ed008dd54add94d309243399ce0d2ebceedb39c0efda1a908c21b99408e7ed9d

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
27-04-2024 22:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
Size

4.6MB
MD5

28373aab37411f556e55106c7045965d
SHA1

33b27c11950b705266a67ec2b7a161a4fa560655
SHA256

ed008dd54add94d309243399ce0d2ebceedb39c0efda1a908c21b99408e7ed9d
SHA512

5e7c21a76decc5a97e8a9f12b3ee4db657f902274f60b7984f2eb3a5384bc37a0b2d90b3dcf1103bd797a6cf218102dc02db3b7aae74050e837a8ff3f4a44b1d
SSDEEP

49152:lRUe99+g7C1zqHd+RlxvzPEW9Bzj3TvIIoQDk4qi4A2uVoj0I1v5ghsw7Ozx+olM:cp/z8wBzjzxUzk6xkZzWnD527BWG

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
4580	alg.exe
5100	DiagnosticsHub.StandardCollector.Service.exe
3740	fxssvc.exe
5036	elevation_service.exe
3648	elevation_service.exe
3600	maintenanceservice.exe
4112	msdtc.exe
4164	OSE.EXE
624	PerceptionSimulationService.exe
4100	perfhost.exe
3924	locator.exe
2440	SensorDataService.exe
1320	snmptrap.exe
3524	spectrum.exe
2292	ssh-agent.exe
1168	TieringEngineService.exe
2816	AgentService.exe
3832	vds.exe
456	vssvc.exe
3580	wbengine.exe
3760	WmiApSrv.exe
2624	SearchIndexer.exe
5872	chrmstp.exe
5980	chrmstp.exe
6096	chrmstp.exe
5236	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 33 IoCs

Processes:

alg.exechrome.exemsdtc.exe2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe

description	ioc	process
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\42ec37dd85ca13a2.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exe2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exechrmstp.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{202F91EF-93D8-4437-A499-C36C67EEB76A}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
File opened for modification	C:\Program Files\Crashpad\metadata	chrmstp.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_98656\java.exe	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchIndexer.exeSearchProtocolHost.exeSearchFilterHost.exechrome.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133587303418580374"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005785e8def198da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000231065dff198da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000515772dff198da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004eadb7dff198da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000785dc8dff198da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cbea21dff198da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

Processes:

chrome.exe2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exechrome.exe

pid	process
752	chrome.exe
752	chrome.exe
2384	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
2384	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
2384	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
2384	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
2384	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
2384	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
2384	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
2384	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
2384	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
2384	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
2384	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
2384	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
2384	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
2384	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
2384	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
2384	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
2384	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
2384	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
2384	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
2384	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
2384	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
2384	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
2384	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
2384	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
2384	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
2384	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
2384	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
2384	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
2384	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
2384	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
2384	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
2384	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
2384	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
2384	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
2384	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
4256	chrome.exe
4256	chrome.exe
4256	chrome.exe
4256	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

752 chrome.exe
752 chrome.exe
752 chrome.exe

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exechrome.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1480	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
Token: SeTakeOwnershipPrivilege	2384	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
Token: SeAuditPrivilege	3740	fxssvc.exe
Token: SeRestorePrivilege	1168	TieringEngineService.exe
Token: SeManageVolumePrivilege	1168	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2816	AgentService.exe
Token: SeBackupPrivilege	456	vssvc.exe
Token: SeRestorePrivilege	456	vssvc.exe
Token: SeAuditPrivilege	456	vssvc.exe
Token: SeBackupPrivilege	3580	wbengine.exe
Token: SeRestorePrivilege	3580	wbengine.exe
Token: SeSecurityPrivilege	3580	wbengine.exe
Token: 33	2624	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2624	SearchIndexer.exe
Token: SeShutdownPrivilege	752	chrome.exe
Token: SeCreatePagefilePrivilege	752	chrome.exe
Token: SeShutdownPrivilege	752	chrome.exe
Token: SeCreatePagefilePrivilege	752	chrome.exe
Token: SeShutdownPrivilege	752	chrome.exe
Token: SeCreatePagefilePrivilege	752	chrome.exe
Token: SeShutdownPrivilege	752	chrome.exe
Token: SeCreatePagefilePrivilege	752	chrome.exe
Token: SeShutdownPrivilege	752	chrome.exe
Token: SeCreatePagefilePrivilege	752	chrome.exe
Token: SeShutdownPrivilege	752	chrome.exe
Token: SeCreatePagefilePrivilege	752	chrome.exe
Token: SeShutdownPrivilege	752	chrome.exe
Token: SeCreatePagefilePrivilege	752	chrome.exe
Token: SeShutdownPrivilege	752	chrome.exe
Token: SeCreatePagefilePrivilege	752	chrome.exe
Token: SeShutdownPrivilege	752	chrome.exe
Token: SeCreatePagefilePrivilege	752	chrome.exe
Token: SeShutdownPrivilege	752	chrome.exe
Token: SeCreatePagefilePrivilege	752	chrome.exe
Token: SeShutdownPrivilege	752	chrome.exe
Token: SeCreatePagefilePrivilege	752	chrome.exe
Token: SeShutdownPrivilege	752	chrome.exe
Token: SeCreatePagefilePrivilege	752	chrome.exe
Token: SeShutdownPrivilege	752	chrome.exe
Token: SeCreatePagefilePrivilege	752	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

