580	chrome.exe	100
PID 1580 wrote to memory of 5004	1580	chrome.exe	100
PID 1580 wrote to memory of 5004	1580	chrome.exe	100
PID 1580 wrote to memory of 5004	1580	chrome.exe	100
PID 1580 wrote to memory of 5004	1580	chrome.exe	100

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4600
- C:\Users\Admin\AppData\Local\Temp\2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-05-24_ddde4b9cf6d316d8c6f9d8515af37f6c_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1580
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9a06bab58,0x7ff9a06bab68,0x7ff9a06bab78
    3⤵
    PID:1676
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1936,i,2622678276148265921,12176053229113624683,131072 /prefetch:2
    3⤵
    PID:2880
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 --field-trial-handle=1936,i,2622678276148265921,12176053229113624683,131072 /prefetch:8
    3⤵
    PID:1652
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2256 --field-trial-handle=1936,i,2622678276148265921,12176053229113624683,131072 /prefetch:8
    3⤵
    PID:5004
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3068 --field-trial-handle=1936,i,2622678276148265921,12176053229113624683,131072 /prefetch:1
    3⤵
    PID:3760
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3080 --field-trial-handle=1936,i,2622678276148265921,12176053229113624683,131072 /prefetch:1
    3⤵
    PID:3464
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4356 --field-trial-handle=1936,i,2622678276148265921,12176053229113624683,131072 /prefetch:1
    3⤵
    PID:4908
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4008 --field-trial-handle=1936,i,2622678276148265921,12176053229113624683,131072 /prefetch:8
    3⤵
    PID:1496
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4540 --field-trial-handle=1936,i,2622678276148265921,12176053229113624683,131072 /prefetch:8
    3⤵
    PID:5640
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4624 --field-trial-handle=1936,i,2622678276148265921,12176053229113624683,131072 /prefetch:8
    3⤵
    PID:5276
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4460 --field-trial-handle=1936,i,2622678276148265921,12176053229113624683,131072 /prefetch:8
    3⤵
    PID:5644
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:1952
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:2672
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:404
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x2a0,0x2a4,0x278,0x2a8,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:3652
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4184 --field-trial-handle=1936,i,2622678276148265921,12176053229113624683,131072 /prefetch:8
    3⤵
    PID:2856
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4740 --field-trial-handle=1936,i,2622678276148265921,12176053229113624683,131072 /prefetch:8
    3⤵
    PID:7080
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4184 --field-trial-handle=1936,i,2622678276148265921,12176053229113624683,131072 /prefetch:8
    3⤵
    PID:7088
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4880 --field-trial-handle=1936,i,2622678276148265921,12176053229113624683,131072 /prefetch:8
    3⤵
    PID:2140
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4848 --field-trial-handle=1936,i,2622678276148265921,12176053229113624683,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3452

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2876

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:680

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1980

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3640

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4784

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3388

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2552

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5024

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4520

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4400

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:976

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2096

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3176

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1252

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5392

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4732

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2668

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3700

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4248

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2188

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5512

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2480

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3192

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6096
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2904
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
51addfa20975fc964cd3ac45fa231d26

SHA1
a7b655daa06f989fda855050bcee01c658318c65

SHA256
db2ab673e20b834d93aab6f25e559373d846d0a6a826ef79dc01cb73d65aa570

SHA512
4be205cd035fd78962be0acd39f274eff77d83def3ab6fa33e79d8e4b7b143f261226842673997f390bcde0c5764454efbb1e189fd99c98a785399c132494cff

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
6441bc47b0855bf40febdfd1ce77861d

SHA1
b24881164edcab2f81e82eb8efd3d56d9ae7c69b

SHA256
c65eb1798382eb13af9d59c2a2ebe3eeb3572fb46310ab0fcb6eabaf39d7e021

SHA512
5087ec11f73f6bbded9ca27eeb0b561aeba0acf2e7c2835521fc37a6a8dab501e376a5a5ae6086cfc2883481d899bc96619ba775c726470bcaefb07913d13773

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
0d3243913916330441d445889f261429

