1f9755832a5916265675b096d72456ce234945ef856ba1ce8d2a09285be43bf0

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 10:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
Size

5.5MB
MD5

30726536968e44b0155d448a0c5b0355
SHA1

6e81ddc3171d2cc2e07300f72df078910583cd35
SHA256

1f9755832a5916265675b096d72456ce234945ef856ba1ce8d2a09285be43bf0
SHA512

ba22d11267737e20737a9238f9f76662f9d0f2b07a8a62a20a611833e69dd5fcce48e3f16485f5d980a8c88e310c452a6949a07eaa112d5ac17cbaf1a5854975
SSDEEP

49152:SEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfF:4AI5pAdVJn9tbnR1VgBVm7qo4w

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
3656	alg.exe
4336	DiagnosticsHub.StandardCollector.Service.exe
2184	fxssvc.exe
5032	elevation_service.exe
2972	elevation_service.exe
3600	maintenanceservice.exe
3944	msdtc.exe
1728	OSE.EXE
4620	PerceptionSimulationService.exe
2084	perfhost.exe
2820	locator.exe
3128	SensorDataService.exe
2416	snmptrap.exe
3092	spectrum.exe
844	ssh-agent.exe
4976	TieringEngineService.exe
2728	AgentService.exe
1060	vds.exe
4164	vssvc.exe
3540	wbengine.exe
3968	WmiApSrv.exe
4280	SearchIndexer.exe
5852	chrmstp.exe
5976	chrmstp.exe
6128	chrmstp.exe
5344	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 34 IoCs

Processes:

2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exealg.exe2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exemsdtc.exechrome.exe

description	ioc	process
File opened for modification	C:\Windows\System32\vds.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c63703ca85ca13a2.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exealg.exechrmstp.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	chrmstp.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchIndexer.exeSearchProtocolHost.exeSearchFilterHost.exechrome.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133587720606537126"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000026529005399da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000082c67fff5299da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a59e86005399da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b0896cff5299da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006c639cff5299da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004a75afff5299da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

Processes:

chrome.exe2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exechrome.exe

pid	process
1128	chrome.exe
1128	chrome.exe
3408	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
3408	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
3408	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
3408	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
3408	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
3408	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
3408	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
3408	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
3408	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
3408	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
3408	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
3408	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
3408	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
3408	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
3408	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
3408	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
3408	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
3408	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
3408	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
3408	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
3408	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
3408	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
3408	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
3408	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
3408	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
3408	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
3408	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
3408	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
3408	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
3408	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
3408	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
3408	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
3408	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
3408	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
3408	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
5892	chrome.exe
5892	chrome.exe
5892	chrome.exe
5892	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

1128 chrome.exe
1128 chrome.exe
1128 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exechrome.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1644	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
Token: SeAuditPrivilege	2184	fxssvc.exe
Token: SeRestorePrivilege	4976	TieringEngineService.exe
Token: SeManageVolumePrivilege	4976	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2728	AgentService.exe
Token: SeBackupPrivilege	4164	vssvc.exe
Token: SeRestorePrivilege	4164	vssvc.exe
Token: SeAuditPrivilege	4164	vssvc.exe
Token: SeBackupPrivilege	3540	wbengine.exe
Token: SeRestorePrivilege	3540	wbengine.exe
Token: SeSecurityPrivilege	3540	wbengine.exe
Token: 33	4280	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4280	SearchIndexer.exe
Token: SeShutdownPrivilege	1128	chrome.exe
Token: SeCreatePagefilePrivilege	1128	chrome.exe
Token: SeShutdownPrivilege	1128	chrome.exe
Token: SeCreatePagefilePrivilege	1128	chrome.exe
Token: SeShutdownPrivilege	1128	chrome.exe
Token: SeCreatePagefilePrivilege	1128	chrome.exe
Token: SeShutdownPrivilege	1128	chrome.exe
Token: SeCreatePagefilePrivilege	1128	chrome.exe
Token: SeShutdownPrivilege	1128	chrome.exe
Token: SeCreatePagefilePrivilege	1128	chrome.exe
Token: SeShutdownPrivilege	1128	chrome.exe
Token: SeCreatePagefilePrivilege	1128	chrome.exe
Token: SeShutdownPrivilege	1128	chrome.exe
Token: SeCreatePagefilePrivilege	1128	chrome.exe
Token: SeShutdownPrivilege	1128	chrome.exe
Token: SeCreatePagefilePrivilege	1128	chrome.exe
Token: SeShutdownPrivilege	1128	chrome.exe
Token: SeCreatePagefilePrivilege	1128	chrome.exe
Token: SeShutdownPrivilege	1128	chrome.exe
Token: SeCreatePagefilePrivilege	1128	chrome.exe
Token: SeShutdownPrivilege	1128	chrome.exe
Token: SeCreatePagefilePrivilege	1128	chrome.exe
Token: SeShutdownPrivilege	1128	chrome.exe
Token: SeCreatePagefilePrivilege	1128	chrome.exe
Token: SeShutdownPrivilege	1128	chrome.exe
Token: SeCreatePagefilePrivilege	1128	chrome.exe
Token: SeShutdownPrivilege	1128	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