752 chrome.exe
752 chrome.exe
752 chrome.exe
6096 chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exechrome.exe

description	pid	process	target process
PID 1480 wrote to memory of 2384	1480	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
PID 1480 wrote to memory of 2384	1480	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
PID 1480 wrote to memory of 752	1480	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe	chrome.exe
PID 1480 wrote to memory of 752	1480	2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe	chrome.exe
PID 752 wrote to memory of 4480	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 4480	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 4504	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 4504	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 4504	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 4504	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 4504	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 4504	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 4504	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 4504	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 4504	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 4504	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 4504	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 4504	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 4504	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 4504	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 4504	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 4504	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 4504	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 4504	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 4504	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 4504	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 4504	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 4504	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 4504	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 4504	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 4504	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 4504	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 4504	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 4504	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 4504	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 4504	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 1564	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 1564	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 4068	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 4068	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 4068	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 4068	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 4068	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 4068	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 4068	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 4068	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 4068	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 4068	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 4068	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 4068	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 4068	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 4068	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 4068	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 4068	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 4068	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 4068	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 4068	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 4068	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 4068	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 4068	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 4068	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 4068	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 4068	752	chrome.exe	chrome.exe
PID 752 wrote to memory of 4068	752	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1480

C:\Users\Admin\AppData\Local\Temp\2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-27_28373aab37411f556e55106c7045965d_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.92 --initial-client-data=0x2bc,0x2c0,0x2c4,0x290,0x2c8,0x1403796b8,0x1403796c4,0x1403796d0
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffae413cc40,0x7ffae413cc4c,0x7ffae413cc58
3⤵
PID:4480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1920,i,5269983361563719605,8326533727050898036,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1916 /prefetch:2
3⤵
PID:4504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2144,i,5269983361563719605,8326533727050898036,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2176 /prefetch:3
3⤵
PID:1564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2244,i,5269983361563719605,8326533727050898036,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2424 /prefetch:8
3⤵
PID:4068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3136,i,5269983361563719605,8326533727050898036,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3152 /prefetch:1
3⤵
PID:4940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3172,i,5269983361563719605,8326533727050898036,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3192 /prefetch:1
3⤵
PID:4144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4532,i,5269983361563719605,8326533727050898036,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4496 /prefetch:1
3⤵
PID:5288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4752,i,5269983361563719605,8326533727050898036,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4764 /prefetch:8
3⤵
PID:5856

C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:5872

C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x2cc,0x2d0,0x2d4,0x2a8,0x2d8,0x140384698,0x1403846a4,0x1403846b0
4⤵
- Executes dropped EXE
PID:5980

C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\initial_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:6096

C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x2bc,0x2c0,0x2c4,0x29c,0x2c8,0x140384698,0x1403846a4,0x1403846b0
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5020,i,5269983361563719605,8326533727050898036,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5032 /prefetch:8
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:4256

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4580

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:5100

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4736

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3740

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5036

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3648

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3600

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4112

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4164

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:624

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4100

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3924

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2440

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1320

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3524

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4680

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1168

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2816

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3832

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:456

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3580

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3760

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2624

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5548

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:5620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:6004

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
2963a9fdc3e1c3abf43c450d1509acad

SHA1
c2bfe0a51830d7b94c4e1961adc5f833b772ce06

SHA256
d0b98b5013f1f59c97906b6afb408eaf052976fe263c61512140e2cd75d36c7a

SHA512
2d62413421cd871625cae76b03968286ae6cf3f4e582e6010798cc0fe78639ccbdacbc7240fc13fb6978a1850041c6bb738665d21f3714643d861ca0a4ffa28a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
789KB

MD5
98183952247974f18373b9d80b56ec30

SHA1
26c2772cee18416a69161352773baff17ac9b228

SHA256
e61d9578d78ab84dcdeab0a9f67882ee4cb1bf3eb41aeda3889327b0bba2d08a

SHA512
bc40196aa77e219a86b78eaee4313d4ef7c9bbf1b59a5ba8bb7deefb91e3cf58c42bb208a2bb8f26718065769527c8cca5e2db7d298f22629256f1fd517a985f

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
f2747801c5d1c92f0b748724456de5ae

SHA1
ddc69eb27835a101712a4447a251cf3c22407d51

SHA256
d194ed0885f2ed53f9a0417289b6d7a16e3e73864d626156c946af48a9b90fb9

SHA512
e6d288f37c8b4ece228efd1b96c147911001694f513751aaccb06208d3075b7082eae2a7db7d4898ac91db316331f82da1d55fd218a0b2dd782570e7d93d6132

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
c2817d86d364da439f7960157500ca59

SHA1
8ea5b0d395bf0ff547130854c1bf59776bad4731

SHA256
de79e192b509c21acfb2c5e7f4ef8c9010956bccc374e16073d3720eca5e21c9

SHA512
8fab788266fe3fec257f73daf3d27d0b901c409fd53a001a510c0aea615f2b10a236167ff2a3c71e16dceb79eb71cf322db583c1b0ef9afa6554cd0211936fbf

