d8e94007f09934c74ccd2f0ccd9ca88fa1cf601afe95eedf5e7a85e63a88b7ee

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
23-04-2024 22:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
Size

5.5MB
MD5

e9b6a6a4b94d9acfbc0823a4923b6987
SHA1

a40ff2b3de9976cd19679a0a991cf78bf9c695fb
SHA256

d8e94007f09934c74ccd2f0ccd9ca88fa1cf601afe95eedf5e7a85e63a88b7ee
SHA512

633f3c38cc2b4f32e521825b0a37e4bb477559f1aa896d8a891b37922db39ea9fc37d8e00904072f915144b47cf81f5f37ca79c0d8e40c0fd13fa859780aba37
SSDEEP

98304:BAI5pAdVJn9tbnR1VgBVmJHFdi4VEk0V:BAsCh7XYsLiJk0

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3064	alg.exe
3348	DiagnosticsHub.StandardCollector.Service.exe
4672	fxssvc.exe
1448	elevation_service.exe
4836	elevation_service.exe
4088	maintenanceservice.exe
3008	msdtc.exe
1036	OSE.EXE
4652	PerceptionSimulationService.exe
804	perfhost.exe
872	locator.exe
4368	SensorDataService.exe
4012	snmptrap.exe
5136	spectrum.exe
5348	ssh-agent.exe
5548	TieringEngineService.exe
5748	AgentService.exe
6012	vds.exe
5144	vssvc.exe
5196	wbengine.exe
5572	WmiApSrv.exe
808	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exemsdtc.exealg.exe2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe

description	ioc	process
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b1d8d6912b574d51.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exemaintenanceservice.exe2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe

Drops file in Windows directory 3 IoCs

Processes:

msdtc.exealg.exe2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe

description	ioc	process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exechrome.exeSearchIndexer.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133583852976789343"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009985347cce95da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007d0f3e7cce95da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009f41f37cce95da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c633837cce95da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006e74027cce95da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

Processes:

chrome.exe2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exechrome.exe

pid	process
3512	chrome.exe
3512	chrome.exe
1176	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
1176	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
1176	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
1176	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
1176	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
1176	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
1176	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
1176	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
1176	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
1176	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
1176	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
1176	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
1176	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
1176	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
1176	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
1176	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
1176	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
1176	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
1176	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
1176	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
1176	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
1176	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
1176	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
1176	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
1176	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
1176	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
1176	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
1176	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
1176	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
1176	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
1176	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
1176	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
1176	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
1176	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
1176	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
3512	chrome.exe
3512	chrome.exe
6920	chrome.exe
6920	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

652
652
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

3512 chrome.exe
3512 chrome.exe
3512 chrome.exe

pid	process
652
652

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exefxssvc.exechrome.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1812	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
Token: SeAuditPrivilege	4672	fxssvc.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeRestorePrivilege	5548	TieringEngineService.exe
Token: SeManageVolumePrivilege	5548	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5748	AgentService.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeBackupPrivilege	5144	vssvc.exe
Token: SeRestorePrivilege	5144	vssvc.exe
Token: SeAuditPrivilege	5144	vssvc.exe
Token: SeBackupPrivilege	5196	wbengine.exe
Token: SeRestorePrivilege	5196	wbengine.exe
Token: SeSecurityPrivilege	5196	wbengine.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: 33	808	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	808	SearchIndexer.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

3512 chrome.exe
3512 chrome.exe
3512 chrome.exe
5988 chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exechrome.exe

description	pid	process	target process
PID 1812 wrote to memory of 1176	1812	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
PID 1812 wrote to memory of 1176	1812	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
PID 1812 wrote to memory of 3512	1812	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe	chrome.exe
PID 1812 wrote to memory of 3512	1812	2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe	chrome.exe
PID 3512 wrote to memory of 4188	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 4188	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 2204	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 2204	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 2204	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 2204	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 2204	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 2204	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 2204	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 2204	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 2204	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 2204	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 2204	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 2204	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 2204	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 2204	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 2204	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 2204	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 2204	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 2204	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 2204	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 2204	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 2204	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 2204	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 2204	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 2204	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 2204	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 2204	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 2204	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 2204	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 2204	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 2204	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 2204	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 3860	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 3860	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 1816	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 1816	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 1816	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 1816	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 1816	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 1816	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 1816	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 1816	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 1816	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 1816	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 1816	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 1816	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 1816	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 1816	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 1816	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 1816	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 1816	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 1816	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 1816	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 1816	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 1816	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 1816	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 1816	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 1816	3512	chrome.exe	chrome.exe
PID 3512 wrote to memory of 1816	3512	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1812

