13c88eb1100197a2db5ac09f33134f09e4ed9b3414d2ad33dd1bb41f9f63816a

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/10/2024, 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
Size

5.4MB
MD5

5c5caa62947625786642442365ede125
SHA1

c19377c42c3a30f2506a058e1cd687cb7aa248db
SHA256

13c88eb1100197a2db5ac09f33134f09e4ed9b3414d2ad33dd1bb41f9f63816a
SHA512

70940ccd56b45bb7eb9c4a598a6df8c4e81faae5792765e09be8730640ea26823b659177f79e6c614ed8a35789140abb45a3994ef45d7895b45d19437fa4b26c
SSDEEP

49152:w0kwIi7c4xZlm5knEtw99Kn/2vim7vgv6m+yyJ/0gbvjy7yY7BHi3u7L/gBUUWL0:2wfhY7g/rLO7yYA3awr341gAD527BWG

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
4380	alg.exe
3528	DiagnosticsHub.StandardCollector.Service.exe
4868	fxssvc.exe
4768	elevation_service.exe
2248	elevation_service.exe
4484	maintenanceservice.exe
828	msdtc.exe
2408	OSE.EXE
4908	PerceptionSimulationService.exe
4616	perfhost.exe
4776	locator.exe
1640	SensorDataService.exe
4292	snmptrap.exe
1584	spectrum.exe
4148	ssh-agent.exe
4872	TieringEngineService.exe
4524	AgentService.exe
720	vds.exe
516	vssvc.exe
1264	wbengine.exe
4536	WmiApSrv.exe
1180	SearchIndexer.exe
5884	chrmstp.exe
6004	chrmstp.exe
4432	chrmstp.exe
5188	chrmstp.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\82f1ae814521e136.bin	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	chrmstp.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	chrmstp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001e25439e6017db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000053c5029e6017db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007974329e6017db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006d9b399e6017db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e485649e6017db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f226249e6017db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000b8b079e6017db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ee12309e6017db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000098a8c89e6017db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009459d99e6017db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrome.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
4160	chrome.exe
4160	chrome.exe
2060	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
2060	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
2060	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
2060	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
2060	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
2060	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
2060	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
2060	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
2060	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
2060	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
2060	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
2060	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
2060	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
2060	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
2060	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
2060	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
2060	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
2060	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
2060	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
2060	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
2060	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
2060	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
2060	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
2060	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
2060	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
2060	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
2060	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
2060	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
2060	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
2060	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
2060	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
2060	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
2060	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
2060	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
2060	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
5592	chrome.exe
5592	chrome.exe
5592	chrome.exe
5592	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1540	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
Token: SeAuditPrivilege	4868	fxssvc.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeRestorePrivilege	4872	TieringEngineService.exe
Token: SeManageVolumePrivilege	4872	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4524	AgentService.exe
Token: SeBackupPrivilege	516	vssvc.exe
Token: SeRestorePrivilege	516	vssvc.exe
Token: SeAuditPrivilege	516	vssvc.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeBackupPrivilege	1264	wbengine.exe
Token: SeRestorePrivilege	1264	wbengine.exe
Token: SeSecurityPrivilege	1264	wbengine.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: 33	1180	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1180	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1180	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1180	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1180	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1180	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1180	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1180	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1180	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1180	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1180	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1180	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1180	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1180	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1180	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1180	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1180	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1180	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1180	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1180	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1180	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1180	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1180	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1180	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1180	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1180	SearchIndexer.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4432	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 2060	1540	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe	82
PID 1540 wrote to memory of 2060	1540	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe	82
PID 1540 wrote to memory of 4160	1540	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe	83
PID 1540 wrote to memory of 4160	1540	2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe	83
PID 4160 wrote to memory of 556	4160	chrome.exe	85
PID 4160 wrote to memory of 556	4160	chrome.exe	85
PID 4160 wrote to memory of 4788	4160	chrome.exe	92
PID 4160 wrote to memory of 4788	4160	chrome.exe	92
PID 4160 wrote to memory of 4788	4160	chrome.exe	92
PID 4160 wrote to memory of 4788	4160	chrome.exe	92
PID 4160 wrote to memory of 4788	4160	chrome.exe	92
PID 4160 wrote to memory of 4788	4160	chrome.exe	92
PID 4160 wrote to memory of 4788	4160	chrome.exe	92
PID 4160 wrote to memory of 4788	4160	chrome.exe	92
PID 4160 wrote to memory of 4788	4160	chrome.exe	92
PID 4160 wrote to memory of 4788	4160	chrome.exe	92
PID 4160 wrote to memory of 4788	4160	chrome.exe	92
PID 4160 wrote to memory of 4788	4160	chrome.exe	92
PID 4160 wrote to memory of 4788	4160	chrome.exe	92
PID 4160 wrote to memory of 4788	4160	chrome.exe	92
PID 4160 wrote to memory of 4788	4160	chrome.exe	92
PID 4160 wrote to memory of 4788	4160	chrome.exe	92
PID 4160 wrote to memory of 4788	4160	chrome.exe	92
PID 4160 wrote to memory of 4788	4160	chrome.exe	92
PID 4160 wrote to memory of 4788	4160	chrome.exe	92
PID 4160 wrote to memory of 4788	4160	chrome.exe	92
PID 4160 wrote to memory of 4788	4160	chrome.exe	92
PID 4160 wrote to memory of 4788	4160	chrome.exe	92
PID 4160 wrote to memory of 4788	4160	chrome.exe	92
PID 4160 wrote to memory of 4788	4160	chrome.exe	92
PID 4160 wrote to memory of 4788	4160	chrome.exe	92
PID 4160 wrote to memory of 4788	4160	chrome.exe	92
PID 4160 wrote to memory of 4788	4160	chrome.exe	92
PID 4160 wrote to memory of 4788	4160	chrome.exe	92
PID 4160 wrote to memory of 4788	4160	chrome.exe	92
PID 4160 wrote to memory of 4788	4160	chrome.exe	92
PID 4160 wrote to memory of 2088	4160	chrome.exe	93
PID 4160 wrote to memory of 2088	4160	chrome.exe	93
PID 4160 wrote to memory of 4520	4160	chrome.exe	94
PID 4160 wrote to memory of 4520	4160	chrome.exe	94
PID 4160 wrote to memory of 4520	4160	chrome.exe	94
PID 4160 wrote to memory of 4520	4160	chrome.exe	94
PID 4160 wrote to memory of 4520	4160	chrome.exe	94
PID 4160 wrote to memory of 4520	4160	chrome.exe	94
PID 4160 wrote to memory of 4520	4160	chrome.exe	94
PID 4160 wrote to memory of 4520	4160	chrome.exe	94
PID 4160 wrote to memory of 4520	4160	chrome.exe	94
PID 4160 wrote to memory of 4520	4160	chrome.exe	94
PID 4160 wrote to memory of 4520	4160	chrome.exe	94
PID 4160 wrote to memory of 4520	4160	chrome.exe	94
PID 4160 wrote to memory of 4520	4160	chrome.exe	94
PID 4160 wrote to memory of 4520	4160	chrome.exe	94
PID 4160 wrote to memory of 4520	4160	chrome.exe	94
PID 4160 wrote to memory of 4520	4160	chrome.exe	94
PID 4160 wrote to memory of 4520	4160	chrome.exe	94
PID 4160 wrote to memory of 4520	4160	chrome.exe	94
PID 4160 wrote to memory of 4520	4160	chrome.exe	94
PID 4160 wrote to memory of 4520	4160	chrome.exe	94
PID 4160 wrote to memory of 4520	4160	chrome.exe	94
PID 4160 wrote to memory of 4520	4160	chrome.exe	94
PID 4160 wrote to memory of 4520	4160	chrome.exe	94
PID 4160 wrote to memory of 4520	4160	chrome.exe	94
PID 4160 wrote to memory of 4520	4160	chrome.exe	94
PID 4160 wrote to memory of 4520	4160	chrome.exe	94