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
10d65aefba5d177b5cd6af3d0b9f7389

SHA1
792b7af0c491ef425895a15626c91dd5073e1f13

SHA256
739d4ff082ea0727ee3b9da9367f4cfeab851410fc17a8853d7a7ac213a4cbc6

SHA512
f66bcf99013ee17c929cf305e997da4477d49dd9bf1f2d0676fd34c9d985ec32bb8a61f3df7d8320307b64e420eef7cd730b9b05f3dc6ed61927bf48f4c9da19

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
adfa6133161a7f2e7fd8e6d33278673f

SHA1
5c00ccdc708b873767307e79a291baa270c547d1

SHA256
63e2b94cfd9ce5937bea843bc85c10acb14b778cd4d7dcff5116d67def4866ca

SHA512
80b818d1aa59dc7ba0b462c4984e4405bd89d00e7ac9f6b15527b6e0f41fe199775ddafafcadc765693e7ae46ba7053d8960eec5084cf12a4684ba1a09ea35c6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
26bd6530f7cda4fccc6b429c446a8532

SHA1
072cefcf49826314e6eb53cd7dcea7cf9bd73475

SHA256
73c1087b34c2370956093ea1ba7b659db1dbd699f6cced28b65e00a541aa3cb1

SHA512
d87f9392f9872dea3ad8ed117c9ef9405e1a59ab03200328abd9a0c5d8989010c2551c9109f0aabcd1e1da631d1c6ca74abf2002a27d1ed73750edef8c8cfe62

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
8e851933ba2cd35186497cf9bd20838f

SHA1
d243007731fad82df1706adb27bd13609cc8f1bb

SHA256
14b7cc1e1fcd54e5fd3fcbb01b9350172e8151756a9961d84159df16f0cba762

SHA512
542e5d818e55cf859a05857aad509b20191012fcaf06c69bd93ba6cfc89703cd5a955e7ca01a1a78075cf01933e440164d1e6d64b5360506574c7ff3cf62ddac

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
4e9721e5c7fc07100c50c4507f1662c6

SHA1
b2c25c20baa16d345368c8ffd272f6068f8fa449

SHA256
0bb0624a98924c7826e061feaddbce4e49fadf3964972107b9869ba92e7b0444

SHA512
27bff4caa69c20a6683aa142806f575517808ca9080f8bdde9c01be4393f551d969d79657582435d176079d7d605d8212a8a772ec465d610b0b2495b0926f6a8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
5770b241b0cf676c75e6475df1913a88

SHA1
31f28b353678c7b5fbfb04a21f588d0fbf94dfaa

SHA256
5ca4ac85fe47efa4fc3b3fbbfdef428c029a4aace45165891d6412220be7e806

SHA512
1a43cf96cd89b7d571c09d3648df4bc577887436d426ec18f808af05746ff87493c756706d26d65daff52de86f7a14d5f374943d088545948eeef43344392826

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
384bd9293ca21cf6c32e7a9abdf872d2

SHA1
53d0770dbef3be02e02ca70ec480f6bb641f066f

SHA256
b5e56b757902dfdf0c2207fa1c2b21d35c09d906b13861efb1916bf02fbf9941

SHA512
cf785e9506b28ab46a23f6933f0dfa8f7533551dc590b845e900c18a1e4d4c28161475292823de230a22c2918e49823718fcdd44870b08078eeddb5c8c21c23b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
39c04fb8b64c6e85f9d38725f6bcb5c1

SHA1
f0e37aa5669de0fc30b7d8ef19d2e7c9e8771744

SHA256
b0539f01f293fc9dc26b78bca1a743df1977027c5b84131672aa4e6bf6eb8723

SHA512
e784d899ccc1796122327e5cab05ffc13fb0572ba1638e7ace1a114777334764a90371bd5535964ff398017a7ff868310c21569bf7ace1f57633ed68fd1d4ea3

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
c5a2c27a2d089320426df24bc9360423

SHA1
b7b34d43a1db7513f431bf87a373d06783f8abb4

SHA256
d41c96031fdc1673dbec59152397365255478529a1860b028e717351e595cc9a

SHA512
3a61fa623248a278d552f5edf4c57680d753abab743617dc41c9f342d58e862bfe77f6caec0448dff7281342ab0eac5f0fa4970e2cff42c8d341761cf7333b11

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
e5c6af7d6a7d9efe2cd6ce237f217c7a

SHA1
1cbbfd0f46d867e7fcc52da67bfec7fa1156c09a

SHA256
3cbf3052dfdb7e8ed22ce34e1c6cae9a5f2b271950f61c55536151ccf3fd3dae

SHA512
8db0bb0f9e52652b5c783a3bc2ebe4d6cc5d4db596756560c7ea9e4c54b4bdbf0d54dbe39c4650f6687c71d9ef77f4f6ba2c494528361e3fcc816f712ae03116