C:\Users\Admin\AppData\Local\Temp\2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-23_e9b6a6a4b94d9acfbc0823a4923b6987_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d4,0x2d8,0x2e4,0x2e0,0x2e8,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8184bab58,0x7ff8184bab68,0x7ff8184bab78
3⤵
PID:4188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1748 --field-trial-handle=1920,i,8296860797279387848,2870264642200905589,131072 /prefetch:2
3⤵
PID:2204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1920,i,8296860797279387848,2870264642200905589,131072 /prefetch:8
3⤵
PID:3860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2188 --field-trial-handle=1920,i,8296860797279387848,2870264642200905589,131072 /prefetch:8
3⤵
PID:1816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1920,i,8296860797279387848,2870264642200905589,131072 /prefetch:1
3⤵
PID:4236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3084 --field-trial-handle=1920,i,8296860797279387848,2870264642200905589,131072 /prefetch:1
3⤵
PID:2872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4260 --field-trial-handle=1920,i,8296860797279387848,2870264642200905589,131072 /prefetch:1
3⤵
PID:320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4292 --field-trial-handle=1920,i,8296860797279387848,2870264642200905589,131072 /prefetch:8
3⤵
PID:4420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4584 --field-trial-handle=1920,i,8296860797279387848,2870264642200905589,131072 /prefetch:8
3⤵
PID:4468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4732 --field-trial-handle=1920,i,8296860797279387848,2870264642200905589,131072 /prefetch:8
3⤵
PID:4432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3600 --field-trial-handle=1920,i,8296860797279387848,2870264642200905589,131072 /prefetch:8
3⤵
PID:3244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4652 --field-trial-handle=1920,i,8296860797279387848,2870264642200905589,131072 /prefetch:8
3⤵
PID:5240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3592 --field-trial-handle=1920,i,8296860797279387848,2870264642200905589,131072 /prefetch:8
3⤵
PID:5328

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
PID:5812

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x204,0x244,0x7ff6d67dae48,0x7ff6d67dae58,0x7ff6d67dae68
4⤵
PID:5892

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5988

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff6d67dae48,0x7ff6d67dae58,0x7ff6d67dae68
5⤵
PID:6020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4664 --field-trial-handle=1920,i,8296860797279387848,2870264642200905589,131072 /prefetch:8
3⤵
PID:5856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4472 --field-trial-handle=1920,i,8296860797279387848,2870264642200905589,131072 /prefetch:8
3⤵
PID:6672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 --field-trial-handle=1920,i,8296860797279387848,2870264642200905589,131072 /prefetch:8
3⤵
PID:6688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3604 --field-trial-handle=1920,i,8296860797279387848,2870264642200905589,131072 /prefetch:8
3⤵
PID:6820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=740 --field-trial-handle=1920,i,8296860797279387848,2870264642200905589,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:6920

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:3064

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3348

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:520

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4672

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1448

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4836

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4088

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3008

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1036

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4652

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:804

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:872

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4368

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4012

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5136

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5456

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5548

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5748

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:6012

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5144

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5196

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5572

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:808

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:1244

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:5768

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
63c49a749e6ce0ab21b03a243ec77a65

SHA1
337c10bdff8e06d09b19286537db08d6984482b6

SHA256
e2b298ce0921dbd912bd6fb6a7da58253fb9d07d7e3ba0cc30a1bbb24ec69c5f

SHA512
6100f1209760996dd9515227834ed854f3e686a1b3a94a82f577764e807ec5825744e2631e001d63908bf010161f527c5a539bb19617a00aa1ffe82b085a2a1d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
e9d4c799a1fbf225909a69734e1a9d82

SHA1
148f81f096bb5b25afc92dd7ccc181c34991a257

SHA256
0732a070b507094d9d8f3e2370d6093ed9f70383f95bdf80557d75ffc7382895

SHA512
faa8bfe3bb90fa6bf6a66464c8d8e6311355c72795f28d4e33bf7e859711d8048031ea7649f3d5ba29479a760529f8d711bc84b035d22e16c4abf2baef16037d