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Users\Admin\AppData\Local\Temp\2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-10-05_5c5caa62947625786642442365ede125_cobalt-strike_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x2e4,0x2dc,0x2e8,0x2e0,0x2ec,0x14044ae48,0x14044ae58,0x14044ae68
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4160
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff92ff8cc40,0x7ff92ff8cc4c,0x7ff92ff8cc58
    3⤵
    PID:556
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1912,i,9415216804309667359,7738000558551105129,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1908 /prefetch:2
    3⤵
    PID:4788
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2036,i,9415216804309667359,7738000558551105129,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2472 /prefetch:3
    3⤵
    PID:2088
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2112,i,9415216804309667359,7738000558551105129,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2580 /prefetch:8
    3⤵
    PID:4520
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3076,i,9415216804309667359,7738000558551105129,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3096 /prefetch:1
    3⤵
    PID:752
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3084,i,9415216804309667359,7738000558551105129,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3320 /prefetch:1
    3⤵
    PID:1120
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4460,i,9415216804309667359,7738000558551105129,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4488 /prefetch:1
    3⤵
    PID:4348
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4476,i,9415216804309667359,7738000558551105129,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4656 /prefetch:8
    3⤵
    PID:4236
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4680,i,9415216804309667359,7738000558551105129,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4628 /prefetch:8
    3⤵
    PID:1740
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4848,i,9415216804309667359,7738000558551105129,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4688 /prefetch:8
    3⤵
    PID:5660
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:5884
  - - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x2c4,0x2c8,0x2cc,0x2c0,0x2d0,0x140384698,0x1403846a4,0x1403846b0
      4⤵
      Executes dropped EXE
      PID:6004
  - - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\initial_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:4432
    - - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x2bc,0x2c0,0x2c4,0x298,0x2c8,0x140384698,0x1403846a4,0x1403846b0
        5⤵
        Executes dropped EXE
        
        PID:5188
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4776,i,9415216804309667359,7738000558551105129,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4372 /prefetch:8
    3⤵
    PID:6104
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4976,i,9415216804309667359,7738000558551105129,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=208 /prefetch:8
    3⤵
    - Modifies registry class
    PID:5600
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4664,i,9415216804309667359,7738000558551105129,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4904 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5592

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4380

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3528

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4940

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4868

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4768

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2248

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4484

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:828

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2408

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4908

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4616

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4776

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1640

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4292

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1584

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4148

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1936

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4872

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4524

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:720

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:516

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1264

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4536

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1180
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5516
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
4ce5fe8d984d242849e746988aad6c06