Download Submit
C:\Program Files\Crashpad\settings.dat
Filesize
40B

MD5
74065e6026611a53e5d2924d172fa73a

SHA1
2f3ae5b2a1a8301eeb66cc2d76148b15d924ef6d

SHA256
08c3ddf2cbd177242db08a37816816921324828817bf423bfb4ab9fdc41dec4a

SHA512
3247bd9e267c5af0a67badf63ab09578f5417bb6137e55c896ce9d141a230733637f1a3f80ec8109f6288f0d6957daef3f606f9821918feef560eb52c6e95f67

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
452df70df1aa6cf127d8fe45e756d41f

SHA1
5492b08c7da0d31a88a27cd9bd266602c6708ced

SHA256
82965330e74bb703d029069ac2c5452ac13ececbf74c6b92931fb3d37921737a

SHA512
fba141617ea4c8bd962cb48a08adf6f0c4deb96d7ad1dca45bf883a6b00ca6fdf3fdcf0e82019a13f3a381d5790b03737815049910f654befec7aac7d4402acb

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
8b468ea24bffe7fe6142ca58147679c7

SHA1
7780f188197a6790d87feab5c5dc314c586c7cb9

SHA256
68874014008df9194b40ee4e54cd8c8100234c154ce2868652f9b01997d7fc53

SHA512
b7df7af08af5537c4dcad4bccd01a5ccb1b3b5083d0c2ed59caebbc2411d44c512d4ad8bbec2b3e9f565611206a7673554546f8d49bcc874a4ecb19881ca7ed3

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
5b5611b2ba9247e21776662052a5aef6

SHA1
58771a033f8124a507dca144dacd821fc0e8f100

SHA256
099b6603b1a724d25e2ed6511597347428387a975989a0f27d8ba04296a74c84

SHA512
0490e46faa4951eb7c718be986e53dd3ab15846bbc3461be615cd8eb133f98bb60205ab046d0ccf1b8ef2fe5370d3f310ad0d6ea156fda612afc70c7d3c85144

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
40edf91432e781cda5bee22cfeb03b02

SHA1
1662c2168bb57273ddcde68fa33dbea582593092

SHA256
5b12095c14b5da8fa680c97df8b10c3c00ec7624996f22a694528188e6a15eda

SHA512
bbb78e8e4acdf4953663a8a4ea9bfb32b7647b70707b3289262719aaaec9bb7756ce0749198b3ca943add316aae9462c867df13a705d274196b448d3f6122986

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
36481f9c231bda3e2029d14d7780eb9b

SHA1
45f1a9e1f2e5222d47225d7a35b2e85f7e9723fb

SHA256
4f7f83b70537e9ac9a251f2a5c6cda394d6fc75c79c7137f5481b0e8f4ddfcc7

SHA512
121072dafde36256affcad42960d2d06903410e3144ac39a67410b1385af4fecd2894ff0cbffabd361cf98290cd08564a39b37c63342c4a087032cecca4af60f

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\58030fc3-95ed-413d-81e2-ba8c5e56b201.tmp
Filesize
520B

MD5
d7bdecbddac6262e516e22a4d6f24f0b

SHA1
1a633ee43641fa78fbe959d13fa18654fd4a90be

SHA256
db3be7c6d81b2387c39b32d15c096173022cccee1015571dd3e09f2a69b508a9

SHA512
1e72db18de776fe264db3052ce9a842c9766a720a9119fc6605f795c36d4c7bf8f77680c5564f36e591368ccd354104a7412f267c4157f04c4926bce51aeeaa1

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
e3e2aaec0bd424ac2f8a8ff1745f3484

SHA1
a36485380aee708490ecccdb62ac85057406afa1

SHA256
1df95e63b0fdc9dfd3b60137f26f34b9a29e75965c857e0c1674a0e2da09b09d

SHA512
2b32ed68604865c786e2c55301837f77db38569bc8ebb6a4b38df422a6b5d9f7db112641279da40fb82dea6fce17b151cf3bd2cf44c7a16bff17e841da05cdb8

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
0699c2b42616149f1af477cb41e91066

SHA1
0ad4b40f0d8b84d7f3258c59bd2f432585f73aa4

SHA256
046053ed97a326122b39955812e007048d5480499724d4e7289cc269538fd9eb

SHA512
448b2aac0d73675a72a455b33191c42df165db14965926ab2c27df0942d3019b19e8e1e232344ee3a90f470780f29d57453d33bcd3b074cb0db18c2dd5f91e28

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
bda96b9a95dde630af4f1e17ac78ed46

SHA1
1e3904515492976e930a5b61708a591f5594f00e

SHA256
0b178b4d44d02184d48128085d7473044f8f297b5ef5031b8433ba8b1f34a6e5

SHA512
b7831831b964b8bbaecf37bd00bab2a4be981be42f128d4d2d80479f9c60de18a296bd780a044017744aade0912f633d49f2499c579338e61c3cb04f7c738de2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
843b62f30266960a686b0733b0a7801f