1128 chrome.exe
1128 chrome.exe
1128 chrome.exe
6128 chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exechrome.exe

description	pid	process	target process
PID 1644 wrote to memory of 3408	1644	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
PID 1644 wrote to memory of 3408	1644	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
PID 1644 wrote to memory of 1128	1644	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe	chrome.exe
PID 1644 wrote to memory of 1128	1644	2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe	chrome.exe
PID 1128 wrote to memory of 2824	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 2824	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 700	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 700	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 700	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 700	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 700	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 700	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 700	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 700	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 700	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 700	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 700	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 700	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 700	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 700	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 700	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 700	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 700	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 700	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 700	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 700	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 700	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 700	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 700	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 700	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 700	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 700	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 700	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 700	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 700	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 700	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 4868	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 4868	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 3980	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 3980	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 3980	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 3980	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 3980	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 3980	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 3980	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 3980	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 3980	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 3980	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 3980	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 3980	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 3980	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 3980	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 3980	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 3980	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 3980	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 3980	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 3980	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 3980	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 3980	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 3980	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 3980	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 3980	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 3980	1128	chrome.exe	chrome.exe
PID 1128 wrote to memory of 3980	1128	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1644

C:\Users\Admin\AppData\Local\Temp\2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_30726536968e44b0155d448a0c5b0355_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2dc,0x2a0,0x2e4,0x2e0,0x2e8,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffca554cc40,0x7ffca554cc4c,0x7ffca554cc58
3⤵
PID:2824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1916,i,8915348510394392333,10605535347017297758,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1912 /prefetch:2
3⤵
PID:700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2144,i,8915348510394392333,10605535347017297758,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2180 /prefetch:3
3⤵
PID:4868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2212,i,8915348510394392333,10605535347017297758,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2400 /prefetch:8
3⤵
PID:3980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3052,i,8915348510394392333,10605535347017297758,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3136 /prefetch:1
3⤵
PID:4884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3068,i,8915348510394392333,10605535347017297758,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3168 /prefetch:1
3⤵
PID:432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4524,i,8915348510394392333,10605535347017297758,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3848 /prefetch:1
3⤵
PID:5212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4728,i,8915348510394392333,10605535347017297758,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4852 /prefetch:8
3⤵
PID:5836

C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5852

C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x2c4,0x2c8,0x2cc,0x2c0,0x2d0,0x140384698,0x1403846a4,0x1403846b0
4⤵
- Executes dropped EXE
PID:5976

C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\initial_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:6128

C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x2bc,0x2c0,0x2c4,0x298,0x2c8,0x140384698,0x1403846a4,0x1403846b0
5⤵
- Executes dropped EXE
PID:5344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4632,i,8915348510394392333,10605535347017297758,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4612 /prefetch:8
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:5892

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:3656

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4336

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1120

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2184

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5032

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2972

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3600

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3944

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1728

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4620

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2084

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2820

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3128

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2416

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3092

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2216

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4976

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2728

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1060

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4164

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3540

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3968

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4280

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5536

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:5580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5964

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
8791ffaba48120a73a524ccf77475c99

SHA1
6b91061a2fe5f7067a5f966b217eaeaa610c8eb0

SHA256
3febddb59d8d7ede58b07aa0c184b0f2d9e69a30127d15aac4fd90081719445a

SHA512
d1ac241ad1f156e289b843d65fb4a1262f93a131ec67c1c590753fca51edac77b394a4b9b6436a39ed93608318bac82c4c906a2fc6bad8fc30ab5486982379a9

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
1ad17ab58595ad6962a833623ce8a179

SHA1
70aec491a06215dd8bb2f48a28fff8a957991368

SHA256
84fccae54e8e809a2cd967b7483db5e1cdd3cef075575b4f06caea395c66fc28

SHA512
3007cf7f5cf3e17375944cc045927a9b94a5ab656c35e20f3bd8603c2d1c1828e8cf27e18252160530edc50c4170685efd6000c179ee5282fff6ae6e8eead3bf

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.7MB

MD5
07dd1368aa808f02b33ee8f336aae639

SHA1
3971292d1c535683748aa6a58ba688cd862403dd

SHA256
4bba35da4429da6174d445f4174359b3ab8202556a426cb86807bb9a766b05ac

SHA512
5dec164cf98496b109c4170e147e7bc52e2118ab6352772f5cd73f0b2e1f594702800fcb0c460b1e2daaf626b129a82c075c0867fbb9582f02a7c244ed209320

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
8fac32c0552337687b01420a88f17741

SHA1
233a2179929b156c5d985c450f8b1007cc8d534e

SHA256
a55a07d78a8c5484646a67f8c43e4616720abecb91dc887f9f81c0a4ca95ddbc

SHA512
3b2b4954912cc5d0d5446df2999110e446385b60f1cec33e8b1e4f78225dedcc9ea068bf8faa272838e85e8508f1b5e23a019512cbd6957150f54f86b3b88e26