SHA1
2af1e6d965dbe9add1cdb8af64d43eaa1b651f2f

SHA256
1d102bb7b4c3079cf13dccb6cfb255dff3c00614203acb88976e9163ba0667f7

SHA512
e48f2653b162c611790042dd55a42a90145888fe38703648b5a151c44eaf7de9d84ff334bba12f885b3da3367f7e64035bdbe0323fc67c259dac1a1235419c00

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
1dfefe8f7e9517390a4a14c0fcdc4fd0

SHA1
9135ea20143a38ea803049ca7dc5281d10ab2358

SHA256
36616978e35ed4d0b939f1794b836d94f88412322cc4d4fab4cd141ec3dd967c

SHA512
0d0e3e477bbf721cf4e926e559da3dd1d53b800339b51f6f542b8f066c3c6a3699d4f333a86bc6c21f30731f55febc707bafaac971e4d7f975fe9e71c2d014ee

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.6MB

MD5
a92b7759cb09ac1354529bac40666bd2

SHA1
cdb8b9bddcb7ccb940716f69650575b75e37a5ba

SHA256
30b6fe861e2555e36d669411116ba2b91b96b9490d7fd6dee606e269f90fae06

SHA512
f9425184507a87611cd314af7445345b949413a3fce21fc0edbad390c289c11793911425072dcffcaf0524ffe0efc8405f4925d4f61aba5cf674b1a880ce601f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
ed4f82b65923bf9bd4a3e2bccde26629

SHA1
31fe545de51c38048ffc9467f67d8f49187f75e5

SHA256
5c76fa72e88f2a9ef2779d1d4dd8a568cc14e36d39c7e99d9f1eef154fee9491

SHA512
1a962e55564dc95108d5d82ca6fe1474658fb5d763f93f9951582da47caf7c28f031f3c133f41ccfe386aa8473046d64b4b74e099d49d43aa60d4c34711e8858

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
cf36e8d937d3e96afa01baebffb678de

SHA1
4b57af56a5fc14b5cac71c6422eb053e511259b7

SHA256
e0f21952614676394e2b7cfe56d28eb0c291184aeb75b174a296d4896700d232

SHA512
63e678c65030edb8d78ba54cff57a4be4233a1fcf06495e018759f308e4e5a4b7a908cf1fae936c6460d1400c8619e678df545bab73ce200f098b9bc485c4de6

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.1MB

MD5
68f7dbb747a266889d88913b949eb188

SHA1
7dc52c57cf9a6ab8cbccb10070ddafd7d4b3d0e1

SHA256
00c60fc6035eb13f08bc1a19c6d14434824a5f86069a0c5ddc6c661c1019e0f8

SHA512
f17fbdf66eeee555dd27be14a2b35a22674edaf68ee8e7f535b538e5a98cc0ba9ca4456475f395803d583aab317a3a447f8f92d54ad410ee06dfbc9fa77d3797

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.3MB

MD5
186e10ea15600090bb45dd31106360c7

SHA1
ad02e7464dbeb1d9e6424dc9f147e97fc4124d42

SHA256
d72c95878c14342d91a959a5a578080c17a1b97ea075c2ea6ff55bdcbeabf40c

SHA512
31f46b4192514a8f92c48cf61ffe94751e26295970c9c9f1eb1b4e6be03dc0757b078a8d60259c1a57a99a51f9b2901b608a63326a8a8b64c6bb5fc453b55aa4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
722ce7f40eabdc82fc8cdcc7aa1803a8

SHA1
029205279c002080a948fb8565fb621457829e11

SHA256
8af7bf9b86b76896bb9186e6c17b1eb78e6121e228d5d7bf5a78999ac21f5801

SHA512
ef0ebc7fa2401ea7e39f9a661a19d4d2b3955bb0f5170c23af266fd8db5be167ac09f4cf652e65972767f7df1f40a9cefa3dce9f6bcfa444bd2948219269c73d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.4MB

MD5
ab4614bb7bf20955a6c3d34919386242

SHA1
f18dde1fe6d7e93b2cd84c158fc79434299c12c7

SHA256
67e54a66db633186f741c12ff3ec952c0a58ef8b4ba3600ed06ecfa756c87e5b

SHA512
d241dc1c0ce751c78d9b742ccf29a1aca7dd3b774ca5a98d5a7375cc3012ec7dfaf02cf5ebe977de68c205fc06eb16928f4688638a99986e0698f5e11bdb51ee

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
a00ea8ae92a49080aabfe65e87c20500

SHA1
0f91412c5adf295b90987d40e178640fcd3d42dd

SHA256
1a284ab16f97dba6dc8afc3c5600600cf7200a1b41fef2da829b64cbb2d86b87

SHA512
7091824dcd6f71110f0cf2e8b80a03de418f2b3bbb11c1a2b3297a74ef29f0c1c79d071e262d33d0a3adf21ca6320626bd7d12e5e37a4164f3e3f649159125fb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
82a35a3d90bbd081d952cfd69e6cb131