SHA1
ee28fb569417331da6ca9451531ba33f174c5f8d

SHA256
1e36ee6f710eb82067cd97eaa7bd517b89b4a83df8b78fd5d7ed74d31abbcb98

SHA512
e800b108bc31ac594aeba2b652c5f385edc3bd425bad335ca9fe6589a0ba5941e12b58c5a2d27678a57c709f806c53dfd783f84d4990884cdbe999cfe7296ebd

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
4a692668fd9c8e523a97e5687d4ce8dc

SHA1
4454187381693829caa3e4c5c3e6e521ba94dcea

SHA256
fcd2083c435564074811619b1b8376eff6a28f11ac19d454981eda6d1dd4762d

SHA512
f4461fa425f4ba485158de81944200f579125ee6adfd8b262677d2f62a44f2f7618350f3bb643ff5a2bac9eec8242286a11839760a1c802deed1754731e33e78

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
60fbf435f0a2c2f138c72c1ba0bcfe46

SHA1
f8e58f225af6ab53e08de8b85bb91faa881c5043

SHA256
06b9bb3403ae835056565ae4f6393138c5fbefb7656fd879bf2c75b63b5e56d4

SHA512
78c27ef73e150fe1badf5f30d3960e9ff16bf819c23a0e7ed2528d69d5a60d4f6cc08fd32c3c35041ec836116a6b249085250c42127c1f555e64c82c5cec731f

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
d45525fe3558bea8dac34a85cf6ed9b9

SHA1
616663ed8d980fbc74877eaf3164ed12126653dd

SHA256
3e82c55e903f67ec835c80b5c648b8c8da402f95983d263c02217dba7fe18165

SHA512
e31faad43e841298f9b8db4aa5b1e21c640270c0240f039730e6a901da03053b6a693a768e8659eacce4d394bb0c25d460c79ebca37f941c2c4788f10ebabb16

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
e0b53db99af85330d64385587e761888

SHA1
e240f6725342373b05366941fe4ea22c973addb8

SHA256
ac13caaa83ec8ce960e70289a474c880e8da44ea707ba55c8dcdfb3077c757da

SHA512
18f155d7fdbc326f93411185209e38537d5fc2b3ab1885ebd1137cd5ca8f0d3005440cf1ae2eeb45c9569c7f773ee7ac8232fbb4bcb84af1143a696c3cacbb39

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
22dd531f75a58b41143c2206ca5ba534

SHA1
3b44aa0461b39faddf750376d86ed5aa3d9e7c34

SHA256
861760a7aa1e03a8d319e9b8b7e39f4ead12975a74d7bfa11ea76edf153d9e46

SHA512
b0f56a4936b9ade893484e1a0a0d1f78ea105f712b6ab80d74c9d2fd4ac34756e38e0fc59f4b9ee3ac346be205ecdf6f2719eac705f9a223b0a4c675edcdc572

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
47beaead964b62c3e9d8addd7fe9c85e

SHA1
b41c4fa90bbde8daa91bd75014baf5751438719a

SHA256
627fa32016c6c28f225da65c010bd72cd389abdab8f1c8ab58c96560ec145c51

SHA512
ccdcf7aafc2ece00bdfc4375dbd73ce4d7a2c31fc4aade3ae0ebc4dd6a878144480fd468217c47d3bac609373a047a7983971973e7afb48c1d790127f2365750

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
c79c580a728f36286fe4393be7ced086

SHA1
60a974623dafce14373c8e9b7866a1a08a733460

SHA256
55efab393eaddfd9bf954296840498bc0d1bb6a82f5c2d8679d2db51e3f43fe3

SHA512
4f25b1fe5d348306b96d202c68bdf0e0f261db82ef10f1c42336f23aadfb95f03a28ee4a62630a4604aa0d7d90875dbd4a99e9b7f6dc4a69b0f2b64be570f8b0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
a736723a19a6848f52e290fcec2a38df

SHA1
a4596ce6d28f681507ac4424d445f71615feef6a

SHA256
7798062e1fd561065844642236a024598f9582608aeb9e8e0bff258425eb1112

SHA512
dfea5dbb7658c7494ddef997ca18dc89123ae35f89eba292ea7a73c2812a82741e10a5652b1ad872eb6ce2829edfdb65f03c0c74c1badb732fd1226373dfde9b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
c6a92513bf0398e2eec27928a3c3c0bd