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
68c1bdd957c42e6de7b52cea830aa708

SHA1
66d6dbc5b9a51d301c07aa0cc4d361e6a0e822b6

SHA256
7e561ef8499851c372e6eb684f82e8f2f8f44fe35d372f3b36fefb7ceb0ddeb5

SHA512
09e6041ca761297b737c64e618d0516b6b4bcf65111a2d34dc131dac0a37fe198b582d3116d44d4e89b07adc1a471e2776b38f33d3d34f0880bd840924494bf8

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.2MB

MD5
de3cae75ed33a772efa8f200564eab6c

SHA1
b1d231b867a9ed309c928860fb5310e389d38929

SHA256
0fc826efb03444b34d0122cee6743f5fe4173068ff1f6ba367f4961250c07995

SHA512
ea68638142dffffcfa0d3ee1e7a96564ba086d3ed33ab6ae92d9d2cc894aeb30d7ec1db96adb039cc55de8ff78b8b3fa05788ea64c99ed28271880cdf3aee5dd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.4MB

MD5
c606f86b61bb47eeb9543eb9f1b00e96

SHA1
b62446177ad010ff6644a4a2090d04d221bb915b

SHA256
a2e245715fb4fb3869c5572ebef35a69326bac9c5589d856ac9cac04ffb33db8

SHA512
6cd04187a6c4fb07552f04e74db03e9b36fe6812de1831323d61f184f30bedbc440af1b208f6362463271257ce6cf5f27f1e22b0590517f4f49ff99b5cedcb3b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
4e30ca40ba19b967f09111150b74c6ad

SHA1
1b05cadee0556b0ea72cfe2d71a2dc8bde4d0676

SHA256
3c431cdd9453aa2568efe7e2b200cf7aa1f0152cf2906167225b7abc0228d619

SHA512
7ec42a5a1a9da7d4b05a45f03cebeb5fa4764e968cc9a664282f1d8fb04e0400025698bf96dc2b4394206e77dcd0adadf9c0698b6b4626e68780fb0168387a2c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.5MB

MD5
16307aabb7c7329e37d184fec66e81ce

SHA1
4fee2c14aa43b28120cbf3e247e5d5388a66c73a

SHA256
af6a6df04ef80cab153f1de5410fa947dee8aa7b17cd76037474ea7052376c2a

SHA512
5269118f84da96e3caa04494eeb38142450e8119d463576478e64602d7148cc1271cc470692620d83d6fec549e814455abdf51068db01dbadf5110a4646b6252

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
ecfe8b44ab16dd4bf7ce43474d0e66d5

SHA1
c787f2afcd862831e2d46913333d8d435556ad58

SHA256
484882c6d48858dc63d1966db28d29bc85f0f97ada139c4782d9b2313aaac5b9

SHA512
9036dd631f8dbf900dd1fc78a731db016bcdd10271ac31675feb2750cbee375ed5a2e524be1d4cb0d9f394b320f2e7c63cc4fba36c3491e79c4a313334caddb4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
ca9d2963a60b51885748a6aaf888f27b

SHA1
48126cb588f5f6b65b82fc84070d7feabfe0922e

SHA256
59e3a88e2507690cea5feb89b3296e9e9165a5ceb5194f00d29b1836f978f75c

SHA512
f5ff626fd3ca91404ee807084b6c4015a671a414da859194a7daabf1b3e951545705e8f24eaa5255165ea0f7b41c84a261e6b39c8f53e4c60f54c4709dd9d636

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
76ae8b426dcefb98825729a9b7c5a89d

SHA1
e1e221b473b97fe1c7800c1dab0ac39971a85304

SHA256
636c7cce4ac9495786ed5241b22cfcbd562f9b8491a2450b905a4033972ba317

SHA512
231b5117e747833b29f0bfe4bded2ee506845a70a559b9b262b006d7501b57063ab7c54dc324c34159589ed5d5687cb219a1a067e588138a951108a685aec1b6

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.4MB

MD5
16438255d9f01f19a32eeac22520900a

SHA1
b8039529355e60dc8447c1cf465e8ea2ac1086f8

SHA256
fc80afb1f770c581d53f4ccf9d96ad079b7a9add3331ed9004f164ab8787052b

SHA512
88e84cfd80b76495082cdf09ad5f9397bd9e187fa21cc461d84ecd2d05e966d5569efd72f5551878bec0199bbc6828bc3c979eb7bc57ecc96b52221856ccc4d7

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.2MB

MD5
3185000cdb047f13fde1e99d7d29b84f

SHA1
d1d7bd691d1b2f2d476ccd3bd8a252867da23907

SHA256
9f735c84b778f895ccb78116ce7922182c2ac083a2a7557a40b0075156a05e94

SHA512
35207e72199ae8d4d82bfa2b6b5dc976dcc6a8a588887b15ab4252b4709a42482b735dd89b8f076b9f7c5c3e59f47aea8c3612330cfd436c72dbff916e8157a9