SHA1
22f6a8dbba9d392b53c42cea346bed16ea084b50

SHA256
4862597d3d5a5084a76a8f6fcf66e6a5a9b6b5da2f2b16453880ce4a9c237111

SHA512
709087fafcd969b0c37561a6c07dc1ed8823c67e147e0a41cc3b49349d7fdac1da5f3436d3f5a1f6f6002bb1d76ed3793e57ca5662b8fd772b65cfffbfbe4bfd

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
469879b5a18ff92b666d0cf3957e82eb

SHA1
c9fef67275c3a2affac10cfef99bbe93d9d37d2f

SHA256
ad82ff82276e5aac160091d71a0088bdc0259fc9abc7adb2ed7e5fa3b6fe0ede

SHA512
f598d3b62780bab74f289dc86e8e87595b688e5cba2bb1e0e44bb0e8be383dec89ab2b9a5db550e9713f359c86e1382ba6b5d53c0b3163f850013180bfe8b727

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
1e6568c692054bc88a5f44174b7a8b06

SHA1
38bb10455fb2576dc726a80f7b5698842f1f0384

SHA256
ba17bf7acc05e16ea6209379f0c635b18a80db26e2e20844b3e288115b6e3945

SHA512
55fb1eac8514020731354193864620c031b50d97b24b2841b0c467a84f0656377519e1544b8b905b26fcdcf28120ecf0a07f1654b8faee6bf7c8f8aa900b9092

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
3a104901a385ca2ba3c432ebb547c878

SHA1
c6c20f916327f1e35a6071c8a70c9283aa793863

SHA256
10102a7cb6ea88bfdd86f92ad537cd2ab7d92452658e8df3b2da52a4a2c3ed82

SHA512
71ab9a72534f988748387efb6f30033cc76e0d613bf4fd83b75c159b6b791e5f3763bcc6a54e7844431e90abed28b9cd7f772fa6745e2a5919f0a466e0c9d110

Download Submit
C:\Program Files\Crashpad\settings.dat

Filesize
40B

MD5
ede030b01ceb4d265ee49b6b0f8f79b4

SHA1
f3e107335d3e9e1f15f7b6ad7a39daf37a8b8112

SHA256
e84c90f64895e081602c04af8f3a0a75b3161f22d91690178f4f02944c1dda6c

SHA512
e05082773fd3c1ea7950cbd7a16b72b3ac55e6bd1cf0c1d6295729b53745308f1f04c86711238172dbe729dd1408b8d4a66db1d0d68e1966f281fdd51ce82cfb

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
d3a3d648ba3fa7a8388772c3b432b00e

SHA1
95499f32c63b00920475de74c1d7e41b7f276224

SHA256
6001b70faf3a24e15132cabf565a16071e871f5f831246be56b8a783b001426c

SHA512
8ba9b210c87990163aa19631a9a91a22374df8a6cf52a3e908f5eaf254786ee5db99ddaa75b1c8731320d8edcbda4cb8d7fa6d43056eb7dbdbbc81afcef0be0f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
2557f51a2e7d6ccff5198472d68bff20

SHA1
d125bb613135eb00f4f6f7ef8437bdc4373d47d0

SHA256
f8465844fb3acd9632fafdb14c2d23e2510f2f6248aa479e23fbefb5fb9d54eb

SHA512
4b10d4239543fb7962abf42cd9b6514225fc9252c9b64289f059f759a52cd4b693c2a8ce169a08773264a9eced1b6d6ef3ee0309e09ef73f46819a1b1c63767c

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\20241005195604.pma

Filesize
520B

MD5
d7bdecbddac6262e516e22a4d6f24f0b

SHA1
1a633ee43641fa78fbe959d13fa18654fd4a90be

SHA256
db3be7c6d81b2387c39b32d15c096173022cccee1015571dd3e09f2a69b508a9

SHA512
1e72db18de776fe264db3052ce9a842c9766a720a9119fc6605f795c36d4c7bf8f77680c5564f36e591368ccd354104a7412f267c4157f04c4926bce51aeeaa1

Download Submit
C:\Program Files\Mozilla Firefox\firefox.exe

Filesize
1.2MB

MD5
da4fcec1d6f98af5f986af2979dfb52f

SHA1
d56063772762e20b54484db395eddaf57a1e9c26

SHA256
e3ed4bd20241bdc9646e0959c782b18eff90fa753e0937b0a831f7810dea0d12

SHA512
2816ebf3e67ee5482497ab99335c0bd2bdc647a4409c5409adc025e669112aa062dd8b15308d5ca7ef34db7717da047b633cacd03ac21fb964c3e700b96c44fb

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
f7bddf556f7f4aec9eb3306b4d5d958c

SHA1
b5ab2241153a3bb5e41f852ca41a9fe2ba77155b

SHA256
70bc27effbd27ee0960bfed5b2c59d84ca0e979a1d8a2b2d3b0bd0f12e07147b

SHA512
bc2c5ea040588d0747271e8bbf573f4f915731ad2b510efb8c8bb320d429d434eab30b8c391d597895c94afa819cb932d1351523b650cdd5b6f1640d8cc77bad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
8443833de2902fb02c86c846d732af84