SHA1
fd204d5f0b7046c60e79bdd66768ad63d8625016

SHA256
8401f0afe9c32b7f5459635dbf311cf8f99ed48c6bd2535063da34e93dfcdb4d

SHA512
e9f137b603f9466bc1c5d0b9a603ab013b561b2c218563dfc8a18855b7aff4b2bcead49716b6fa80580726b928076827168fcc5d6ed5a3b47676c13ae36d314a

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\c74f5e18-6ed0-4302-8318-35d69f834f1b.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
a1e0a4e292a7366446c473bc2672863c

SHA1
eb2f235ddd08d81cf157ec5395f11c562788bdd1

SHA256
335b661fca27178cd288d83576d1833b6619d5be4912da8e2dfc4e34bfc0e9e0

SHA512
e6e168b8f1047b1bfc0b83b6c0fd2b8f45449c0fcfeccbdfadfb49c71e0ba474a6735ed1ed72f2a999e1c36ee6741966cdd62f949b1b9a5af48f87ba0140eed2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
772424160a740ab46f10d75ee3f72e87

SHA1
ce1d08ca4145f6a14ce3727642af5a997f73d1e5

SHA256
00ee43ab7fd127a5e0b86cb4db053f67544834eac165db5b54f4b1d406952b84

SHA512
920600c6e67f96b735a40de5e0c4bc1c585f49dc7e92bb07295bc0fed6b1ec3814f5813690d169d574b7184a6cad67cbf97718c224b0cd95cf7df239ab536d88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
6758e910c1d728c95ce26c140c383aa3

SHA1
6d15cca6850de60e6d60570837ccc8b447b37a0e

SHA256
9ae5b89bff6623b90df27e97414258d115dea3db8845d15ba6592681cff75c54

SHA512
6aa5ee1ad6f626880154c14a23377420b9e6c48516855ce33cecf187847bd0300e2c1baa0db4a9c1f0b411c1e97b35d008c270a27badcf3290ac379af861ab34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
bd5a1dae01acac5074dd30f391bfe545

SHA1
ce755a2efb3fbe8d483b663d369b2f0a3fb3aa6a

SHA256
7fefee111c3a5059e1554581454b84b91825f8120c4d3f9a55ed4d6086272ced

SHA512
5b51af284b8d2106bd4d5b38cefeb2087c4670d0bfdf2b7b1406949ef1b169647cbc7aefc6a3205873a39b26750360b018c8777fbedaf442095857053812f518

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
71276dc2315ed08bdb24360452e051fc

SHA1
7f6a6597135c7add24749c10a0cdb411d5022310

SHA256
7f479554a7c32e6188e852336584b4908c2b542b5470249901939f2eaff088ad

SHA512
76465f5424d93d0bf3fe710f87355653e4e01ee78b086ea8d7ca58d34616be04386d44ffcf18c60d44b9873822a3f3f59d7d95e979ce88aef9ce204184b27a92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe576225.TMP

Filesize
2KB

MD5
62ef0b2d931dee49ed513961ece66048

SHA1
75ab8dd2d029abdc0701a541bf3076082b6e0c26

SHA256
2363d110b62787968a21ae43497d60d50ad3e2a713303aa36834d810f996344a

SHA512
ab8379f396349faf8b51cd6ef4cb31c2d16da749b9902654227175423872fa6d81447d28926892602644a35b30f8bcb9412ee90b0eea93108cf6eb1b8dfbea94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
2a03acd4193c160baeeb26d51649a1a0

SHA1
0e1e269c8e69a7ede67c75716afc28fb68a117cc

SHA256
7a40f0d2869414cbbf6cc3e1146ac01f3368741a7cc46b14c4e7c7b3356df95f

SHA512
1bc565cc1df8f063c55af840c7dc0f64d2b561f03cb6d3699c13d0701cc82cedcfbaa6a21c2c9cb9970a8937abebc797f3a839b31d718f8b3a0add18c4231c2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
131KB

