d9d24a68941b9d4dd50a50eceb1b3f72cc678d3d2dbdcd6c8430eacaf2962034

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
27-04-2024 18:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
Size

5.5MB
MD5

8c3646284e0e71a39781b547c92bb8f4
SHA1

07dbc15d8bdb89cfc7ddb8f667dd7b19cb58b34a
SHA256

d9d24a68941b9d4dd50a50eceb1b3f72cc678d3d2dbdcd6c8430eacaf2962034
SHA512

7bf5ca3c43ece4051aebbe41bca85527f0c6f482d8a0b0c084793e181f6824fd7f2a815b0fa21496290feaac161dcafd28650e6a57800b16c94d3370a890ec15
SSDEEP

49152:lEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfB:5AI5pAdVJn9tbnR1VgBVmhOkf

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
1548	alg.exe
3288	DiagnosticsHub.StandardCollector.Service.exe
2024	elevation_service.exe
368	elevation_service.exe
2668	maintenanceservice.exe
4960	OSE.EXE
3736	chrmstp.exe
888	chrmstp.exe
4744	chrmstp.exe
2040	chrmstp.exe
1992	fxssvc.exe
3948	msdtc.exe
5000	PerceptionSimulationService.exe
2260	perfhost.exe
4672	locator.exe
4784	SensorDataService.exe
4140	snmptrap.exe
4532	spectrum.exe
3128	ssh-agent.exe
3536	TieringEngineService.exe
1684	AgentService.exe
3884	vds.exe
1252	vssvc.exe
772	wbengine.exe
4508	WmiApSrv.exe
5196	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9c42e19dad45b396.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99140\java.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99140\javaw.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99140\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	chrmstp.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99140\javaws.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001dbbc383cf98da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000059e2e484cf98da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008d6c5f83cf98da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aaf48783cf98da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b794d684cf98da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e6a7ca84cf98da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005881a983cf98da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000023875a84cf98da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004a59c183cf98da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
5076	chrome.exe
5076	chrome.exe
1408	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
1408	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
1408	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
1408	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
1408	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
1408	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
1408	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
1408	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
1408	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
1408	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
1408	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
1408	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
1408	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
1408	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
1408	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
1408	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
1408	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
1408	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
1408	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
1408	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
1408	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
1408	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
1408	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
1408	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
1408	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
1408	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
1408	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
1408	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
1408	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
1408	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
1408	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
1408	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
1408	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
1408	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
1408	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	744	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeDebugPrivilege	1548	alg.exe
Token: SeDebugPrivilege	1548	alg.exe
Token: SeDebugPrivilege	1548	alg.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
4744	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 744 wrote to memory of 1408	744	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe	84
PID 744 wrote to memory of 1408	744	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe	84
PID 744 wrote to memory of 5076	744	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe	86
PID 744 wrote to memory of 5076	744	2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe	86
PID 5076 wrote to memory of 4552	5076	chrome.exe	87
PID 5076 wrote to memory of 4552	5076	chrome.exe	87
PID 5076 wrote to memory of 3872	5076	chrome.exe	93
PID 5076 wrote to memory of 3872	5076	chrome.exe	93
PID 5076 wrote to memory of 3872	5076	chrome.exe	93
PID 5076 wrote to memory of 3872	5076	chrome.exe	93
PID 5076 wrote to memory of 3872	5076	chrome.exe	93
PID 5076 wrote to memory of 3872	5076	chrome.exe	93
PID 5076 wrote to memory of 3872	5076	chrome.exe	93
PID 5076 wrote to memory of 3872	5076	chrome.exe	93
PID 5076 wrote to memory of 3872	5076	chrome.exe	93
PID 5076 wrote to memory of 3872	5076	chrome.exe	93
PID 5076 wrote to memory of 3872	5076	chrome.exe	93
PID 5076 wrote to memory of 3872	5076	chrome.exe	93
PID 5076 wrote to memory of 3872	5076	chrome.exe	93
PID 5076 wrote to memory of 3872	5076	chrome.exe	93
PID 5076 wrote to memory of 3872	5076	chrome.exe	93
PID 5076 wrote to memory of 3872	5076	chrome.exe	93
PID 5076 wrote to memory of 3872	5076	chrome.exe	93
PID 5076 wrote to memory of 3872	5076	chrome.exe	93
PID 5076 wrote to memory of 3872	5076	chrome.exe	93
PID 5076 wrote to memory of 3872	5076	chrome.exe	93
PID 5076 wrote to memory of 3872	5076	chrome.exe	93
PID 5076 wrote to memory of 3872	5076	chrome.exe	93
PID 5076 wrote to memory of 3872	5076	chrome.exe	93
PID 5076 wrote to memory of 3872	5076	chrome.exe	93
PID 5076 wrote to memory of 3872	5076	chrome.exe	93
PID 5076 wrote to memory of 3872	5076	chrome.exe	93
PID 5076 wrote to memory of 3872	5076	chrome.exe	93
PID 5076 wrote to memory of 3872	5076	chrome.exe	93
PID 5076 wrote to memory of 3872	5076	chrome.exe	93
PID 5076 wrote to memory of 3872	5076	chrome.exe	93
PID 5076 wrote to memory of 756	5076	chrome.exe	94
PID 5076 wrote to memory of 756	5076	chrome.exe	94
PID 5076 wrote to memory of 4716	5076	chrome.exe	96
PID 5076 wrote to memory of 4716	5076	chrome.exe	96
PID 5076 wrote to memory of 4716	5076	chrome.exe	96
PID 5076 wrote to memory of 4716	5076	chrome.exe	96
PID 5076 wrote to memory of 4716	5076	chrome.exe	96
PID 5076 wrote to memory of 4716	5076	chrome.exe	96
PID 5076 wrote to memory of 4716	5076	chrome.exe	96
PID 5076 wrote to memory of 4716	5076	chrome.exe	96
PID 5076 wrote to memory of 4716	5076	chrome.exe	96
PID 5076 wrote to memory of 4716	5076	chrome.exe	96
PID 5076 wrote to memory of 4716	5076	chrome.exe	96
PID 5076 wrote to memory of 4716	5076	chrome.exe	96
PID 5076 wrote to memory of 4716	5076	chrome.exe	96
PID 5076 wrote to memory of 4716	5076	chrome.exe	96
PID 5076 wrote to memory of 4716	5076	chrome.exe	96
PID 5076 wrote to memory of 4716	5076	chrome.exe	96
PID 5076 wrote to memory of 4716	5076	chrome.exe	96
PID 5076 wrote to memory of 4716	5076	chrome.exe	96
PID 5076 wrote to memory of 4716	5076	chrome.exe	96
PID 5076 wrote to memory of 4716	5076	chrome.exe	96
PID 5076 wrote to memory of 4716	5076	chrome.exe	96
PID 5076 wrote to memory of 4716	5076	chrome.exe	96
PID 5076 wrote to memory of 4716	5076	chrome.exe	96
PID 5076 wrote to memory of 4716	5076	chrome.exe	96
PID 5076 wrote to memory of 4716	5076	chrome.exe	96
PID 5076 wrote to memory of 4716	5076	chrome.exe	96