SHA1
1ec619adbd182f18925bc38a333a548033d82c46

SHA256
973d5f5d1fef1a275b7a31bdf41d1d62181de8cd5796ca1be0a2f201633d3026

SHA512
0134bcec90cf79714fc69f3b4aa87f1e79d4be0fb2995c841f479c851ece54b7ea6f51f8878e9fab70425a1efbff089377406460bee893363467f6ad3c0cd9a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
603f639a01e05dd7a2d365b04a923a41

SHA1
555058b3941db0f95d8dee516ed73519b90469f4

SHA256
a598aa694fac3d7ed824456517b40527d32ee6bceb47854fc65c5103a2f0e925

SHA512
d45fe225c55984e53bbc5cf47130b63fd42bd09b31a89a8909bec9da475d86fd133204d38aef893c4cf001d9051759bc1359f194468a5a681f608b22ea61f481

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
192KB

MD5
a8cf54419129b874864cf206392ece0f

SHA1
2d8f78e5d6951faedba3257d5794227f34c50967

SHA256
b8a7649c907c010db609d7143f3f0601a385b9cf803f4b0bddb449c41151cc1f

SHA512
02a77857be5123636fdc44791f6cf7a4532fa53e34576be7f6ab21da51ef400fc138d7dda6a2880b2b42ddb22a803a1897e4f95ea3479487af61a199c7929a8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
8dc17853a6941fb3ac4029c779efce26

SHA1
b0bd7602be5eccca68f11e3e888c809a8c5898ae

SHA256
46e8140b9395c414fb9240b7eaf9fbcc9c372812eca2a9c016ec5b3a78376fe1

SHA512
2711b30a60739829af06dc4c12f6dce5d4a1274c4e6b249d1631538699cb687234a6407583f2100925c5d7638c8f7a286e2623a0a165b37a205e8d7c1bcb4268

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
ceb3ad31694f4c93dfa4607fe608af62

SHA1
30dfccb331b4920f0f3ba6972525f47b781cf4a6

SHA256
54c389f8fbb03c333a806afd5db3abcd3226ceb53b8cb9e5d7b4c1c8acae159c

SHA512
0cc9586a1cd4118e4a4f2bcb5b8053db0aaee7434925ee011335f0a221e9a5b9806e10767f0109dfa6ac15b8bb5fac8dedaaa65557eb4170f0eb513ae2d9f964

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
352B

MD5
d3d9aa2af2552181fd2b10984a70b342

SHA1
d25a0978b2f5af4217739538b8fb5529927d683c

SHA256
a111befff3a694dc303f508f89e88323199121363e7338e6cd41d9134e21f95a

SHA512
1f381ef61b4952f281ac4032e1a975b0ffe63b063b41c7a610345ecc9b6e09f0f4ad6f7c444fc4a9ae9e72e4f1cd63ebdc2571a2cfdf40e934419723ae788393

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
f87d567c7148545caf61921918ad6558

SHA1
9464ea404ad2a2d836504b025f4ddbdf1bb5904d

SHA256
70c51f3aed13faa9df3c4f2b833439b0dff817ce1f5be7e7062eabf86820741f

SHA512
133718290ffff6e86da2cdd4ab2b518a0bcf4762694053580882e6ee5fc9897986b6adce137c6147a55250ac210daf1b518157c5197557e538bcef0a4bc6d54e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
7ee4fffad5fd79661cdb44399f6b8406

SHA1
0e96eaffef27a491d198944eea042e22f9b55f3f

SHA256
92a70fd64d9093a4f36767be6756cb60726984edcd05e941b7bc3eaea53952f0

SHA512
32d8383c72e3de2d10a578ae92bd059c1fbe7a933c311e43add30bb091b2b7d3a8c10dcf80fcb540bb44aa625730cb0f7bdf98d437d248d3479623ecb53f5770

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
378bb3cea84693b4b318cfcc04b34d51

SHA1
c061f589ecff220a6cf07f34602bd988b00b0124

SHA256
9623b354b4b183fe9c53e2d515ecf32b1bed6b9a0597e067207f2764e5e65beb

SHA512
1675b6ab52258a02ea0cbf55d6012886ab3b81418167c1d00462552c2f8207fed237bec484e8dd8145b0eba42287b4b61daa2408de4d7a2d1b0e4fd913ce78aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
de2a5decb62c1cc0444c6247542f2359

SHA1
5880e9c4e1d4ec82b577f90ee0f78a07b538ad8d

SHA256
e434c542eee9d4fbbdaec1235a135f8443e2e92cfc28fed835483d21ef51092a

SHA512
398ae7a8c01ea9854ae83c7b0a4b25c01d98b1a1a21dfad35595a6b19829324f3493c7550d203b656cb4c439aa44723ff0098ce82bdd0ea55aeadd959ccbfc43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
96a4f45d5cc6d3390dabe8a06f141f79

SHA1
3adb410be33e847bbba152983e38c67fdcb51d05

SHA256
6997ba3b7676dbb3b61d52589be5ea51ef1ab82319eb2bae737dc67ab93ebc55

SHA512
5939f3c6853e7de4b4368b1f562ba202d4a3e13400fe798dd60821e9244fb3ac8965568d821b015688b6f31a8c1232802f180e0d01d31b0273650d6a8aeb02e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
ebd3ecb06852f0c2e74a9ff10f1d07f4