Download Submit
C:\Program Files\Crashpad\settings.dat
Filesize
40B

MD5
74065e6026611a53e5d2924d172fa73a

SHA1
2f3ae5b2a1a8301eeb66cc2d76148b15d924ef6d

SHA256
08c3ddf2cbd177242db08a37816816921324828817bf423bfb4ab9fdc41dec4a

SHA512
3247bd9e267c5af0a67badf63ab09578f5417bb6137e55c896ce9d141a230733637f1a3f80ec8109f6288f0d6957daef3f606f9821918feef560eb52c6e95f67

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
07dc38faa153d37f1e30bc7756b710dd

SHA1
00301a32cef9d3864abcad45255c16945265d84c

SHA256
3ead9148f1063e1806bba3e721841997463ec551be0be1d3d3e82de018f536c3

SHA512
5f0fc3bf2ee05af088e6d66e572ccf93ad9e6a3ea324e1e368ddd3cf7dc945e06f08591d85bb05beadd5e0344ee2043b8ea48944ccd89bb43067eee1b1f7a20a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
b2f080f7db0e0d18b4c71e53d057b3c2

SHA1
8d6f9e3593066ff5907468a0d9beaa76ca53b162

SHA256
b4f75bc4ea23eb863a2f8fcb94ba28a608eae13f378163b7a0fcea2d34c77cd4

SHA512
f1f619181ea8c135bfd155bab0e16df293250b9a470e14556e7d53122533bff52575006938d132864391e811f6c9d971a088034dd4bf4b8c9b118ca4d56a91dd

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
f826b8b2ffa7abc15365e134af7c2b97

SHA1
b201e9d1af1d418281ae11b6fa1f06941f574574

SHA256
e31ebe8b07db124b0dff1ad21d18809f60ba19fde8ccacf51d5b71a15b656f35

SHA512
85381abf40fafc916c3ba0fe9044b26ef5dd2e6ad7ffe188f9fb4f6b1f5b54e754707539caacb1fc6b2894750b7ab07cf6725a25b9585a4098b9b004ed252f47

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
e6f5f84b17f982ac6b06f5f49063241e

SHA1
dfc88c5c7fb071710c2f5c2bdd3a3144b67b78aa

SHA256
ea3ef7dbbf30f2cd38806e704060538ebc6dd2584412673dbb39f4c1a22511e0

SHA512
448090c8caeda77d9b762dff85568c294e8f133fb98e322417ede4577fe4dfdbb3d67f43a12bdd34dd0e8b88c4252fc2e94432ebb355e8d2ceda19028c40ee08

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
b1571b117014e2c4e082d425a84d42f4

SHA1
4626f9e63420272d5b28489b59e6ea30c489c4c4

SHA256
66127bbb9980fe44a35c57d1cd79193c6694c2e6f8e485420989fff6aa65b239

SHA512
b7145cfa80a5ea26f69e8b0acabc9dc7319e29c04311bbf2ba91058d77f0e8e6e573be28f85ce2fb52e334578c67ebe73bb5af1b38b5a55f37f74df2c6cdbb5a

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\eb76bd89-ac53-4e8c-8449-7b571d0eafd9.tmp
Filesize
520B

MD5
d7bdecbddac6262e516e22a4d6f24f0b

SHA1
1a633ee43641fa78fbe959d13fa18654fd4a90be

SHA256
db3be7c6d81b2387c39b32d15c096173022cccee1015571dd3e09f2a69b508a9

SHA512
1e72db18de776fe264db3052ce9a842c9766a720a9119fc6605f795c36d4c7bf8f77680c5564f36e591368ccd354104a7412f267c4157f04c4926bce51aeeaa1

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
c4a4952e15f54b3d2457d8b23ec56119

SHA1
f8d49b65946f3b6369271124c7e3698337118ac7

SHA256
27643c1ceaddb7a5a531bccabaf09aa11dbf5805cc1f5c2cb72c92beaa3af9aa

SHA512
53faa76b3d19d37c02840a1f24c2974ba09a8d11101eb7e20a7130e28962e74f90c4fcbaa266b348b36f287906eed6acc8ea17f70bffc8c80d7622eb6550482f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
b0f4105358923bc44e368c10e036c7fb

SHA1
5f1298fb73cda664aabd750313d7c3ac8ed11b16

SHA256
f6fb8cad648248d34b5b77fca27797a992cddcc63023212e1b283dc3a41822a3

SHA512
849624f9e558cf40a283ea63c8f3dc8de7e48f5ac336134b1bf4997a80a8a155b5a30d9440efaade3e20e44268c015659398ce5bfc207488cca218cdafd3ec17

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.3MB

MD5
586fe1a0012a42eb1c119ff697795029

SHA1
b286359836899d2b35be38648f6dc9f367591350

SHA256
fdf84ce27fd61549808dbe5599da36e8253241179afa3c7c204062bbd79b81f3

SHA512
030565c798d0b48d51b9c00928f0a888b91bdedba0f7a57fdad541945a626d260433dbbfbebf78c9188b68a4a4b1e2cc2eb92c0dbb755893fa8f745dcfb6d7ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
fb840ce5c59746251d432af07ad6b114