MD5
ebd1888230659103e664793c25619611

SHA1
02011ea7b2898acf8484d222a45381e207334666

SHA256
d06d93a2fd0a12ddbca047c735c97433d1408bd0b9b4b834350d4b948fbe4b18

SHA512
f9ac05c9f6d5c262c5c777cc2059ed77fcec41db36195cfb9ddff42f2007f816b686a7be552588ebd5c9a4065fd872899dcb232ccbfdb8a586476ff609dead22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
262KB

MD5
487be77f2a84c0b86e3067cac0f548be

SHA1
37f9e13e54b5b2b5ff978c6728bd4474dd81a21b

SHA256
665e548c8f8ff5ac6a3aeb83a1a53d3fb74cf11280b72e6e12f7d5a3aa240086

SHA512
17c7cc2eada8038b29f53d6655bd1a60485d3a716cd703fa776ae9bc59c159637ef9598efda3d86e3bed5bc9b82e60ebf4a6782d1177bd5fa71b093dedecb569

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
283KB

MD5
6cf9408197b77a90344b0dafe1837a58

SHA1
90f169f5dd1a38697a031d055ff857497d27a7bb

SHA256
2d26a64cfbc79880415a70f97f27b00f1d38034f23da70bae77ef91ba0d6cf0c

SHA512
9f5cd94d7c033fc5bc02d7638a075174c8fe16d9b8cf6347af2f1e288e28b367e023469299a8a79d0fa91e6287af765a15cde22d15e9b10c083c6af829fee5a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
262KB

MD5
04694df7418d85032c717919bf2e9ad0

SHA1
e0432dd45f01467d4156c376af19827f32c85384

SHA256
6d4cb25c359a937aa11dc4f1e1d0d7d29785fd5e3d19c33e3e5cd2b9e4116c6a

SHA512
658e87240ea74423562d24991d23e187984431f625c80da8f70117ea5ad867046313cb982f4e32240a1a48cc7838ef824e99d940970992ed2b5e8019ce2fd5b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
91KB

MD5
10d13fbc1ea2699af16b14791975a7f6

SHA1
fc5486be86d9b152a5542a2d5245f556bfb906ac

SHA256
04247e9fe4b171f35661a23ef2e1445c0d1ddef5ca6d8ad1bda70e2a886a36ca

SHA512
3faeb631bd03ecbf7ba9858bd89e838530a9f426007a7bd017525cedbd75fdb87805f6b71a55afd58f2b3522bce6b1c277807cce79ae5df6ac5ecaa10f00c29b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57d764.TMP

Filesize
88KB

MD5
48e14d20eb51f07e78836f31705648b4

SHA1
7052ac4df5c9ffc818d179921f9f89b2f4271369

SHA256
ee83be67c0dbfbd7ccd95a1f9199b89c08be1ae3e068642039b7080a62909201

SHA512
4dbe1894fb2c76088f79a4efa61be2de58093ef80ebc2ca381e3a341fb8e990c729e6925fe5619c3fe09e3e5e45fe945412214211578086e3db348c7bf5edd61

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
7d5feb650aecdc715ef6ecb99ee2c7fa

SHA1
ad19af6b463d128ba03e79c9868f5c9522ff17ab

SHA256
ec0591f0e1579c3547c9034dbb1e8f6f4512d0dbe05230f7cf7b100c93cee061

SHA512
b014eddf872f4d53c2e29d36a544ef241be1a2d10f91f7939ccdff80ad93026d50151b76ae6675e5f963c97fd452f5955975ef0aacbef3c99d8adf2289b5139c

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
fcf915bcd704e0474dc90fbc83cee45d

SHA1
84a27b37d8f84adf5c0d732e92fcbb004f3e0a3b

SHA256
d55af656e22907ed8f2a5da59769f52cfbaf4f97f13114e89c312a6a1d34a964

SHA512
8676c0ec38fea23afb3b8cb30fb12b0739e61622006e1ab7414c6bf1dfe3690ec6af69d785cedbaf929c7c0f5e1af3bd7682596d30dc9e727154506051fe5208