SHA1
836f301ad7940ec5b890035cf2b35a5a882f5a60

SHA256
bf6cb3a0e4a1c51623f56b83c444b25e3aef2626a2f078a9e9987a8c69793e85

SHA512
c33350cf52c1845053bb6b23f4226bec4a9c933470e16a881245a40dfff051a4060e0e01649f4f2f1078a91a77d3c124a29fc3552d112013860a91f4e417e570

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57d36d.TMP

Filesize
1KB

MD5
ff1dbe8cfa92dd34d9bf9119c785a6ee

SHA1
d818c31bd420325232e69ec64ad9c8f3331bfc96

SHA256
675798f0351377aedc7fc5c3b5c50515d97921d4b527785acfdc375885196431

SHA512
8a11baedd653bb52aa87db761b99c675f472e56e53c84ab2207f4f5261198c40a7d7fbab2baff10b2c5ddd3efbd49ced5a8b5b01fd7a003dc4e22b8c3162cc97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
65bd04823fc2e3c2136447b66d74f340

SHA1
4fd895fd91ac11cf13caa90857a6e326e0af8794

SHA256
9f9297cf09f0f0ced88624a071f63e4158c69f9a957efe6c1af22e8215b5758a

SHA512
73a0b120c17c6e11fd5af1c994ef57e492c4f22da05d129017db209d849879f9496c1f6f1bbef053e06aebcbc88dff23bad3ea8e4cd3d1be47607468173d9c68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
212KB

MD5
be70029bdf0836c0ffc8f430ceae0a50

SHA1
3fdef13bf462ea770dfa450726206f138bf13a6c

SHA256
b82750a776c7ee6923b94b18098ce3687ce5dd02b6a0b674612647535d4f0211

SHA512
df03af27508563275e4bead05de2df394d18195b5b7da19317f98dc642be16bcb12154cde6bcd4d4acd8f88f7d1825c11be8555b3603c28d633ee514f57b697d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
212KB

MD5
40955a75c3bc15a019ca28fee14802ab

SHA1
384f43ed6f556db0c7c448b73d2312d84941c926

SHA256
b1669d112649bc38c42da9cc1a6fc15fd7cc55593eda6e5e5eeaa118ec08d93b

SHA512
68b9230c64ff1343021ae67f32221a3299df0b5c437ecf5f1f680bb2f17a0f63a53ea7960feae94529cdb8b09953b5e85a83ceaa930e5ea3fc6afbab1d81abfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
a99e19f46c09966102f61402dd3967f3

SHA1
c7e822d5597cf2f6de548493d3b02bcb3a432997

SHA256
367457419d360c03910ee590bb2ce5c2d49e6342f631ce996467753562d12236

SHA512
afd42e2eb98eacdee5728305c82392dfa46a1cda0c3d22f6faa8e683e3ea790f0555af7ffa037b5488b69a25c5369cee3590186360c3aa5333667f08bc78d021

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
23b8316806be1ab23bddbc3aaad5cc29

SHA1
64e29c628ad48d7c26ec8d14875363ad388af466

SHA256
1272aec1fa97491dbc0ff903a6b9207d3af35fc7b2e866a662c6e9b20977d11a

SHA512
38b480822a44ed95c2be1a542e0264fbc0faba0ff06dd92e1a3a2140d7ed60effbd4f205f6de29dbd769cdcbb449c17ccfc6ef86bc84d2b2be52eac443799a5f

Download Submit
C:\Users\Admin\AppData\Roaming\82f1ae814521e136.bin

Filesize
12KB

MD5
00ed921c48038892357350f2203d3683

SHA1
2727a4365a8b717f84f9cd7752078c06928a9aed

SHA256
fa4f344a30d3dc2dc361d7ae65a0529e20db77a3826bf9599bffa45cf40ada85

SHA512
67d9015ba92c8484b7aea0b8a769d8cd9c1f29b29559d0fb818902830ed67b8b59be262293a9a0b9a171664b640fa75b6176abb5438d8dfd906f9f1f4944a151

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.1MB

MD5
16ca14b98e76023209930b8ad868c258

SHA1
f7dd1ee3e0f7448c537b68a363a6af94d6383701

SHA256
dc90b390b165c76b5378781fd1a6023ce20790737df7953f2dc87944a0396d72

SHA512
b870cf47e84ae023b36f4982945bef9735d78aa2dd63fd398230c0da42e4903408ffc785bffa54a6b9f11086e3005f4c4f5e8fba3244ad8575c674f734a08836

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
afc57c7ce93fc302ce8df79fe4333a48

SHA1
1462bf2d4819015e1d087f7c31b4243690e2836b

SHA256
ddb11d181d166335a7e647bc631a6a4d7d01080de8564a727176f10862dcbc4e

SHA512
a59380a2e6d2749d6bafc5f75cd959bf2b79b9ab83536a011d6ef08b2ead2c8abe7344832baa11926ab4ca1ebe97d20369d609912013a59d94b181fc621d2488

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
62883e6fb33f71a5d02da31dd5afe2d6

SHA1
37f6536f10d28767b08b299dbb420b34218a1ad0

SHA256
93e9b8593a8c2efd5ed4e74375cc5da9e40f5de5e380d3447f0b7927c8bcc9d7

SHA512
0271409f1c879324e1961e4219365a3d1ab3ce2e60e35c1679faf74aa14dc529c8f959f44a73ddb2629d64c70c84adfd90a3eebe1f1d378c011330118f9e7622