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:744
- C:\Users\Admin\AppData\Local\Temp\2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-27_8c3646284e0e71a39781b547c92bb8f4_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d8,0x2dc,0x2e8,0x2e4,0x2ec,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:5076
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fffabc0cc40,0x7fffabc0cc4c,0x7fffabc0cc58
    3⤵
    PID:4552
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1924,i,16293179867785919726,12841002237816458721,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1920 /prefetch:2
    3⤵
    PID:3872
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2140,i,16293179867785919726,12841002237816458721,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2164 /prefetch:3
    3⤵
    PID:756
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,16293179867785919726,12841002237816458721,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2488 /prefetch:8
    3⤵
    PID:4716
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3076,i,16293179867785919726,12841002237816458721,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3156 /prefetch:1
    3⤵
    PID:3452
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3084,i,16293179867785919726,12841002237816458721,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3200 /prefetch:1
    3⤵
    PID:4928
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4516,i,16293179867785919726,12841002237816458721,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4548 /prefetch:1
    3⤵
    PID:1228
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4628,i,16293179867785919726,12841002237816458721,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4772 /prefetch:8
    3⤵
    PID:2304
- - C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:3736
  - - C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x2c4,0x2c8,0x2cc,0x2c0,0x2d0,0x140384698,0x1403846a4,0x1403846b0
      4⤵
      Executes dropped EXE
      PID:888
  - - C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\initial_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:4744
    - - C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x2bc,0x2c0,0x2c4,0x298,0x2c8,0x140384698,0x1403846a4,0x1403846b0
        5⤵
        Executes dropped EXE
        