Download Submit
C:\Users\Admin\AppData\Roaming\9b85be0fbb5459c0.bin

Filesize
12KB

MD5
0390416141e9b9c17f441b4e313aeafd

SHA1
3b080c67cb16782e8cf7cf48763ac7e67dfe411a

SHA256
6189ed43b1d749c74f0c3283f0d8983282a4c703c7d8f7975ec68f36343fb96a

SHA512
0bb5b3cfac823f32e0f68497aaea3d8cc6f615ac12c2981c064e5e0bd696194903f30b5591b636bd3c75fb5e7692928ed4b26b3215b72ea4b641b994e720a15c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
0200c4d6a85c6d8ae26cc46fbf3d80f2

SHA1
1ddd1f606d33b03f19ff1eff0614febaeafa9527

SHA256
df02c5939d046debd5350ca02af7ec81a460efe0e101499a2efa70683e960487

SHA512
a6aa8f3668f46a4d6b661ec9af14343c337da9b8b3a78ea15b25a5ab927723b9812cf96d59f9c64fb173d49fe739563b528aa92289d85ee86b1eeb413c9a20e4

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
1a47592d1b64fabd94533adad3a11fce

SHA1
12d21271a11dc1b2e508e400b3a675ceb703e00d

SHA256
028ec84db2df291dfd611c091a62a8d4e85eb17a7c32d50c0dd0b51294985f9b

SHA512
c766e95fe46c9517a73191892a3bc7a9f154f6b372efbc3025264d42dbcc15b0a6c16f28a457c7b3d42d8667a8dc55cdd0317c6222ab8f0d62396a1b6da5848f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
623fc8e0be8f55a3858ef3fe5246dad6

SHA1
6fbb4aad07db156a0634e24affffa547173becb5

SHA256
8b7ff3af45a11a9533a40fdc6c09439eb1af469e065484641eec48e1d5aa35e7

SHA512
a0ca340bee0e9cf803c33a810e60085430b7e09e77c60fc79c593f936953272e1d3673df4917a3bd6192e8abc675ee184c6090d770cb346af6ace36ed73d5e08

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
a1b31398c9e3a6616f1326788b8c173c

SHA1
c97f54e8d529c281a83dcea88dae4a9ef8f2937b

SHA256
a64edd1842031e8ab38fcb195eb7c791012b831fbfcd924268cc93fb81a59b65

SHA512
95f4f050e60de4d96d81c5cdfef8097fc145fd2ac6ee0da56e54bbc603f31ad218bac9b734455292cab8ca7a8dea2606c6d721fc88a3f04dd6829997077f2867

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
3b5bed1757053db55b0499d751614a32

SHA1
7115aa59740ad40a23df0cf749ac6d4382d6a454

SHA256
e7b21685614f108dea11204aef8366d98301034f59c06c3c6b0e5c85d523b7b8

SHA512
d9a7b419f88f60d0e459449097d6dbec7ba850364051cab18895fc1db13934644893fd3c957cef6437c65154535ba721ca711a41f05839a2b9c0e9e20066265c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
fdb05ca5e5af5641d99d3d7f4cfb3a3f

SHA1
878cc81649d73d7ffc3bda0f4cb9f0a166513438

SHA256
d70fc0876a714d0ede2b1bb82d4f0f894d557941da2d982eac0d73b26def93c6

SHA512
4b408aec3fbf2eebcb316958e933fc5fd1670b157b705d0f25128dff2f4200bb8684fc623d273aec6e5eb253eed255d79702ade7904c91e33ffd933de1c7b0c6

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
195d3191e110f2eb2fdd59f9770d5eb4

SHA1
0fecd12bb1c73833ec49aa1e67aa8b8ea40ec691

SHA256
a8c83b7b8a269fab8e30f74009e5086d08f232847221bb2eda73b8bb3922af6f

SHA512
9248ca54e3ec337a61b8ec870343025e557b38d4afc361c508df3a24f9d08fa68e22bb6ec0d85eeec7476912001c2c5bf41e7e6d96958f122489cd0ae4e0c2ab

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
13d045f8d5f5d5b9c86a04e7f04f22f8

SHA1
fc7e6ea3e69d70ef09a0e2c75866d50064f91216

SHA256
63d6744be64a580ae2882dd3e50dff9b82bc4df063085f592aad355fc7fdad5d

SHA512
e43e11224804bac0faf2d52e7b3a7e74f350362e592054658e3cb90e9077aa7ae5a22659e778dd4f59f59017cc8f8d3f6eb868c233d93c7b6b23ad05da4c8689