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
bfff87c50a121061425ff6fc94a2bcbb

SHA1
84d5e5384639142d98ee4ca4007c54be1dde2c7a

SHA256
6c1c82ed9d3be9387dd002f2e4c5e988ca6fe2c1fa109d6cadbdcfb27e4c072f

SHA512
6d9e2898656561b12f930e68cac9bd71256b7c0eda20a56295c58804e0ad5722d1cb6395f701d0f83a664e219b7889132a8fe3c42ab47d281b0d59277dc3710b

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.1MB

MD5
e2815c56b4b81d72edad0fb8d974cc56

SHA1
64df868e06d8c51e2552e2f41c26af2f96e2138a

SHA256
3cb58735ab9a86c94564d705c042602692e75a5bce3962b6f657968c162d2b10

SHA512
a3f56fc6aebf92c4c20e3012d146a85d27e2378d03d4521fd9a3c14c70a1ff175de4f089bac3799bd152b938466d1c806641439e12fefcde96a677988e15ee05

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.4MB

MD5
4eb212836e1920f037170e70e597a443

SHA1
07ebfffffb5da13b54a0a960e7be12eeff811500

SHA256
de75215e10653247b1af27d668ad969df2702a9ff4869e70d798b3a02115e298

SHA512
37eab1a28a6f9d5029e8548bd3333fa47780c29882a4808aae44dd7bde2dabb7e74b6595e789587aadc9c06e7ccdf3e81997af6acf644b730a02d55b5f082850

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
17f042f36fe8e614e87d81bb49d536c3

SHA1
7a8fc59a1cd4ae1ae474626ce7c35208ea3264a7

SHA256
656402ceb74312bd982d95f78d91e03be854d75a260ce9bb66bfd4c59b76bb10

SHA512
270c5c14771c31e9d28eb1c1c17b6c81d8fc7802c018ed81a3621ff0f77a91c1e95fc29cf37f90556dc9596ecc0a57dc04904a217a1b048f93d5eedec09da034

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
4e6532dbfe3137f3007fe27e5259242c

SHA1
9ba0fea5cf5006b9f0ec2b2c7873db7f11dc3f46

SHA256
3858375f32d31068d86abf6d1dc6885b46838add3373c32e764a96021074319e

SHA512
cf78582eb60ccfef9d1f456cbbb7874cd6993be4d5b9dcfc132b297b4eb5d7be439059625cdf8e538f2fc1b18711d8e1e8639356b72281e4953e511bd15d1778

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
a59cf42bf88b4e2415ba8c1488c773d8

SHA1
3f380535b159c89a739526241343e5a90cccdf40

SHA256
45ba0c9a7883f2cea3b49431f051b8fbaf4deff6cfea3b053c14565263fecf05

SHA512
87eeb66f19612cca183d2ce2ef99f1137511c1aaa13a36eeb7c83bfe13087c22b5f6455328804e27f7dd3d90ddbfcc0fac7747bd9c6886081421d3b490deb22c

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
94902a40eb7acbde3fe76eb2a4a1a4b4

SHA1
b036cb6d1ccf49fa87f37a2b97130a46461eacde

SHA256
7c2b1f2e35609d510421efd33ed60ab558fae1382d6eeb3fe430421a85c3bceb

SHA512
25353895b0fc4871e5dac10d320672ab28d1d7237ebbfeed978cbb00e27bf45953c5fd4b4468da07a32fe70a1c3da86649880778c6133d86b04bf5690437a3b2

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.4MB

MD5
3bc5fdd33b2d6c44eb7295c736e0cfc6

SHA1
75b7a475483f8023028ba0f539ae95335442550c

SHA256
67c96eb0956d64b9d1fcdea48c3f30eb932a039622879ca653088810abbdc8bc

SHA512
c477b11e4111c314cfba8d07fb2697ccdba55fb7ec6b015588152ea3f556b46dc9c987d6421d288361de33869848f4e53f670da2d11c7ae7c4413a7ec0b75fe6

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f0ef0fe399b98f26218b9e591890e207

SHA1
523d5b212c9d5d95fe9ac7df1b6ca8060910d0f5

SHA256
3836f98e5856cfc04805095b01aaf21f1babb31e735a5eb0f212ea22fd1cc421

SHA512
44ed015706f0b333ae2731440ba616f660a3d459a82e7244d2e30f41a60c9b17d468be14b27f773dffe78e0e89c595ed56fb71a314feac58a6a7283999ca06fa

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
3fae7fb301784bb6835f272a73eff924

SHA1
c003da568eb6fc82b1ad314aed1ede9c2974a909

SHA256
e96d8703541c1f7813213a139845d9b93db8ea7fdb501ab3d0f3761a339f6d40

SHA512
191d97ba97ac5b915db748a394a30889ff4d008a839c54d7a2bbfe27ebc33c1202731439b5694c47ed9fd1ae51fd57d214af7a32d309299143c55eb1c4959c58