        PID:2040
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4768,i,16293179867785919726,12841002237816458721,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1600 /prefetch:8
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:5808

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3288

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2024

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:368

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2668

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5064

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2612

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1992

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3948

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5000

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2260

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4672

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4784

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4140

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4532

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4704

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:3536

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
PID:1684

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3884

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
PID:1252

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
PID:772

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4508

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
PID:5196
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5668
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
3dd97806790e52bc78ec20d234a158e0

SHA1
fc39af9f64a40052144efcf60fdc0118a2d1b5ae

SHA256
4432f5222485970b64e4f6451ff97d03a0a510770e3ddc56d4487ee8705960fd

SHA512
5c234a5b6bbd9f66e8f566eb13a8bf24bdc5cf1b470d0594f13030befd6d4d55dfaea87a2e4120814ae7ad7853e1ffc2fe777770c5e016f36ae17ea689ed2959

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
d33c46848d724909b446980baf48d60a

SHA1
1901642ca2c512b46cbf1ddd36de50fce2f239da

SHA256
9b6eff6a42c7d712f2cccff55d839b6c7adf4e0289d53d6f610f575dfc80544e

SHA512
60de17f81ecaad4b52c00534d4c4899c8b044b115f4e5cf743949ab2f479bb61f9bd8b036d49e8601d10b81fce3b84b21202309ebda13666155ec069e6b069d8

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
b53d44ef36777f1f2572da023b3372b5

SHA1
1d9b02838c70dc67167eb397d984405ff8d53842

SHA256
d4710ed3eca496c74033c962f98573a6e68781d480bcdf27fd894efd733e02c0

SHA512
2fbf886b3cef86a9bafb90ce045924c8a98ca42964731109a19ff0d775522a1b82b10c3cb8a6b522e7f5f5eb910cd2f4aa018edcd0e4b5890048ff06161a900b

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
2983f810f8987e02bf8672a20cbf1b75

SHA1
35c192d4420049028fc38f8a01e81da7149e15d4

SHA256
b01cfc34838af120552e694da5447fc7099da6d2302638cddcf977060a5a2cdb

SHA512
bec831f342aab6b2fd2e7e03b7ec542649139370ecd5b52eb826d413db1bc60c32d103edddaf67f56c4f8a5179640151315c59fd084109a7242c05eb566c8e9f

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
d0cf707c1d7ed36b152949a6c258cd2b

SHA1
2407a3ec02e7404d3ffd9fe8a736134421fd0c8f

SHA256
87332418f66e789a22aedf8cc70f864ffbec1ab6bc8e9aaa06cf758bb2232bd0

SHA512
3130095d936b7e983257a07ea46297c7e3fb9a89258a687f3c5bc715210c8fd687df9d0bc69d74549d4d8093cf847ecd0780b5967bacd01c4532b24e4183a96f

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
d3af602fcf1bfea926ab71c7baed7024

SHA1
1f704dd3efe960fdddc13612c86f4d4c7bf2bf12

SHA256
4de9c2f67d36e4a334d03309678430a0c89be02fd85ae3590c1664222b6bbe32

SHA512
99fceacbbc5a903043f4646f60ceac74f367395bb0139d1d32dd0c1a908058287b00c6eca399a7a07a60513caaa55ca430a8267bea56a971acb320f931086688

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
4ec7e045db0f88c1828bca7f51d205a0

SHA1
05e7d8f18ec66699154ffb4b9c7fe4e5ef791513

SHA256
cf2eda642489a27496f44d79e9b77885bd94d244cffc7426cf218e0dda17f159

SHA512
ff6c915ce7240269cbe55cddd02e0bcdc851312788bb7f81d350ea56cdbd0187120d90c2c7e58af6e13021e66acd27024b2e7416dc20027880eb3ce94a47b64e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
6daf4d767e8f2854942bc81f0af6e51f

SHA1
c1fe87a9affdb134a7f70db142ad8e1e633f46dc

SHA256
a10dfd0a8717182230d3b17a79e2fb217d2db0d009c85a0e5d820828b4f6a848

SHA512
eb1bbd7f6c7e43499e989ebb065d65c68af2f7eb0de569fb0ce6e1fac7529bb3f09e915283386961f354378e6e27a5e7987d81dd629913f96920c3c7426c3fcb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
4e947e760ad0e8a7bac8d6589affb938