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
8964de1087e1e0494823b81b57deab14

SHA1
b2ae78573c47397302deacfb5db785bce8a4d4bb

SHA256
0e7fcb9d6a436775db518ae763478a02ba29f8ae5ddb82584c672d4f84634f43

SHA512
6740190db6efaf13ea9bb16d227b3cd1eb9f03d4ed8e0eeb8856779dc6702d2005444b34fe993228349b0cccabdaba2534ba73f398bd451a89bd41699acf5ad4

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
d4e5e18293d1279e7fbde9d30c6d43e1

SHA1
5cff1cc5f0efda9784c2449cafca11277da95c09

SHA256
3756a7f51de374f08d9c1dcbd2d0dd804ea617ad5437c9c7dbe3ff945d5cfed6

SHA512
8867e5815f10ca2059b052dd9b86ade874d9aa5ee056c3f4ca0f4951786c13a6acb654037883f1a234f9ab36010a31c85f2aad22958f4f2ac9c1d8d45dad488c

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
09ecb2c0f71863b823121d45f45a5082

SHA1
00f15ceeeda0502ce2ed1d11827efd814388892e

SHA256
ff45ce6d654616298a902844ec1b31aedcfd8b85f3b7b88b1cf57cd39ef3f7d8

SHA512
38cff634a17055bbf452eaab6dd4051e1f0aac8c39148583550873c711bfcd89606608f0dc7e136c0e52f4394c0aa06202c8f4e79a43512c43c1ac0c3c6ca91c

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
f4d06282a5f13702fedf474f0588997c

SHA1
2ba13f337658275bf894f84f2855ebb5121f2a9c

SHA256
8e0a15c40950c3d7d424d2a54881ed72c47cd28fc155acc8d46395288a3c0b22

SHA512
79fa8beaffbe03c47344a2345ffdbdeae925de3ea3d426c82fea21bbeed878a08362ab9260f855ec88e5aa1c5ff2a918d39f84e63f88089f349658b6578c8cd0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
33a79257e2909cd80aff0b84d2a3f661

SHA1
28330739d843815e59d599ee25895211e1c5341d

SHA256
98046f6b977c4c22ce08d9fcc1bd4cb01752e413fcf120515681336c0429faf8

SHA512
bcafcdcf6576a7401103256758b49dd3ef59432932b04eb7a29fa540df1c5b2cd522de08c53a59a6ead7676052bd2aa396b22b0dac35fc182468e5a04790480e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
474e86f82f8da7a24317f11d85aba4d9

SHA1
377aaae0ab764c1c1b34701ade700417bdd65669

SHA256
b7873747f3a3e0e9ce8efd2e5242b7800af6f9e4d795c7b06017e7eb43db77c6

SHA512
af783e2a7d0b4a0782c34eaa36b71adf20508d54a61f7f3f5b58729afb4bd025b217f8a05cb71535a1821b0b1c29b2540d3b8aa560efec8ebf77e2c06838f342

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
9260f8d9c797dac071fd4aecc1ab317d

SHA1
e267b96823f6e7a6f1a81e9627319986c03a471e

SHA256
c8aba4f54f0fc902c5acf16cdd07f5e26a3bd3c3bcc9c8d419877a45f1e56d89

SHA512
0fba6f5d389e4eda35f513eefd1eff68d597fabc91481fcfc4e257168e69947b796a514424bb3382f902e4fd7406de6c58c88b0a629ccee7566873e00d47454a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
c2ea5dba8eab1754fc90afc5aea8ea92

SHA1
76f3fdba95233e8a8d6b830f3393cb68e0000997

SHA256
7ae24e2fb3f34b38eb6d6ea127a7f1f4bab5110d2f2b92dae00e3a639f988048

SHA512
ab7ca10148b1c74cc0666da277767edbc6cd491b94dc4374e93875d6deeb3a661169de3b85a2aa7a60877187e6e642a8615f08b0b883bc05381074bec1f3212b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
be331e4dfec6aa65e7ddc0f62c860dff

SHA1
c1eaa387aed2ae227bb0087b4744dd8246659973

SHA256
8a8e8497465ae013c2812f172b69ebb01188389609356f55f149c5636db62e62

SHA512
8469d9bb36eabddced4cc40143f0c8af86c61b18aa626a666dd76c3054e02626ba7264446042bfb5c1abecf675db23385ab8f7dcf928370de4fd57ff200677e0