SHA1
7a737e1cbad6f3a8142aafffd8fffd9b27416b7a

SHA256
176c9896cb54c42d64c93847689affbb07ddc8047664774e911f68ec284ae22e

SHA512
cbf1c53e826dbb18a2e9689553fbfc4db59db0ce2725ac174c832e7e9055e221a78d01454ec16958ce0857f67e6a145eda163c5587c4f5d7635c6189dfc0bdb6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
Filesize
649B

MD5
6adaf789f47bbadda34d77bb5321dedb

SHA1
4163ccc02ddf4710e843355667a824347863396e

SHA256
bc9d255b1140901ae2483ed3597d730462d33a1719b7047995caa4b5c084daaf

SHA512
2f983f894f2125bdd29ca2ceb2e6a5f0f15deb4dacaf684813f0f321563587dfcc2e78f95cca414aeb527d7631334143fe44a25fe7b2dd368266162fd5acb261

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
192KB

MD5
a8cf54419129b874864cf206392ece0f

SHA1
2d8f78e5d6951faedba3257d5794227f34c50967

SHA256
b8a7649c907c010db609d7143f3f0601a385b9cf803f4b0bddb449c41151cc1f

SHA512
02a77857be5123636fdc44791f6cf7a4532fa53e34576be7f6ab21da51ef400fc138d7dda6a2880b2b42ddb22a803a1897e4f95ea3479487af61a199c7929a8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
5aaa55f61615eda5e98548a0820d95eb

SHA1
6f6257aec90268784029d758067032d38de6c772

SHA256
238344bda6f1918b4153fc3eb054123d462193f74e5870cf06c11141879a2b70

SHA512
957baf974ec17ff0072ba01ab9dfc358dec27eb0fba316132b3b3aed0a8380580039cdfb70c155a7a5221e3fd6c00592a4c5518802e224a2407df353eeb48c76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
e60060a5f61e92d7a229197c59c3b81a

SHA1
11cb1d3bab858beb68be12821c4e435c3066d43d

SHA256
ca7ef749bae4379c643fa1a5e5d66f656146a89fcbb6e980889acd23bb27de8c

SHA512
fde6bb98bab402c46618fca0183ee7e129c4c468c2bb848be999730088b6494cef3636b0083289f4b3afd252c6762ea29e0d986329453a57382271756141d85e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
7f97a194068f7efc1e5f8891d45a6d47

SHA1
7be670883b3e7ce16927e0d8ee274dc7502cca22

SHA256
6d598c367a9bca2bf060273886cb492bc566276e4532f858102d5c2783407e95

SHA512
7b6815b33cd73248706b893345bf9c53e01605043dac29eb6e0ff5947455e75fb6fcdd9e06511d0410cba7a26b4a7e15c836a827a0d2a8ad83622ca229ffcdb9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
a3b6b4fc46faa9aa3d01b13f2ce7f07f

SHA1
c45afc50f6160694e5218c3b0f1bcfdf3552b26a

SHA256
15840d209ced1e87e2e85daee805eeb19233efeb679d6dab0234972b1d44ed28

SHA512
6e6dafdcfc4e45ae1f33fc1d566acd1ce2cac6a1878f47a2cb05c0f3edc9d092f0d32a22e70bbbe83d0a38962f255668961a3a95440576bc8e24a5b9ade0579c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
9939cad24f9b43675bc9e35ea9b526c6

SHA1
39efec7ee27d97d4fbd32f082be66ece0fb5045a

SHA256
96490e8973ca0d02b73084ba41ba1e4f5c4494797989ebd71a701149ac8b90ba

SHA512
f47589f3bdabccdb950814eabb7bc9bc2d1c135f95dee49d0c19ec6b93115f33d0341b46d2ae75a3de82cec537030f3a6ad01bb6c97d57b26dc91fff832c324d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
1e9c950417a5f4daab6b0624a5f54135

SHA1
cd0d7adea6a695c0c98acbefd7f320f08033f96d

SHA256
4addee554f11de223b12252feaa7574d674a8d3fbc9cb3e69ef58f232ed0ab3b

SHA512
40f8d403b6a6be15756f4f8afb2e2fdea48da74ca417d656c96f9316bd6b640d97159a9b112340f185d2d58e568326777f096268a0cfb83e5e0bbc0201f019a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
2036204368bcede910949ed44721c661

SHA1
523f63fec08537c4b824b27b1d0fc2cbed8a2168

SHA256
04e9fbbacd513a25596beefa3cd8e765d08233aaa6838f210438d153195a7391

SHA512
01e1964cd41a8385dc191decebd0d260d1a2bb784cf314bd8530b62df78b50a7d5ac7054c405eb430dec46955c005ec3b48611990cee2adc941149e53661b538

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
9dc8dac6d07177ebd8b55f1ac026ac1e

SHA1
55bf3c619ce6e65620cea296873acb50202c86ee

SHA256
51d66feb1859758fea945ce966b4ae57b79bb44432eb57cd1972ddfefb93f0ec

SHA512
eb55cd700ca14d1312e0583c5fe27148b4a0cc563d8c381a379029d4bf8cd98c95b668eed926bb8fa248796c754a96f5a8a0c1b1f10afa73a612d9686a8b40fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
3879c63911ed8f3a9b522426e06f01c8