SHA1
b87a5b055caf17d173c78e3354743602ab72005b

SHA256
e75577667639b8f4049d97100ab4250d260f290e0b07ea51ec63517f7710f1d0

SHA512
6ab5c3ff064625cc436c283a694fccb8894d6cea9830814558a2def75a9acb17bc8232603cdcd551bf7501bfc63cee7b35c7910abbf6d734e29802392f3c5640

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
a8a9b9ea04605cbc966ec8f751ee54a9

SHA1
630d30c1edb17b21957dc75e6788953d15acfe85

SHA256
c37d6a53c3a4d11d18bd908865499a9829866a079f8170486c5fa910c8b61dcb

SHA512
d952884291fc8fb63d2a7956e04969a1bf0b417c1ba75f40a16f8a16abcb41312de10125c327ff8923f09b69700db74d26502074410bb696ba7f4d3218377a64

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
c9343b2b86528a9a2421affdef6b36c8

SHA1
29eb73a6ffa879bb519bde09ce1a236007d4783b

SHA256
9b4c3bc5c1c76da5a597c2d85ff300e848425662ff1db9c11d62070294e16b31

SHA512
b5c384d351966ca5dc4c78573198e64810f09be1d463385773219ffe14e9d00083ba25bf6d6854a2748eec50f4b789be1d8ff6c3856a4b7f9f6ccbb52be03c8e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
bdaa09d4c4ff1f7805c2cf3b61597ffa

SHA1
982d159268c40bcc7cfd8c3b770340bb93bc26c4

SHA256
9c997656f778b86a2f8123fc8cc786bf90af08567eae0c4245accc30b2ce80e3

SHA512
690da384a2feb45fa3bbf198d32b2f5f7b89b8eabaa153ce89db56466b0ea6d683c6d9c7706b2cd012d2adbc9fc801f00b231a39e3196f647c96a92660e05472

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
9c842026a56907bd9801c416daeea839

SHA1
b2d66a0188b5113a982a042be0f9d30926e75c17

SHA256
984083b6c4fc02d21d7b2dd49413ff318fe152b967bc51ddf0d2335640090ecb

SHA512
71648f8c4aeecee7f82857d63dda2d39f096ccb5a6703b6c0c885aee62ac33b4e20dd1978b012b3d17d642cb74d94348ba2440efe0e3351f608b68d4cb986575

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
32431dbb3b289b7ac5ce0ab4fca91d4e

SHA1
59ac69237aa682dc34b32352e647b32bfa5a6d3b

SHA256
16b20e5974962aeda17243665f26dd9e138fc2361fcef16525a77b990e7e6ed5

SHA512
a356abcb4afd4fd3f3d92f863a16ecc078578b5a307cd8ef4f4762e264d21b212a33a75230fc26a6f30dd71a9a0f0010cdc0c09abd4f73b3d3376c7d6d32fd77

Download Submit
C:\Program Files\Crashpad\settings.dat

Filesize
40B

MD5
a9c314c99d70b843d50e840f2c5d57e6

SHA1
6b60cd952225bb01b2d32a555f045bd95cfe45a3

SHA256
20fc971605b00e9f82155583ec063ff6d66667add4a24af1759f5534d4e2637d

SHA512
5e6f3631932d1e5d946d7d29231a22f0db62f1eb9406dbc182bf229ae059ac088a90103cd82e286f8d441dfd4d2ac54973abcdf8753458ecd418f2f03a5723a5

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
29359df24948058e3209d00765058bc6

SHA1
56b26a9fff12a8cce49a5c09594e3237eb98b664

SHA256
61c15261b6ff487ccc3f20fecb28264e9b6227625c695eebf976ad08fb62d1cc

SHA512
73e1a449c92c1ec243b04d989433f7b1e1955154f72c7dd10d1f5f26925e83ca460943dc657aab48b528a644ff27adb01475c6a9c31698e863d87c4e1c5b4330

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
fab7b92bc941254f9351bf7681ad9506

SHA1
2b78bdd2421befacb86ec5ee948af4533144ee12

SHA256
c4b9724fd79cc295d061f49dfc8cdcaac6e4f70b2a037d633a8ba8cef931b638

SHA512
c887b6bb721397c2d6ed20c02931e87354887abc7bc61b4f0f09719f3e8cbda65f43e5b5761792ef35b495c577b4d55270d87d2acab7213861612c9154a08d84

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
94d7b710a7682880103ad7551e88496d