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
3208de6dc02e3ed2c5689ca73e46ff14

SHA1
df589db678de5b310b738eda30df8e5e3e4f3f7d

SHA256
39ea74eaf0129f5a882bda64535abc3c657b722c941ae3046289b6fc01d9b29b

SHA512
058d4a1378dc5e848d9f940395da1b03cbb68d0f20716c5d02e32d388950c397039c78d5b9c286c31692787ba780d94490a93c0dc8b5d49215596d1be2791743

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
4714024b42bd99ce6b7b4b4df8a44331

SHA1
2170d3a17dbb9c685e972696a95cf6a27929d42e

SHA256
21f44b187bf8fe7d3bbbfb9b8b07bd5e7dcd4c1a5421892b324b03aa172bc8a2

SHA512
be1a8c9824a21f59ac97649064e5baeb8fb0e3294df6a12d4fca2e9913912bf2fba9a051315620660848ead56fb811064fe7bc70447900f42604c55c85d95feb

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\78e8ac4f-51a7-4f4c-8263-88ca594984cf.tmp
Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
8894295d55316459b8e688717ece018e

SHA1
4e461f67f1003baa7e62bf8b7c03c57f62796f2a

SHA256
61f462b426efd2871ba3716dbea66b79965ebd64d8291506a57f9cf1bcc8c676

SHA512
7f47b597ce5cd58a594de9d6fc8dd2b0dc277298abe6809d76b76f913c03cc853e41e41b3942d54bc69ec3f775271ae27a9d49e76f7ebb888f675f67de7eb481

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\74e9a11e-691c-4be8-b343-2242ff3805ab.tmp
Filesize
91KB

MD5
f6652b67dc922c418a4cb2ec51dbf893

SHA1
3b7f0503e0f6b7d7e83961be07ae3957aa5ac707

SHA256
606ff153317fbd5510293ac6ba90b86b335981d2cee2d227a58392d668c9cff5

SHA512
d2514522923e182c39006a896a35edbafe4ca73d0b81588c505d19ed3e1de0c9c8cb9fb407ec8ae88466f97d0b302face2e4a616e06438f9855d2b34f4f1e772

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
450092d409ea8bde7e3ca1247fc0de4a

SHA1
f021476a1ce1a12f956b79635e5d5f36c2d2a4b9

SHA256
ca89da096c19ce02a68a898f6107765e7e4f005843d72d8447098c38d18e73a7

SHA512
d8d879b863ed265eded8c2af06151f3685c2345c17c568c119adc3e435be020232c731930083d3bc1f93ef1efb65670b70dc0e8c5fcc507aa972d45f016d388e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\6b7fcbd3-be89-4bfd-9e63-cf85322451c4.tmp
Filesize
5KB

MD5
e71bb7482162caf02d944bf00b182c85

SHA1
ec9ab496cb1db959da867012d9d194d8ea6f2c6e

SHA256
a7f01ce59755d9ef50c1df3239dd8c4a9a0ce32c5831a87f7c0aac6622b845a6

SHA512
d809ebb20b1efd84936af3140d27bcb8d54d9aab8b6ad6b6bdcabc2403fbf9962926e4d9796abc15628046c211e319e985244036009bc5599819d5f293e43bd9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
6e40919b471ef2bd5d33d4a284057852

SHA1
b688e1a308c285bee77973d17b151063c4cae792

SHA256
ead3bc1c291878c40091856ce118eb1d454e98a8b62f088af3eec894080e2cce

SHA512
9b818c4536ca911930ed3bbca6d44095168d06b4b2c52410d6e18e8949176f6635b8783020691876b5c19c7fa776cdadeadee2eba15c56e6377987da8fa52f77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
4f30e80910d9f3e4fcaf251c3e7527da

SHA1
f96977a179c1c7d3ff7270aa9572f6f59e4ed121

SHA256
1c7aa6faac575c038a968f7b893f1c871566ba00c7746f9374edcf54756f329e

SHA512
3d52aec4d3bcf18849793dc26a7af30008fe7d4dc0ae0545cb499c20402c398c68c9ca248ccc16bfc45cc01f3a9a3dc4e34923adb67337395474f0b10be75ec8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5755b1.TMP
Filesize
2KB