SHA1
542fed2c5b869ee307872e2e62183efcf37d2fe2

SHA256
187e5272af8ca3ab71ee66b57291f1bef1cc2fbdac7a9d03d85b735b7d5d7c89

SHA512
8b97849c6f9ef78b51e26e1645e9b795bc1228324889f50dc6f4bf92c99154d4943bf4e1afbb3e161fb982b6f44d8031a7004c7743baf81b5711a91976e67391

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5774c2.TMP
Filesize
1KB

MD5
69f8a9665c8123215c07fdaa0f1bf0c2

SHA1
1b2debf8c91062f49114dd637b86a231b588ec7b

SHA256
86c766084c1d4cc90e2f55d44636498026d07c9c558963f1555f46bd392c794e

SHA512
80f64ab132eacd012ca7ff52c54a8a04687f938360baf50b4d00494e4733d242661abe0ad5bace0a026796fc953faf574be8f7a39202f8800a608eba2045346f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
77KB

MD5
a1d4fb5863cd41c98d8a6c3c1ba819b8

SHA1
af5fb717479986b3aa8f1f63ed0e53a7e7a5880f

SHA256
c3638239102991640a5396cfe9720fb488c00ed2c6624329584641e7076c3589

SHA512
dfab45964df78b4c3bf72f60a3ba613291291fa76c549a5e26230d77f12a7e0c0e0002fc4e115dce4b6907e6f3098e7569e3faf65f87fa2ffd38a41248b60edd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
77KB

MD5
89e08c7b770c40d8f2d5ac5b90af1326

SHA1
0cc991219a95482abfb49dc1abb1c4da5bc4feb4

SHA256
b4f88b17cccb6033c70988e55b671fe9d3e1dd4f8bdbf2fb9a8f317a374af0b0

SHA512
6e8c54fce808c66be1df36cc7b39ec840a6cb8ac95e3d75079fd4a6387c53dc5734226b8fee6cbe741e42c393b0c8830c5c0355513e802010461f88f7a186646

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
7KB

MD5
1e964c1f38a5dcbbbea4d6647ad9e370

SHA1
3bbfcfba1c8bbae2cdf431370ab6922c1d294453

SHA256
82be1e39462154c84e3fd391af6adb6beaa6aa2af6f6b47a5948990ef73c8c10

SHA512
89ba89a4ee8a46ffc5a758078d774d1e6cd3b133d6752aca1f0541edb659d83a36378b2b50c207faf0206d9a16be53c356b0a748592255a5e543f3a47ae0ebac

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
8KB

MD5
565e7da824495c72e881d924cad4682f

SHA1
1d600c2120c5cfa68fec140eebe60693be104cdb

SHA256
6a5335b7b5452366843045b0c18ad456bcf35a44694d9439907d698dc82cf1db

SHA512
cdd192f838fb540f707e3fcb7da7d8e5d8413a5975f7ade5cfb60054418cccc5020e3af0905ff30d2e6da2ef6101d96364f7f3ba584f2c171900a37444cf694f

Download Submit
C:\Users\Admin\AppData\Roaming\c63703ca85ca13a2.bin
Filesize
12KB

MD5
fe5d9543d75a608043c49aef73dce6f7

SHA1
b6b4da8e2cc221e4ff97135dbeddd268cc6cd939

SHA256
a7ec873403a61d74b6c85c8520a21aba6c23227da93cfc85f743ee22403f3f3a

SHA512
19e80b33873c7d08cd707a6c42dd02c396e99d7cb704eef38d3ca8a681ccaad649b513fb9cc0231be3a63a4b26b7227ee215c24e19bb7488144280a35ed6a0d5

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
d5bb5ed58d5fd50cd9e3029301716df2

SHA1
2196f8ac87f2edd80cfaabbfc491b321dc4a1aa2

SHA256
30ba8b3b0ac0afb8335c164a24c7f737710cde66bd35c86c85db708adc6fdcc1

SHA512
de7cab47ba2765871adfffe77f0118db3929bcdaaa09121260c8cffe9c558c9db224ed053ab7e69d81a459e9b6ffeeb5c9171bc46ff603ffc4f57e447f60c161

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
5fc8f6ab28b6f955e426f2ecd4c9833e

SHA1
7ce5c1de20d194a4e9eba810e4cbe13ee9e69141

SHA256
f33ac6677504e4301c6dfa3a13ebd38b248252dc65a373b52463b9bd2f84b762

SHA512
8a5e217b0f7403dc274e6a139c61cb462e09807c2f967d2fa90b596275bbad6c25ae1519b22426305a21be9d85a07706c1aaafb8e788c4fa59d68ff31cb51bc5