SHA1
5cf185f2389ce54301f45cd74bbd0b70b371089b

SHA256
ad1f8fd36d67466935e5492dbd499a484d1b6705aa4928bc62e481a2ce9c5b69

SHA512
b0e377ab1500dc6978b3737f52ca7b6fd17102d0d009b7affee24a61fe198f8a2b603f1491b8d9c2b220994738a4bd760e2c9a39ea781f94d338a4c0e53637dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\1eba4e95-e15a-4e59-bda1-3f2be0c10146.tmp
Filesize
7KB

MD5
7434b0f297d516a8d5908a6b0184ac17

SHA1
1bbf05a2cc31b8cbea6676e7d7449bde051c4388

SHA256
ab1c37f70c6a41e977a701d6da995e200e570cef1b82f4380eda45d1263954b8

SHA512
97b45e1dfb09b9d5aea892f6fc93339bcc744a01666a53e53c74dfbe0bdb060af09a23ca16ae7b70d22bd4e9a0c8334fed5e7b465a402792581c0a1c513fa44e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
Filesize
649B

MD5
356cb2299701fa874a4d1caf832852e0

SHA1
d83a681185a763d9d7430b3f2986a03f3f07c48b

SHA256
c2a203d9106aaefdfab08a1e61faf0507b8ec320e08d7996ba05ed6a296bc9ba

SHA512
05adf8bfeb04767527b10b1333cbb94c54acaea5311420fe2a390754d1509f78962acc3bddf2794e2e015af5a6bc653faeecb93f3f8653ff6c472bc4429f78b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
192KB

MD5
a8cf54419129b874864cf206392ece0f

SHA1
2d8f78e5d6951faedba3257d5794227f34c50967

SHA256
b8a7649c907c010db609d7143f3f0601a385b9cf803f4b0bddb449c41151cc1f

SHA512
02a77857be5123636fdc44791f6cf7a4532fa53e34576be7f6ab21da51ef400fc138d7dda6a2880b2b42ddb22a803a1897e4f95ea3479487af61a199c7929a8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
e20e6700e30535f43c830c722b3396d1

SHA1
4e71eba9574741ad0ada1b408214ce958eec531b

SHA256
f413fd25f9b4ff5f49ec2d36e060d59d805ec147791d08217c3063ce91510494

SHA512
ff858113c524648d5e22e4556010e204c220ef47ca63780a9a7ba4f2b90c3af74e3618a8298b69c506607c7251de614d36680b0e0f6a6e81100d40504f795396

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
ecc32e0c1005933abcd866d96acbc2ff

SHA1
e366b6b4c916b37ab6f9cc6d383d18509ee819d7

SHA256
38cadb74c61e5f7315cdad13b7d2c17cf9b02cf45bd36f502978874a12086209

SHA512
624a5ff6b689647cdf41d95660cabf51c9e22e6cb1dd0aa2cddda4d3cfd3992172b543054c44f9e45796604f97c2a03e69d0d2cde0495e62c0d0d842706f44b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
ce443ac329d8b885ceb5c9567de745a8

SHA1
75b235f7c887e4ec0e73c95ba6ad97bdbbbd967d

SHA256
85c26ef556428e3aa0fc7a3e0008b408daa3ce860b7f525cd712a0d4d10a62ae

SHA512
84b6b9f156af37865011a87b04aa1bd7242871c54d859375dda10c4cd50fa025b828e2d04163da8e5db8c4f02d792f3ad65bb812112b9b8c7fb0705429ae6318

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
69b44e29cd4bac91b8f399a0300c0922

SHA1
11f1d812e95fe66035f139883e7d78940dd33717

SHA256
81b27b0b12ae7e0aa0e8dc32df360f2be1f23b8b83a23e2689d618a94cdfb3f9

SHA512
155cbb3e76da2436f543e95d20ef26c25e703248f31b293336b9ce3b865b53c847f1b1c137abd2671bb849044878f0b5b8506a1d0128f6f3a4f3cb473be77170

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
b6293797a7570051b28e48bb585fcc4b

SHA1
c7d1107f25c88d092a98725f36e5182385213aee

SHA256
66e6056c2b192fa7222d989722eb24640cefd2673124d54aae92c6a5d252cd57

SHA512
f882171e069237ff04d09608b0d7ab2039fa5664e019928a1ff2f99d2ad570cff3e49dec06f9b5d1f2cc79660a42c93dc3509a7d6b9203b2fb36b01ea3acd32a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
1e3dd2a88c60c2d01638235674aceb7d

SHA1
50b54101846646dd8763818e357b51731e7b0d0c

SHA256
b4c63fcd8f1485361bbbff9598f84bbe6ddaf76d204e0a985bbdf3071e1f3ec4

SHA512
28f4e656cf1827d84b5a47d3df9d28cded4c6e9cb6e810c7fadf4d0bea01dbf5b1de930586ec00f06a8216037acf667637a2df02fe8187c26ad7df0ebfcf1eb1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
73a9c54aac1c34fe07d9ffcea3aa3b59

SHA1
7f735166a4eba10acf3c9e1d03904e9a8e62d506

SHA256
6ac3cd81241db037a62ca152642acf773d9a861cc785326136fd52bd7998dceb

SHA512
e58f24ef98f1f86afea7e6afa39ca7bcca405f03531cecd1dce244913892251fcf876762aadf802fb38947b3fabaab5d3af7cb6f2a0c4d75a5bfb0e86ae8e579