MD5
fab391fe9ab5e7d3bc5f362ff6abcd2a

SHA1
584ee1c2d71c3ef2b40290b8c4cf056a0d3c975f

SHA256
73d64236fe1335c0f3c014e6d2ae8f6e5d0ec10cf332528652ef1775abc7b09b

SHA512
4724c8527fe6f96fe0d2211c958b58603cf64a0275e152c82716ede335044ddf0f5ac54ea5743bfcae11a751e69f8381b32586f9622e4f5572386a2efa765320

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
1b6a4fb136cfa522ce14e6052e91d041

SHA1
bfae20e9d5acc66bb9494c211c06ffa4d065068b

SHA256
3c079ae8d1da95172fb4c8e2ecb70ab127ab48daa41a4b844d0675098e11a013

SHA512
427868d4df7b105d8ca1f84d98e2371341200cdc2fbedfd4309dfbe54f04db7140e29fdff7763ff0c633ce06966eebfa996d34d7bb3a302a18fe82ba8f657ce2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
254KB

MD5
b36e63ff57ff231993b9405badfae8fb

SHA1
29183d8a4a6b847e0aa2dc323950495dcf5b98c3

SHA256
b13e9654a4a97088283b0649b29a4b1637cc262209d8b6b17acb9436d311942f

SHA512
ad9b40751436bdeed9727a6496406e3a5a265c6c8d459716c927245d95446e7384409cebab5367b2a7426ba5778fdef61574ab774ab740c043943c59eb6afec6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
128KB

MD5
161409adb0de66ec03fbef92df81fb91

SHA1
d2d9f421b69d28fbe1cf53fcfc10677c193251ce

SHA256
3267ff5fb94c6cf7c855e5a341ad38bdf39ef38997314d525bd8439c9976a154

SHA512
7f915521f22853aed2513608d08dd032892d10432348db27eaeb5923a8b54d1deefc406bd94ecbcc618145cbc72cd915d322e36138eeed1120aab480ceaadb43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
274KB

MD5
c9e2819c85b7f33ebf797461eeee34d6

SHA1
cd3e8d9ea9c91b0c0a73a8ce02c5eaa9be9704ee

SHA256
b5ee127b07579f4cf82930d2b9bfc7e4839d5e381d9e5f4ea37a7dd65f932dbe

SHA512
a88d8fd8326e8431101bef3ce3031048e148b80fa80c89a8338e2a70b75059012d269f9e60624276e31ea055d896b26fdb65037b0f9ddb03977fc0423e877bc3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
254KB

MD5
58205842b786d4fd9192663dde7e071e

SHA1
35d46a0be669c355d6c666dcc9d77b1e1e22471a

SHA256
a417941f43bcbf9eb95556de1bba8d35fa682c9d3a51d40269e76516c6327d0b

SHA512
c15155731e8bd3264b36249b3b1fbc56ec6f07e2b8e816b13279f56cbe9251930af1efd615f64758d0e689af9c9781f7ca60dfcccb389726404caa0c6dea9553

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57cb10.TMP
Filesize
88KB

MD5
5b2f39d4b13bdbf7966f2fb937413f73

SHA1
05087a05ae9b8c61a3a195493b72dfb0868ecf8d

SHA256
f612baa18c0b01848b3ecdc2280afd1b065665f1aee01066525c037f4ea64664

SHA512
43f3d55e9ce7b8c0aad63616452b06820ded2dedf1e8e1bea4039fbb267f22678b185d6eb6b018039a2ec7eb741ccd76f1c2f25b2b06858b05431cb05e3c2627

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
7KB

MD5
49a41d4127db3dcfa2678762566aa0c0

SHA1
3eca92819edde3bed897ee37bfd2a41894fb3a91

SHA256
55970289d0f3ff76c8fa6c4bbbc431f2a8665b20268a9a04b1756eacbd896c9b

SHA512
c4b53a1d12d06b7b976fd309c4ffb28165994944275ffd42e31cdbf956fe17df6594f660c140a46e2bd59e19befbb217ec721255645890d5b1d04b70a0ca5d23

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
8KB

MD5
29bddfb74571b320863f341315b7518e

SHA1
ed9095af6b4ea3292156a16b9a22feaeb9743d0e

SHA256
230046a79b599ec4f3478d2f3753d75f10edf5fa784393d8e56eac6687d44482

SHA512
05a54c45e10541edb5949745079b097aff4c660df57329a61cf38f2379caa600b82e4700ffd3d8366e09cf6381ec6925c5b2741f2baade64f7508f01f3640847