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
f564a8393bf33a3ab4eb0faad07cd648

SHA1
b7805ef77569ab340219ab10ffe55a7827ef81e5

SHA256
4806f096833981c1b1a61920b3aa2b253fa45f79ec99ca8e3408140967e9f2b9

SHA512
52a334619280b3b7ba83fcf6a97912e0ad245948439d6328a5dff071328f8f4789b3b76b4258be27a5398485efc5a29eec81cc2f800c8bb0f376e1a8693706b8

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
1a5d1fac9a176770bd3c4f3da3ae3836

SHA1
92a946b7ba1910e5f219e5cf836897e486b40083

SHA256
1ccf9625824912cae26fb36cfab529aad0ff931f769d4cbb27582cca16b086fb

SHA512
48f2310690018786d85a4f59a1b17dd1413eb5bcc4bedf7cb6d2aebec8ba3b2470d76ae2425d58810cfcb8a8d4850e8b3c19e08c4359633e32bb90586b828ef0

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
d2e4f48d118b066256b84e9360d92a0c

SHA1
bc643cc23097da87c9e9a8616568e727350c398c

SHA256
dbc45fd9dddda465c72509624d784cb197f98d38eacd9dd5e688ab01e9e66469

SHA512
c8c89d8876c11b9b570919cad12c870d6bd98d6bc418ecc145b08ed423d908c9a6fe49ef3359676b4435d6ab2c8a075c0285cda240599fd4d412ae58016ef18f

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
1db86767345af42ebe2757b69c74a015

SHA1
949e749c679a387642510f19772ae06aa7bda667

SHA256
2cc02033c18db02b15abc3331841ed6d0713660fbabb123fd75c2749e7f8de86

SHA512
0cf5c24c0b0edf4e3af95f9e6b97e2df1ab0846633d81fd4baa0dc1fa93a11d86f9a665c20546a81c2c51711d5d93de07937f87fedd9dcf9fd9d2f83d7867d8c

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
ae84698dd2b4dfa0a3d8ea6dfae8616a

SHA1
b7d591b25ae7feaad523c698d17e86bf071722a0

SHA256
7f1511b5f6383f9e35a45b7e9eb57548c1f1dbff94abfd03b0d78adfcebbfb4e

SHA512
5085a999e9c0bd48a8e8dee42e9c5816e8b14f76946b2babdd84d8af79ae83d6c0e308be231bbc0293d9849ab7c533f332155afa04ee20e22bef86e9e7b36836

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
99ac35f7a972e4c196f7e304d0d3b083

SHA1
455f97aaa8b9e3d06dd28011b841c9004a641a39

SHA256
5effe764d15da75c2c98fbe152f9beff5e34a8e59b9acbc859089959fc5aa656

SHA512
d7c0abf4c780b44d7dbc9001577b1822eedc824c25f6f13219f7fef91151b63c505398a268dc3b3c1e16576f3b2f1026f980530d8fbcd88c11d4edaf89f785f7

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
cee28fb53112403aac5c4840a3d1a221

SHA1
8eae8a0df0be1fa0d4890f4aedabcf3898f6053a

SHA256
2839a89dc30c712323cafb958f219bf31805fb864e7eab9fe4941b0af262995b

SHA512
78769dcabd050a29662005b60eb5f48769b3deae8485eddbbf4dd2c30d0e482f17a86ba2bcb24da0e8884200c5dd91acad9c888a63b459dc849d8e02e46ec248

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
bdb33e3bd0df0815430ddfaaae8bab8f

SHA1
c48426f23326f805a78b12a285753d45819d3631

SHA256
bff9a9b51a91db8399bba3c8aa949f655f80a3ba2acc5d262898e6f1583155bc

SHA512
193568c251c4917bca078218f367063d7b5b688d8e9de6b94e7c8bb16fd0b5403a027c7c4d15862d58e3589e0307568d8b9282b0b009cd85e3082019c5a48169

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
6836d284ab6cee6f6a5a59bb5727bc9c