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
1a420ae9d20dc02b068a186effc6231c

SHA1
a5383eef8abd7ffcfa3c94d034d182f4a1da0712

SHA256
fb04611225b1b0d9101fa702f6456746da5d185111bcbfd585d4492d9412b254

SHA512
f94775708cabc1f564a908f3d2e3e6254d1de125009ff6659c681fa98a7dfd25800f0d48d247e586a269f2a1666dfab2aca5ef128d89a14460c6a662aacd61a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
2039cc783f47e4d294afebaaa421cbf0

SHA1
18952adf249fea8fa9aca200b71d234960de19c0

SHA256
92299b032a66b23afc99a845d7f2eba59ae4ce4db8a8e16b82f3db315ec1b1ec

SHA512
96f1dde3f0006028daeb6bc847e54165276e7cf7362278f7ed25622e549c4bed1179441f198864f71e1f236f573789c755bfdb5dd729137546dc419ba9782117

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe576d02.TMP
Filesize
1KB

MD5
69f8a9665c8123215c07fdaa0f1bf0c2

SHA1
1b2debf8c91062f49114dd637b86a231b588ec7b

SHA256
86c766084c1d4cc90e2f55d44636498026d07c9c558963f1555f46bd392c794e

SHA512
80f64ab132eacd012ca7ff52c54a8a04687f938360baf50b4d00494e4733d242661abe0ad5bace0a026796fc953faf574be8f7a39202f8800a608eba2045346f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
77KB

MD5
16f63ce8a598a8d1d16735220b65afe1

SHA1
647e0bea6c23885308148c713520a9466aa359a0

SHA256
d508a510052b023d612090ce4082b6aeed31f1431d7924543cae02fcc780e8ea

SHA512
04f26bcd45c78fc1c265bcd9334bd0491391b49a1bf14d59532cc8b269e5b96f8b52adcec35c16169765a93779511b18487dc6f3365f2e194d92fbb24f888679

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
77KB

MD5
30bf71b7a171155db9c45f3cf54b66b6

SHA1
959869cc9c960eacb1797bcffe9abed31476fb32

SHA256
de75ea7d9edb15fc7eea3a2af73579bdc2d1e67ab4ff3ba93fbb4d62ef130b47

SHA512
e937198713c244dd8d4b25b0d5b9aaec72b390acb4646dd2ac553674e5f3a4d94d96f26c4de8307143e4fe440ad05fd6c95c988b495ccc28a3eff269616a9975

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
7KB

MD5
410d8b27ceaa905488fa248a56b02681

SHA1
98fed5f024bb62f12a01fce3cef810a98920f093

SHA256
2682683616c1a031f5301bc74237717b4828914ba4d28b261786ab8415c71f40

SHA512
dd8ee78743a2d3c2cf2ffa444680d0fdfb749c9da4b38680057ef86ab20b9edb760cb8fa6be089bd9687d8172ba7859b1ed45b1c8f3ed5b605ecfc49b75113f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
8KB

MD5
a44196c37c428f9ec6b2f0fac86274d0

SHA1
319644c6d6413550d15f082bb4c626c87e7ee861

SHA256
c3ba3a91099646cc24c9e6acb105ba3e94bef0425aae35a0a910cdc7b0c85c27

SHA512
ab88afb29f7c878e227e0b4300259b540f01489c2e3184f3746bd098df6a66483d3aa76293f20080d97e347a3059cdc5a5edc7d34505a3d1b413268f9b4ca8bd

Download Submit
C:\Users\Admin\AppData\Roaming\42ec37dd85ca13a2.bin
Filesize
12KB

MD5
8305d51b08938405dbc928ae273784f5

SHA1
59b79643c73a0b9aa1df49afcc125372544329a7

SHA256
1526400c7de5595f746e00f8286597932898cc6835327201e24f35176ff2bd0b

SHA512
1109979835f70dafb653ba2e4272984dd9073d0c3b05a938ac9453c94b82c92dc6ba57f8655a5c76430d3869454c7ab2ae6aa6d8f674bfb59742a7fc8b9e07f9

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
73d80cde6806820ae2654d4e09f3823a

SHA1
bfb0b92dabb35a07b028d66278f92a43e875baee

SHA256
792dd507477a495bef17cdf574d4c852968e1be439e82dcee9bde9f3bffcc68d

SHA512
3ff3dba6ac641797dbed63d9d0218073d3637b38fab4775a2b79ae6bb7a283a00677d9c172750c945923f07fdfade309b8ed64afa7d62de5ab406556d7c671fb

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
d5b60edf15f738136e31644b9f2ef28b

SHA1
2a99b7b0cb091237a51e4a73f294ab970873d593

SHA256
1b0f3c309d2c68749b120f88543d48c4c76a8a6ae5fa3923ac4714a1ccea4f0b

SHA512
540dbdb11b0a5fa7e72e20ed919eacdb1e362c8416ff46ffe8870b1ae900736fcf166846d27d9096f7810c71af8033434f0ccbd1cee53d47bca87fd0e81e08b9