Download Submit
C:\Users\Admin\AppData\Roaming\b1d8d6912b574d51.bin
Filesize
12KB

MD5
7667903c283a136a15c8926d139dc2f8

SHA1
620c8fff6a3934385bd0955e8e2b817b68323de4

SHA256
da49803b1f199f0a375331cfe2e5f619a5f06f28d708484bd22f2e18b056f555

SHA512
a29495d9ee721e012d6d454940197b2aee1731315bda459474e0461d828b722568ae214ad76979c7c854e07bdb7ecd3ae08089f084867f303aea08359deee439

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
88773d67dae998e5ca2cc5bf25915889

SHA1
864f886a0a3ad8cc8d78047c2e38b91a82054f22

SHA256
d446cf6e99995c375f3b3bd58f28c6961fe1197abb6c7914dffc8ea9883a5a4e

SHA512
786118c978e360ef7691f648bba4285fc2588da5e2bb40b8bc83a9fc870d57b4503ce79dd55907ee3dc2f09bf62ad1fa11a3a588a024d7e5bf0ae84afe73c825

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
eb50778ef24e9f0037849f3d31f310b0

SHA1
a203117f1570dbbe5310b0caf7895f534c0e6c5c

SHA256
dfe8bf79477cb2be42be809ad3df3a6277891a1fe2adb7bad3a993f9a821c855

SHA512
89ead96bf1a4c59b3e5f777b1f6afee77705b2a2f4fa344ab21de2cd0e44bbde1e335bff42999d958daffb25c7769b6bd7d90b710ac98c93968d042e0fe04c37

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
38e88cd213aad528ba3e89272c869ad7

SHA1
36f53f9df4a18c0f50f5b3b01156a30facb58368

SHA256
b19fada8daf207d98cb484b4eb2e07c423f1af3370ec9fcbf268e720bb4492c9

SHA512
5a68adec6cb5738da46c735090556039b598fe8b93da7137f499962f2f62206199d6bbc60eb5eca3ad1decff000ce005025f0b4026e05e6cadce0df9c1a513ea

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
98755a1436690509d5987e0e4f3ac16e

SHA1
9b9997df13bfd70efe40562e01d178f2ae69e5f5

SHA256
f765e108e3102277aa9f22f8c4818f6f7a5bcb531ae4934f47570eecbf6d2cd9

SHA512
e86845c7d125a50943eec10858db63790b07502bc67353a014c64b04df3f63126a6eae6b3b2c0931401c672741a7c8f5f795e6376b0d296c681c087ef1610bf1

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
bc0021b3b92b46476e06419dcdfa2c62

SHA1
89fdd78e498004aa9646de9cfb188a9d586a708e

SHA256
45498d01d4d03826d399126d5e002286ed301b3b4d970927ffb481e4d3cd5ddd

SHA512
0188e977b586750bc21b283c255d53fe430682d49f74216644216a95228a32e0f9ea4e9053a67a9649a4f087cfded67fa23d6934392a69d969923334749ceedf

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
578262874dd34778acf9c165603f1f9e

SHA1
c477fbafc8650178b9037d65a0045f1fd674edff

SHA256
9df53c85a9bfaa9d9961dcdcf1d1a9a62205a5703941367f2949ce00a805714b

SHA512
2a4e6f73638c8c74d711faea9b85031b7761dbcb905bf93e88e8b3ee6b9370aff177179c86d897befa2f378b589be0866fea0812650714106728a153ceea6228

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
519cc485b460397167caa620b710fe80

SHA1
3a3b12534bfc4323cc1468c96703e5e7de0a610c

SHA256
156073ec13375b20466cd53aa016d231f874d4f594e11f84313a091a388510cb

SHA512
cb975bb62b65cfc641193893d7d003a96d58fa3497487d13778ef248d84aa51631dc3fcb3f8ac9d088a87afb335a68502ba5ff1449d575ee5b20a94b5ce47fe4

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
4d710672a025096c72de5666c6478f77