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.2MB

MD5
64747f6744d793c6833bca6c09a7b87d

SHA1
3e771cb95ae3304efa44b1acd2fd2c147cfb9da1

SHA256
baccdd10c76794e69fb53803566e1596f6ec3b186f74956a0e12e5c3e3703e42

SHA512
ed27426e7a85567010feff64daa57a0ab7318345db42b5e137f1219a2393b7688c8a141d44795a7d95597695a5bb347eab2d45d094ec64d450d538bc4b4fe3ee

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
9e6d9dbf852ae67ed4d41f6106ba8ab4

SHA1
60e97387d2805a7a8ca6345949d107774115d087

SHA256
f560395443cc60e14f8947691e25924141c692a1a0682e95785aa25b4585a330

SHA512
7b39236a1a7f45bd4190208158775a9cca8d408517298cfe93b0066ea915deb5f716351290dc6d7939c7bbb80c9d109e127ac7c30a028ae0d2db849dfda99569

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
b1320db1c8c6ffb9390578a5d824287c

SHA1
adeacb5ea4c9f312a964aef86a7d7b6897650634

SHA256
6e8ad19a7198cf997395d61c5bb656c4e17f2e6eb7e6a1d82ca539be0afddeea

SHA512
8f842600683d11d2e58e6666b64eefacf4912902db316645aac8d83a083f04781df2c8a245552403765eadeb41a3f04d6f0b21fbd156edc9abde31c5d752f8b5

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.5MB

MD5
a3659a9c367e2455ea0bfe8ee6312e2f

SHA1
f73891c880f7e1a0b89324ff847d56b89493af96

SHA256
115209dbfee6b8a92a1d5083ef615ce07caed2e00cf5e78c8482a1680c592144

SHA512
3aeb26559add3a9c6b3c8d0cec400c88e78bcb7dc4fe39c801f0e003b3d267f8c3f53b47c7a97e4cfff905f186bc3078928816b746d710454e30d0e0af07a4d0

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.2MB

MD5
881d51b423798309d292edc3f2015f42

SHA1
6da14373571baab32cf0d6630a6f92ad6b898203

SHA256
5a896ec2d94f19188b174014c3e5114ba4f62f323e4f92d0ab95c2767842a012

SHA512
9f106fb7596f9c1949318206483414d7d7f733d47fc578a263ce9da4a108ca0d03771b14133c76771afd93db73d3706645364efce79ba2dacaff74b1e89b2e8e

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
33cacbf9ba955338934ee4d27f480dec

SHA1
fc447bc068dd2e1ccfe5e7cfdafaeada723cde81

SHA256
9543f6a6ac9d215decda538f4ba805ab516d9e58d4cd4815130ce6d89b2cd1c8

SHA512
923dce0dcbb913f6e136ee848339d45946bc02bd731e09354d3cfb1696c5efd0ebe3717800467bbd807ead3bc3adb458beb7968961a5681b678658c8973a733a

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
bb89fb84b3b3df888438a5b6af8c6299

SHA1
495f6c2795159853d1b452aba72dc615b6861536

SHA256
6f0602229dc9e92b708160ecdd2ecbcbdfaab93dc999dae63d3100109e63b789

SHA512
2d9109997bfd055728199b8ee00e835f02c74659e1d88ec15cf308fcfe1cb6cd85675eccf50d6cc31bfa0960266660d0de06700d7f9e9d38e788ad243584c73e

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
8b2cf565c32a9b0784fbc2e0e283018e

SHA1
070cce678a2ae5786ab348fe78ac73ecb042a8ad

SHA256
96de40b77fd5c83f5bc6202d795d27796dfde1020615b1e08076dd4f1967ed44

SHA512
dc580c07e8a6565b2034807ff7e2176e7821768115879ae424ac1de46ad686721d0bfd594ff0aab0000c48906b7e6d158ddf83d800f79d4c56c94edab678e4fa

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.5MB

MD5
e93c28f658ca9b1e278fc79912f91621

SHA1
778e8219859453fee2da8b62e2e85c0fda422e1d

SHA256
621adcadcf135eb5daaf0d46897ea0e257ae1c69e03887eb5c84a6fe9bbd63ee

SHA512
aa926ec38c92cf52bac5453ac6c2adba786204587d4b9df4d653fd71474b020dd678f4b04f3c711ab8904ee9321f82e483e2ab021abae105140dc7c2f651db73

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
7fa2af89f7601517b236ce28716fda24

SHA1
135c2e734e5c430d818786b75f1d0c18f2ac81e1

SHA256
77ad1a1a6d907bcec7a13553cddfd47cae4811ab0219496040cc3d6f69feea3b

SHA512
c463a2e03a05535758f5bd80e7ac6118faaa844298d74eb080f052c2b64360d9ef01d7968dc04555ccc717855e9806449a18caeeb687af9591d3e228d91c04f3

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.2MB

MD5
515ce8091cbf1e8348cbf598c090b5da

SHA1
24f667e827763bf6acf6f9a55cfd935893efc863

SHA256
b278224c182f259e155b52173164fbcf601f212b5d893bd278ddd4439addfcde

SHA512
acdaede4218bec007fe92948630aa50b95e2a46d7c5ad01ca0c43c5d77a2f15c462d9c99ac335fdc575f68a7a603954f4845d3c2966f2e5860d9e2e07da47998