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.2MB

MD5
36caf9ac305b9d53121256ca14c05f2a

SHA1
db3511a8e5552928a830ad2280097485497a357a

SHA256
ebfcfa5b23dcf4ca27de341d6fd6c34eec4aeb3453a1d7d4cb615f776bb09160

SHA512
4cd7e61d50bf17afe0693ce308d5e0e633466b7b4fbc80c10ff1936ed80962e204ef26f6f022923fa27f9ada5a19eb1f2f021ec71b1d609bc7a151516561313a

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.1MB

MD5
a3bf7cd0f97bc5a3eea6088283f1d048

SHA1
5d9757263800e62a7ee737422093327222c78c9d

SHA256
fa224eb01bfc7264f570a23f76d9e054fd676192466fc15628ccdc9a8f0d4ada

SHA512
aed288a4babd845a9bb2d2d7786d41a9538b5243fd60c37be0a4b85df4d3feb2609b4ff2ef0c11f17789a2d11f77cfce5ba064094e835373642297b03e84a902

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
7dd47cf9e0f9d99d808ea8a152796bde

SHA1
de16c4b88300e09b5a6d13e8a29c3f546cedff63

SHA256
5fa91a123bd5ef45ae2390b7b67274890e381f2485c8051b502be293c89e1fad

SHA512
1509bbfebd59702710438bc7751c85811d3bba543e6a3175be140630efbf9653d1b0e09e06f5825b393dfe6afccfe12c1af7bbeade6197b056b3467bce3dfa5e

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
1a144420eb1decf81db048151fe46221

SHA1
0baebccd561e83e39b3793b0a00db884be19dbb2

SHA256
654d84280a482e592486e7235b2ad23ca7ed1c68a3fee5c6e48e2a62a63c4e71

SHA512
72218d2fa6364243594150520136693380d3a728860e11cb8a832423e1d5c522b65a30fdb2f8f1d6ffe387c140e0bcb3acc1c30ec2e8b135782982f1da1c5574

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
5c9d9cac0cf78388cfb50c7316d072fb

SHA1
ce851bd4a69b9bb2eca93857da9fa618daf4baf4

SHA256
362469afec184b0d81f64e187836b063a64725018878336f1a19961b4d420918

SHA512
af3fae306172b232242eaffa043ab8f0f1941b9c467da570568613348af86b52d6a45ee9a07a0fae3f30ede44b8eb2c1282ff5c60ee1c2fd5d6b7b77a55ea994

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
e6389ebc7878f5e670833c45050cc6da

SHA1
0c53abdaf0e50358ec94da0da09298b4c08cd14a

SHA256
7a3029783d8fff20663e2ecfc595a7368c8598b5897967b03da69d4e4181c6e6

SHA512
6563316ca4b38610b90b06ca4726e1097f439f7a7baa504514248887604fe5d68f8f40e331d39b00f3ab87207f8997229d8c2bbc0ff02e23cf45a2494ef9dc80

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
badfa62c394aa6fc12b0a03514809488

SHA1
540f09bd9454b9835984fd8c51cec3b24dc3a551

SHA256
0da1148ee7a4314cc3793014cce0465e2539582d85faf17689053c4c97a6a25d

SHA512
e62fc597b345acc46c4627886f23d85f5bf7df5bfa53a2dd2305d2f68773c79be9cb301f09f6cdcc6c8116a455c757929c0888c3499ccc9c01593d71fa2fd7aa

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.1MB

MD5
1062594355ace8b98da818b1cf66bad0

SHA1
99756bc876d17d4b9efa2353084cc5d6659b3dd2

SHA256
7f041c80bae3081fd633e23897483f9298e353ab1890187af537df00d9cc0007

SHA512
16c4fac7105cc0fc5ca2d7918fd4537b26fd8fa4a8fee842ec396d83a0a98ae874d8ff7fe03243b2441cad09eeac3a60d2d8b3fd0b55d8f638a2e6cdaa00dc55

Download Submit
memory/516-608-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/516-286-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/720-582-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/720-274-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/828-258-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/828-115-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/1180-685-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1180-323-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1264-298-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1264-627-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1540-39-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/1540-22-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/1540-9-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/1540-0-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/1540-8-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/1584-206-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1584-491-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1640-698-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1640-322-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1640-189-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2060-12-0x0000000001FE0000-0x0000000002040000-memory.dmp

Filesize
384KB

Download
memory/2060-21-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2060-18-0x0000000001FE0000-0x0000000002040000-memory.dmp

Filesize
384KB

Download
memory/2060-102-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2248-89-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2248-235-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2248-83-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2248-92-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2408-273-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/2408-127-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/3528-177-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3528-51-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3528-52-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3528-53-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3528-45-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4148-514-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/4148-244-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/4292-193-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/4292-428-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/4380-155-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/4380-26-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/4380-35-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/4380-34-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/4432-589-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/4432-532-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/4484-104-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/4484-94-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/4484-109-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/4524-271-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4524-259-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4536-310-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/4536-630-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/4616-163-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/4616-297-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/4768-69-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/4768-77-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4768-167-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4768-75-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/4776-309-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/4776-178-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/4868-65-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4868-81-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4868-58-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4868-79-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4868-59-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4872-528-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/4872-247-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/4908-156-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/4908-285-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/5188-796-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5188-542-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5884-493-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5884-600-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/6004-517-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/6004-789-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download