SHA1
ca979a7f737295125292d2f17add7acf338030ab

SHA256
c7d2a615d9348027bcf84ac0b9d911ccff342d1e1cc1ed74a792d2f60b65cc3a

SHA512
11187459dafb862f487e0c911904dba2d8329beb8a66f1155a9aef2d049d0c005d063ec9527f98bec6737afcd03559fa35ce14ea01bcce8896ca6b6f492c98c1

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
7c0509a3b1375d92b47b60700361de7c

SHA1
e291a4148b02b00242d87ec78e91e27a43a097de

SHA256
fb4e451969230d390002024455c5cd907fe5f2ea945379f548ff3b8bb0b509c9

SHA512
6b4e5c1315187d947ba759ace5b66ebfce0f1e7acba9b512b6654fea8211287323ef3726cf704d733f6e2c43dd80de76fab5493ea60889bb4ca9671ad48f01b1

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
a82fabb3a8711d403f30c407a660a78e

SHA1
a9d6682f596db64c9fc1da6f2bd53840e2328757

SHA256
c2eef1b0d3274ad7e90c4243f9d25faae23d186352c68194d29709105e2d157d

SHA512
a4534ae65c1b0813fe8fbc73351dd5956c654325b355259d79be3737aa5b7f73aa3d1151537f31bb17b052d56f77c64b9471dcdd9cb2aadbd0f450959df3b6d0

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
93485290f154bb91fe66b1093fc7ec35

SHA1
b674e2d7061770c00885b89f48ce4c6ecdfb9418

SHA256
317cd9d22c061cc55e32ee443412f2066080a062da9d949dafdfa41d1405e026

SHA512
3c984ef330938d8d76dcf27d7081fc561f2c84b28adb0c6edc40892c085af5db980037eb467a91f52d6177b141e28c5f3559cb539b4bfcc6b8e483db464fad32

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
08e6b0777889fe12d07ae61cf7387d25

SHA1
7af602fca7a154df1259d12e9b872895254d1d2c

SHA256
167e3f31b55b48d03578a25231d156442db6c7f550f7f93d5c7b4f07b888e77c

SHA512
5ad14576a78c4db5180d2464634ce34aa08cf6233b735f56c2c476ad3be6c0be5cc7539e69466db250900b7c337d42cbb31a02b274dd33ba9d656b0e8e6662a8

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
bbfa2faae59d36b4c7242b51321fa1f4

SHA1
c0106d602ee3b8718c2edaf09b0463ae27d142ea

SHA256
5f448e1f02394a151ba085a39194b0daca6d401fca636e75203711837244b077

SHA512
8d85a9507c7e249ac354961265311a26155e52291a191b8f92926430a345f5b0794c95ae4988667482add09f1ae98d2b6137f39e26a3a85d57c66923ca9f409f

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
463e0c4472534ce6d69173fc1087e096

SHA1
25799ae3a8b67829ffe03356d954e2172fdf122f

SHA256
ca7ba731f912305a3f10a7c7cdee807ae925c48e5b7a4e5e88c2f15364befcba

SHA512
8563228dd3e84295c2fd2d19684e74ee2c9bec25ad95c12db86e262796cfa91f6d084a57e229dec2608f410497eea6d59d658198ca1ea4037c1f01d0a6bac67b

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
f2b2fcac639a0953b7062cb4d1d07d9c

SHA1
7b3425e7c4d75043d33674a191a3b490c8e0554e

SHA256
20de8aba838bb001d871991feacddafa91d491f498407ad9cd2f37e196d46f41

SHA512
01330e3ccf2b88b7cb525262edabad90f34f5670d8e63dfb25696b9dca5da80e24bf694411f9a047e70607a478d63cb56732a2dbc910d7fa5cde6a13197bbf3f

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
70b21b4d8e0c8ebe527eb858e09f88c0

SHA1
a27161fd29251d76981ea06ea4e8e12b4d7140ae

SHA256
8586bc473c34e83af212a09d8412b69babc0cf0e91dc839a1dda223603655088

SHA512
3001681c7af473690e0f641e3549246bde7cf137e4bdacc4df72c183f9db5ae1db220d610cdcb77761ed69d6e185e9db4eb9856a6b412c1db1e8e0a1d43a3894

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
ce868a438669e6b5bf083d7a6cd93321