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
5ace7383c53eceb7c9c56285a19b2128

SHA1
33b0b47b6eb46bc1c6493332697c625c90226dcd

SHA256
f4d922004744d300729b9a34ebcf75704f9a3e3def573cdc20dc488593c6cbbb

SHA512
c207cc5dc8e8bf3a94dfad9da4bab93eac0974a793dd6b68f653d445f211cf0f59fe51cfa5da4c88aa4b2ffc9b57ae18aec8e605c6bccea7f48f44a612aba3e7

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
cb003d438a8354106eaa912f0f06400d

SHA1
caf94bec0e66eb09b53a1ebd6e448cfd7b398aac

SHA256
8051611702e313c607ef4db0755f2cca643aa513963203fefa6441098dc49fa7

SHA512
67576cdc28053d9d1872b8f8050307928ae6817374da311e4cbb8a3538f70cbbaeafeb572e6bd1fbcef4c52c2b331fe579f1ead79842fc748444ce2157c89fef

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
617419bf11c445b46373e89dc2bb7b59

SHA1
744665343c6d38e18856b479b65b3dba4dcbcde3

SHA256
5f8eaa52a1cca47914fdc5dea08e64e7c638ce7554f7f5cfe6cabbe43bccf88a

SHA512
b9d2d1db185f1a377e5c8a8a2c1ea7e92116373c3c88780e65fd22526dc77148c7a8b30b7833429cf0fdbe4b8eb909835c3f921d3951f3483bd593b6fb401835

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
160e7f2234d65499052fd97ee3fa333b

SHA1
af7bb70f30f10f37938800f9e94d3169e0c4118c

SHA256
0475cf0a3c2400452f6763c85a0454e7e82f67e5c58c7f15f696de9b98f39833

SHA512
a3150582fdb073c73503459013aebda97f512a9451c6edf830df651e4976723a8ba0802a27f70dcfd16b051ee3bd87ccd4382b5b1781b7f7c828e1b2eb4705f8

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
df2f77506f3f93fef38c42df9c512b58

SHA1
5b30fe3fdd910817682956217e5b96e22586b16b

SHA256
d58059e0573a728cb22151cff63650bf69773dc54e543bc952c44fd1c02e7cd1

SHA512
976c035d72ad811c70063150921fe2a3242af146b6aeac3998b7d834247fc561216d69b592814cee27d5bb871d8564d1ecc20933ca3dc5c07db5c55785c63e67

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
8dbd32e51fffac1ad69c6ca678e72704

SHA1
a8beddb5d73845fce53bb3f2901ad7e27792175d

SHA256
01a8f136de343fd9fc36f67563e5c780ad344e8a6aacd28754fded520ec4baef

SHA512
f0cb1be5246862934992dbba3aad04f01b4c523fef84672f2425ac6293f3f7ec62852bc7f985c915583fd0c24fc3b29a9822490d92204e68595c1cc55e451c04

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
d581f32b85784d0145522a50bdd6a6fd

SHA1
82be93fab1756352e2dbbf41c7b0d47b4865c421

SHA256
0e78ca30685c389e709d6f1a1aaca2559cc72daf9a98dd6eb43e4f86f3b14603

SHA512
169d5be365da62d6b365007383ec6c76d93c00667a69315a475438df0ad699701512faaba5f4e680d478b1959f1ccd709a84fb4bb04f88506f916e46d9844cc2

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
44bb1074abc623fa91372b0a6aaed4ee

SHA1
f184e2c4ea414e8a84e06bde63b07b05140c6361

SHA256
d5fe5ec6ad61132652dba2e8724b15307c1814fb70229ba195775ec8aeea1123

SHA512
06713392d3d7da9c60381775d0042ae46d45f46f7b813662546b649e5153db807246655144802141a74629a47054fb22ccf6b9e837cd30eb15fb86165ad3be08

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
cd981f52a3176d9d11129111fc97f507

SHA1
78fea68c5d45b9360b86845ac8ddb913116689a9

SHA256
9dfae39adbd233bc26d485197631970efa9cdfdec0654cd984bf688bf649f2f4

SHA512
8510ce8001acebb3cfede8a04be8c0c59956feffda3adbd108b9903304e65b033bad2d198db38bf04ef81ea543d2f0dee32e8994f5836da65ca53d91c660b6e8

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
82ffa07ae692e9f0b7ed79ad92469321

SHA1
c685ce93432e3143d972463519d000bc943cecbf

SHA256
b4f5861b3525eb42a2c22f955ffa8ab210d43900f8e8fce8ca8ed795e2975054

SHA512
d0514d626f057610bb190a4570626557c4b0c0bf20508935d60bac4fc7a5ad56264e1a94f982a215c1c25e318c12fbb6f4225d43553c58d85872284c9b8049ee

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
2497438f0bb91aef6691acdae8b56bc9

SHA1
10a48af15cf3c0e472f5101158447761d4179768

SHA256
02901b537cd3f29a5945f7714568f802f724756250faf515b5cde408bd57e2e5

SHA512
39a93c6e047fb7d8c34ffce823152d290795c1ac5fd7ae5625fab4cd5b5696cfb17846d835e29ec88fc9e261d80677dfd515f558c68385b83eee7d069a2372ca