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.3MB

MD5
203fe0ac6fc4850f70a0b5686493fc5c

SHA1
3bc7096faa5a732839e77026d7a59a3a1241c90f

SHA256
941c0f019b4047bdc78580001947051b21fd7d8aa7710d51af5833e4f0cbe08f

SHA512
57d44aa29fac93b4be05006d27230734334d8027d28575bdc042b8834d9c0ef4d691cadadeea65c156e24fcd419bff0e1d168c0eaa060bf71d6240eb75f32493

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.2MB

MD5
ba5b84f42c0c37c8e516069c10ef839e

SHA1
8bde910d83570c890c216b0c5b1d2d2e3b25ab00

SHA256
fba0bf667e1ab60b616b6b6cbf6087a900801a011b1797e6a392619de4752a45

SHA512
57258c19c176d65735277587234af8b80abf6da339efcdf50390197ddeecfaa1a52eded9f807d538b9de0929ef274781ce621864af8c5d52ca229dc421c06ef0

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
5b4890fd59bcd60b4c26c9b4630d8359

SHA1
7926a7b98ef39c177d51c3896bf97518972d37de

SHA256
c5d565e464d4d63d11f50c7a39737ee26156e9dfb7b8c0b1c5afec5c686c4df3

SHA512
fb8a336899395634f6644ec6cf288082451ee7ef479ff1f6b30ceb42c8c8b85d486094989f10a501b3f759723ea77bd216a4de8cdbaead2e879814b7855506f6

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.3MB

MD5
e579359a60bef02178afa218ba5dcb10

SHA1
6d1f257136e53443dabafa514d5e346f7c36698e

SHA256
7e1605a6736e1afa7fdb7c3a16b0f7e7eb86d3e919633b38d502e1be635dcec2

SHA512
e823b3a80448522e924df1ce39eeab4004654ab1f74e3164813a58012957e180d73f3ed74bf27fffba17c635d333355b98fc9f6816187245b0fbbe0cedcf49d1

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
f477ea13b6612d5d2d83860439016130

SHA1
7d5003592e773c9b92c3b5a5d583605a8ec82eed

SHA256
892ae596cff904599f909d4222a96a9fb9b462d5db0bc6ff0ff43fd049b30f2d

SHA512
8ccaeba399769b4e1505d55b4a8ff738561748e4a6dd823a7b47c3b74cceab3cc066874f3a81a242de9e12b023af5980ec8085dc78a56cf116ecc8c16d9ba8a8

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
9b778c2b5e106ffca171b510fbceba87

SHA1
956426e5785786397f082694f80e64a785589212

SHA256
81f3a8b106a78a77c247c76a8bd3bdb01dd05e2c32b10e8f7096b566847bff77

SHA512
664ac50af021a8a5e71abf948cc1cb0fa00154c4348f402d2210b0ba7a3b35d0c1548ddb28974ea6433dbe9d511a440be9b477e7a216b329a871ec2edf42b44b

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.4MB

MD5
fb83069a948aa68a0c7f621b7ce13730

SHA1
85c88f304daa5e2b812abe7ee89ca05c07101418

SHA256
8a56febf5092f5413d1a1f4d29be5d9a53a2b6160f1a0b4c371bd2eb9d394cee

SHA512
a21c44518f61f7f18eea364f4db292b1cffed570dedcf7bb744403bef9251fd818d3e7121155f75ad324b0987e6cd4433f79dca11a0e97cf03c2008566e92dbd

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.2MB

MD5
82c9a7c88fe22a2c9223553225dcf510

SHA1
4caebcf3e971104cb1db6e39cfe3a700fa2cef97

SHA256
d6ff87d19ba32f9b6d77c33d30fdf8dd96b78590466cbf175ed698097408a060

SHA512
2ea2169adfcefc8a47e6ba59508bbfaa37b70f433442203a58e8ff1fdc44371be13a6eb4385646e97a15a742892b81bf4226f4268d16bf3a406072aa65d9fe4a

Download Submit
\??\pipe\crashpad_1128_HSUWWPEYQBQBLOWU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/844-361-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1060-363-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1644-0-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/1644-34-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/1644-41-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1644-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1644-9-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/1728-344-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/2084-351-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2184-87-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/2184-64-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/2184-98-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2184-58-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/2416-354-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/2728-221-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2820-352-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/2972-343-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2972-84-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2972-78-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2972-731-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3092-360-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3128-353-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3128-600-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3408-554-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3408-20-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3408-12-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3408-18-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3540-369-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3600-90-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3600-103-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3656-31-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3656-615-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3656-32-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3656-23-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3944-341-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/3968-371-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/3968-732-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4164-365-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4280-733-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4280-373-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4336-44-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/4336-616-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/4336-54-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4336-45-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4620-350-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4976-362-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5032-342-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/5032-461-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/5032-74-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/5032-68-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/5344-745-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5344-568-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5852-531-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5852-590-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5976-541-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5976-734-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/6128-565-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/6128-578-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download