SHA1
e45f70080f685eeb6dbf86a26aaf4703703f8f3c

SHA256
c1cf2a3b3b34496662b93c51c914563fe8cbbd45604c4b8f81654ba791a51c66

SHA512
6ba4d7582d08f71a6c171f939fff5941aee3c2572e8b3123e3d0fb7a0d62595b55960372809f45acfe7da9c1f9b0992bcfb1237cd64833790195398638807dd7

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
bc036ce48c73253b74e7ee3460445c23

SHA1
46479f5e1aae588d2324a44c3e3298b31c87bb3c

SHA256
97d873644ee3508cb29b4ed2c162b3e1e7d1f6d735f5643bf7b64e5f372230bf

SHA512
1c1b5b106a8115673c9242ca3fe990a7abfe8822aba5af82371d67b62028182b0350556d43d099fd700f531276fda1af8a4460fdbffd1b286e641a20faf6e0cd

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
f79d80f479a3822205d135addb5c7dc4

SHA1
869ae6a371ee61966612a9d16226c01c27337a34

SHA256
28348d897405da1d594f8a5a03ce4feca8c35d4fc01d55667e9de19d8563f1fa

SHA512
dd368d36b8ef9ccf4aff8022e2130dae0be94c8c5756103708315de5629d67aae0f88e09678c555d253a91fc2dddf4e5a7edc720b94a264bcf92158807db982f

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
377a7646b8af4c9ee65c28a599773965

SHA1
367eff46436cac9331159e09978e410da0ea92da

SHA256
8cf8e92e9e44777a8feaee1f7c5aa5ba06389c1f467aa13845bfbbbdf28d28af

SHA512
53d31fa5ac13376fae9d8ed112d89ce871443d9648e0cdb895ac3b7ce9a2bc92988abc6e846cfcff4b459106ed89052f5da2301f5edbd59726854f8996c88dd2

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
ed411738c02e9a09986542084e3c17fc

SHA1
43e7aedbe33741a8a31bc42931d5e838b96994d5

SHA256
92a3209d380ac680badc196241df3285b4028a2bcd52ba72bbbae4f5c9fbb248

SHA512
be7d1544efc423b54205d9b9833904b124eea0edd17e18d6d795c9b2d18e259b6d01165d65d86aeae482c099ff9103c565a9fa423b940149fad1539b0ce7e0c6

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
ef401c7f03f3359bca856ddb341cc285

SHA1
1a15e12d23f36a5a1db9a629e292af939507c7e7

SHA256
fd2b8fb748d89cc31cbbf64d89b3d424a8eeb90fc4a2546817d85eece242e446

SHA512
099bd829c0e71f27b2dbb0cc4ed66a0128398a0ddc8cad8e16a8b117fe72b1c37fadcdc7e58e941307773f6d912f6d8dddd2fae462dfd8eeca580ad03837c155

Download Submit
\??\pipe\crashpad_3512_KCZMKGCAJZCEEXAF
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/804-195-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/808-391-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/808-399-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/872-205-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/872-197-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/872-292-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/872-282-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1036-258-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/1036-170-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/1036-161-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1036-250-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1176-19-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/1176-123-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1176-11-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/1176-12-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1448-107-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/1448-113-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1448-89-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1448-82-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/1448-95-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/1812-36-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1812-7-0x0000000001FF0000-0x0000000002050000-memory.dmp

Filesize
384KB

Download
memory/1812-0-0x0000000001FF0000-0x0000000002050000-memory.dmp

Filesize
384KB

Download
memory/1812-1-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1812-29-0x0000000001FF0000-0x0000000002050000-memory.dmp

Filesize
384KB

Download
memory/3008-226-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3008-157-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3008-149-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3064-21-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3064-20-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3064-128-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3064-32-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3348-147-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3348-45-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3348-44-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3348-51-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4012-241-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4012-252-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4012-318-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4088-145-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/4088-138-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/4088-144-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4088-127-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/4088-131-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4368-218-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4368-227-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/4368-297-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4652-176-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4652-263-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4652-185-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/4672-97-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/4672-56-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4672-99-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4672-57-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/4672-65-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/4836-122-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4836-194-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4836-111-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4836-109-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5136-340-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5136-260-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5136-265-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/5144-360-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/5144-341-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5196-364-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5196-373-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/5348-280-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/5348-363-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5348-269-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5548-293-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/5548-284-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5548-376-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5572-378-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5572-386-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/5748-299-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5748-315-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/5748-314-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5748-308-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/6012-331-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/6012-323-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download