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
789c77964d64bca2b5ffe124ab2e21f9

SHA1
30fbd6633941faf084cd5d87f225eb8754e1b02e

SHA256
191623ec6b41db803f8f7a3f3e38eb0556690e53111e336ffd13951a3269603b

SHA512
e8f10c88be01fa57d128a4d4e749a0574f4b3fcb8e2a9cc6a2c38370609c051fa442696e004ba0240cbc12578ecf5a1aab66c0fe888576abf3f9e3841603f7d1

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
d2cd9a02a6f94f21c77296100a1c1476

SHA1
9a4e9ea3dcbc29a91c14152bc8fff582f8e08de8

SHA256
5d08d8ef06cdec76ef2d2a42168b8e65ee5c8dfde61b5638859fdebe297a4bdd

SHA512
3394edda6786ae750c5bddabb26dfbf391fca31c759136defe3ebb12caa0460c2bca12c029a43177634f7542329bf07f86ba4299e4b5a96f2f0bbb5b32b5c7d9

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
b0979be1cd2c34c715197b2799d493b0

SHA1
ecbaa6137167f798b6fc6c2b73658d8309e6b1d8

SHA256
c29332e6342b3485ceeccc7e776a81590dfc6f313299045ae6da3fe161849b1e

SHA512
b33415c78f0d142128a70b0722fcc0fef004ff167a0fd294eb4a7d95c58b648e13bda13a4bd8197894134255fe7781451f778dda3d286ddb3364d35e75345beb

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
6480243e4adbb8454f7d6ac5eb0d9262

SHA1
d001b21c36d1c60a483b38fc62408a69196539bd

SHA256
cfca6d942d4ab74cb1f82b01e5f703825c67779ccb9339c0788f9b5f4f9a8993

SHA512
bc1f13a4408400c7aeb2d17798fa568a44694effc0d4ec300308995e726d8507344f6eee37ccbcd20da95bd08f7d1399d69ee4a507dfbdf278e5f954336e1a8a

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
5a31f2b780ef3563c88f5b2a56075005

SHA1
abe387f64749f9d442341be1feb7a8f31565525b

SHA256
37cb73d2fe370c9974b9d101307530579f4b966c96947d59cd211fdd060d2249

SHA512
baf9430b4457566786c31a5fd8198adf124212a37ef294f65711c04c7eece50176c1fcf38b9962ffa99c60e213f2c496db125400e70dcd26300cc7f7e2b13963

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
687a42b804794efb747d9128f9ed4c85

SHA1
24668fa408ace9c6d867aaa088cf4831dbe5a1fa

SHA256
ed31847c5b8a09e4d0e245954eddfb11343d0146a8f88b361f1f1104340dc254

SHA512
fff60acf4a601fb6c25e86e319b2ca380bcb8de4e59a8aacc833a41c898fdadac5d4862c86fc651d26bdba4f3f157fc32dda9e1075c6bf605a9212643fbacbee

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
d0c6093556ce49271d09b35aa2f8dd2f

SHA1
f03dc7dbe021ee52bedf616098457828349bfd3f

SHA256
41cdb500163dc5fdee2686721678d3ec1ee2512d40f9e52f04d8a8af1d7457bf

SHA512
b88069b4d0f34fe100ef10454962c4cd87c632e441fe2987a911eb585db3bee275a1958bd7eea7d0b6defc62ec2df686a52205bf00e334ec7bbf1605be6c54a4

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
0dd487f1e2284ae074f640572bbb6d86

SHA1
a8218ced23b9a17720c700e8c4a707cb2360cf86

SHA256
2e5f2aa9824fa055ccdfec6b59769eb0a25b5ffb3a2ae01ad40b2a3f93422dc0

SHA512
4a35ca7bd79734097fadc0fec68a50e59ba00eaf1798dd84e631ab2846e62cb7510499dc0eb06bc3933868cfcdfbfdbb87e88f9ad1221ceee5ca90eaa0c10e81

Download Submit
\??\pipe\crashpad_752_IWSSDJXJRYGXNKTW
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/456-323-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/624-309-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1168-320-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1320-314-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1480-38-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/1480-8-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/1480-0-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/1480-9-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/2292-319-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2384-20-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/2384-546-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/2384-21-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/2384-12-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/2440-313-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2440-591-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2624-328-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2624-659-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2816-214-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3524-317-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3580-324-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3600-88-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/3600-100-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3648-84-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3648-657-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3648-307-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3648-78-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3740-63-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/3740-57-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/3740-103-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3740-66-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3760-658-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3760-325-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3832-322-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3924-311-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4100-310-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4112-305-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4164-308-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4580-39-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4580-29-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4580-608-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4580-37-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/5036-68-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/5036-450-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/5036-74-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/5036-306-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/5100-54-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/5100-46-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/5100-52-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/5236-559-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5236-737-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5872-581-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5872-523-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5980-535-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5980-727-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/6096-548-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/6096-570-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download