SHA1
02b0a574c35824f7ae1e75b329bb10c2c97a2565

SHA256
a039ddeb3d2e545bad1aa47d4b1dcca7c44b8125f8869283f5d10031c60f1511

SHA512
7fbdcc6d24c7cb5cb3aed4603cf8f1e966cf54bca96bc963b8854c5b2157f2f6e391dca7573a19f9a596e05198ee38962fb9a2c1fd4813f483d49e86463ce91b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
e63df28020860eccc1578647d349f4ba

SHA1
b6c8b4c8487fd97a6ebed9c7b03cf0969ac49126

SHA256
2302dbaae7041ced5e2e0711c4e4be208831e027bcfdaabca48dc8867a9545a2

SHA512
f86b4dd178ec3387707c3413204f6dd9e8e150c9225a0e2f2051e77dd4cc274444af3d0640ba0a5125e3acd6b6ca8165f239a97c6f52af28ae1ca2b8aa97d79b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
923589b5ce938ab9d9c5e6c8dd1d955a

SHA1
43d1256bb377fe9f2b0edc1bf42e3c485e4fa55f

SHA256
83ec5c8a8dd8148c8315b476d8fffae978ece6a105af68570bd32c1b916a80ac

SHA512
089196d31479ead6723157782935460d295afdb8cca382b9c664ee40dc320f1da9a28c61419bb66ee9f4a2859da1dd0bb89840aa200848a8eed882deefbda5d1

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\dafd591c-f3e8-4e4d-8ccc-48c6573ec2d7.tmp

Filesize
520B

MD5
d7bdecbddac6262e516e22a4d6f24f0b

SHA1
1a633ee43641fa78fbe959d13fa18654fd4a90be

SHA256
db3be7c6d81b2387c39b32d15c096173022cccee1015571dd3e09f2a69b508a9

SHA512
1e72db18de776fe264db3052ce9a842c9766a720a9119fc6605f795c36d4c7bf8f77680c5564f36e591368ccd354104a7412f267c4157f04c4926bce51aeeaa1

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
e33ed7294f2c7be5e14129e5c05b5eb4

SHA1
855c016da2abb798297e05926f8fdc4b3abe849c

SHA256
fae19c4188444559b99957d4aa5ba6140ae2a5f6296758c6e4ce66b8ddc1828e

SHA512
47ea00972bea9498a85aed8fb882bf290787a07d7cf99be524b67ade58863af15f00fd9947e74bcd6e392dad3fd5f6beaa4aea078d8dd28564f5fb694825a36e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
33af543d76da7477cf042c0286b91874

SHA1
de3512b1112f9766be834d02c51bfe22a1733d17

SHA256
8eb5742dc6497cc287c7f41ce5b067ba113e5f30305625be155d558e00276b59

SHA512
115a864a47216d9b97128c98f09e9b5b45b7828fb7d8139491244fb39b6ea093d310b7b90c74b4baeb891f4eacff8e128e8f38c428ceef6e34e9de0debb1588f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
111960814a2454e09229411e5daf554c

SHA1
5d0a91578de4aebfce755cbb53bcd36395dcfaff

SHA256
cd6ed384b1a45ff6d81d2a9fef74003f5f13c1687b24e1fb133c0c1d9c3b7f86

SHA512
841c40ae2f748a519b2d78984758b0f89f8e7065b153851fdf84bde1d0301e7c8a39137b2a27a943e64f7cfa5e64fcf94f16d7c8a35c511960760a80609b718c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
12e952fb2f6c87ff1c21b66b30838ee3

SHA1
9a215e01f88f2ddfbae85f8674ab79b33c8b8874

SHA256
90069cb1c2987e15701bd75bbf5a05f5f7ebf818d77389815dbbee317884dec6

SHA512
fc15ad284bd32dced55a861f4966953b94755f5e55866e4fe947e778a0720c1ed390f896ddbef208be50e98691fb5003c62046e86303b4c5bf5ec8e535c4b25c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
a8dee840a4c3c14b73ee11a57e0c6869

SHA1
197cca56b1aed3d703189a2ca5f11d7463ceeb8b

SHA256
53ebe144f4990e0d2bd595b1e2e6e55652a27e1767f2292f67860f31102b728f

SHA512
4f0dfd08f6d7225d63603a0c776447557fecaa2a0de3b4db0345b194cfe56b11664e798e7f28a38b484e3ef26288fa3d47fd0aa63377f75b4811c4038f62f5dc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
404205091c9519e479a938e11828674f