SHA1
e7cb95c7f2caca776ff36a187688dd42f256d1a4

SHA256
8584de6d5297d6c1b3390d30c59663543eeaa02bb7f6f4ce9b3c311ceaf2323d

SHA512
94710f49548f265cdd548ec1ec38546783b16d0979b68fe0ea0bb3b6be452b3c2bb29f744a9d5dc639bffd67287a38eabd1088171048b50a25033cd0e1bbbc77

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
7d3b2a1d80402fa792ba4e1d0820b7e9

SHA1
cd4b58b9ebd0f6479390a41a0ce24e12f970ca21

SHA256
4681d52edf4fc2dc179c520014579739914ec566003e5b325e730e06a91a0e4c

SHA512
707450db4ec3d4f1d8bff97a55155a68c376bbffec0d56432e9ebf34c7ce1231efc2a984bdf0824adb77b5bad161dde2aa2b732b31d66a0b0c3994066c0443f7

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
257036a0fb3d2768f2801e5d32b9ce30

SHA1
0634d123cc54fe889f179f59136e47357ff7f7d3

SHA256
fe6257986f35787b1ef9628e36a811d3484fff46899b61381086da82e363c462

SHA512
381a451ab3b3c97eb3546554811f0784e5341a7f668b9ceb41dc077d34ebd26fbb29b2e0ab21b2a52b8637b3998943c14ce60380b8525378d37ccdceb0f0e5a1

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
c006471298e440a8122e2cb4b623bda7

SHA1
bde6b7927bc65729d25b2d130be8a12499617e2b

SHA256
2b974a1480c07eef0c506e80b35b6553187d62c27c9457fc4dba7798c133fb7b

SHA512
6829122586179713874e6de4a3fc4e3ab42d424624508a2323917a0545a4b4a09b2abb67e15dfe04b5c58202f216bb36d753edcf6629d5ae66025726dd2aa76a

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
ef0381e2ac3eaa2c05a2d2fa80bdbf4f

SHA1
6c5bb899424df88ef7e37243bcbe500d76c6aa93

SHA256
f6dd984d2da43d0fc3c67db70d2006a556636bcf276e677d6a8daf268b97a76b

SHA512
91d7b759ea9669bc1544023d86d9f5d94e9468e0855c827bdba11f1266f4366f7aa5c4309e4a3b946fd56bfcc1af53ec9498b0df031682eb050cd56a29c8acf8

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
85e6c94ecff6f13fa46d5c5c95e23e0b

SHA1
325097ba018ef16f97a11c71bd552e346ea33924

SHA256
47af7f9c5bf697e2cbf265e90a56943dc702da3401576c0f26bfa9083ba9fd1b

SHA512
f100ce0c22c318cf764a18bb29fe20dd972e8d0e9c220c6dfb232c5de0e4953970db6688d9dde65058aec28dfe0e26046cfa8b55cde7bdf43f0ef4cf5b21ccc9

Download Submit
memory/404-598-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/404-556-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/680-53-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/680-54-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/680-45-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/976-164-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/976-279-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1252-507-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1252-208-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1952-519-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/1952-609-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2096-178-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/2188-646-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2188-265-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2480-299-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2480-657-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2552-94-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2552-107-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/2552-102-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/2672-545-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2672-745-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2876-28-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/2876-180-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2876-36-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2876-37-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/3176-179-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3176-325-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3176-622-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3192-658-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/3192-312-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/3388-92-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3388-249-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3388-83-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3388-89-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3640-66-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3640-63-0x0000000000960000-0x00000000009C0000-memory.dmp

Filesize
384KB

Download
memory/3640-57-0x0000000000960000-0x00000000009C0000-memory.dmp

Filesize
384KB

Download
memory/3640-78-0x0000000000960000-0x00000000009C0000-memory.dmp

Filesize
384KB

Download
memory/3640-80-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3652-577-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3652-751-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3700-564-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3700-250-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4248-263-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4400-153-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4520-278-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4520-129-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4600-22-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/4600-0-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/4600-41-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4600-6-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/4600-18-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4652-177-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4652-10-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4652-19-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4652-21-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4732-235-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4784-68-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/4784-76-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4784-74-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/4784-238-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4784-234-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5024-119-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/5392-524-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5392-221-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5512-280-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5512-652-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/6096-334-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/6096-712-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download