SHA1
ba4424d260140e29ceb0212201be46ef35f9fcff

SHA256
bc3233bfbcc30ebd08495e4722588435d1ef683b87efd0d07aecd4dcaac7f4f3

SHA512
4cc7d63f7ca94cc1be2b709c507c6437a84c2161e10303d21e2be14817e55663bf1dd1caf4acebb69c2fdbd096fba682f39cff92d2e73653053fcb3c03056d1e

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
47bdd576cebf6f0448a130abcb4b8809

SHA1
4b25119e4cf54c4b78366b88d3b9322857d4d29d

SHA256
3c6d580d0453c23a9adaa22373b478113b8397d253ffdd7d28ac799150a5bacd

SHA512
2ebdcdc0d07201dc5c860d455e9a46bf299fc8d3bb55cbde5a789319ab9e34b877951cd7276364e1d89ffb84087b877f90111d1e5da2a67b39c24722fae28332

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
962b3db79819d18088fa662a4ac39dd5

SHA1
d278d004062369e63f57acd497fac02ee6a89ff9

SHA256
30dc11f651fd26cbd8236e414b934deb72ed6bbe16d681c02428e4b1185eae19

SHA512
13efb580ea6428142ad1ffd1cc5a95bc26ee3bd60bc34e9694b157be6c1965ae19e753d48787bcc0d0ec33354d1ad1b85ea557a12eeebe9b528c62f7e0401012

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
3d9b9e5d07e805d9f84ac9e1b10a6ab7

SHA1
138bc9c366cd05051fab756dcd5599217ad2568a

SHA256
497a4a308ebf2d63ee0ad45d2528fbdc39604e3ca1c1aa815c92e8a7a5297a55

SHA512
a54e5b20fa05946d0b12b9efe4ca39e54ccf754a6531b5094e75c8d6e773d34701920f19ad754d34d97bf1cda287905535fd7f236f4d9cbfd2c9bee5a683e665

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
192KB

MD5
a8cf54419129b874864cf206392ece0f

SHA1
2d8f78e5d6951faedba3257d5794227f34c50967

SHA256
b8a7649c907c010db609d7143f3f0601a385b9cf803f4b0bddb449c41151cc1f

SHA512
02a77857be5123636fdc44791f6cf7a4532fa53e34576be7f6ab21da51ef400fc138d7dda6a2880b2b42ddb22a803a1897e4f95ea3479487af61a199c7929a8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
7e4c01306d22dd85996eff16e601d814

SHA1
7db319eb65985a3903a2c93d0d4a9cc25e8101a2

SHA256
d463501080a51fa3f0836a54455f194331276bd0456d761c94aa1b284ef713cd

SHA512
d4d261cfccffcec829110d5def3fec4ba3b3b1997be5436aa73e0247cae467515465d086cac91924df73f6e9aa05aa95560bdb26b14bda63fc571be7dd467c26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
f1dfe18d9da3d5c21baa55e802bb2d45

SHA1
ee4fd2f87234adc48a9f2f7494e29510ee153a8d

SHA256
f66c245c4da7ad55360fa0b0c1bd981f64eec6cea259a7ff5cfc4ed1cdeac5a4

SHA512
da271b4255cbb4e8699d4594c87c55d4300644afcc6d3ce0242631398d4acf242bea3dc7717e591d35fb3ffae64fb2de5dd58293dd729d94aaa178275e4c4b39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
e6b8910d7b1d1842460d7d57fa81fee9

SHA1
969896f49fad9c760661f75854e539206ea475ca

SHA256
fa7dfdf8728a2c3b90c8ea76716e7f1e5a16a4000fbe62d80cb5f8ae33e314c2

SHA512
bf9efb6363859ae5fd1602cc196d8e72d66c7a0dbfa0d8bc70b361cb667cbf02c29e1a7123a9dea5ebbc0f8c016cf70636a824ecd4ee3f678cf638fecd589177

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
598dce75c131ebfee67dcf6c39359b41

SHA1
143693ef7359e995348c07015d053bb7f5f1a138

SHA256
724a0ebacb189b4a6b24e3eec5f8aa97136e54b86510d8e7210d186e50c5f182

SHA512
26694457ae3b510bd6430ae9d9db2d18eeb2a4b1ccbe69259a91fd221e1529ff41f405f34962b97b884b0d8bbba8d95be5a810cee5fcabe8f33e1054b4f691ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
aef7afe09f22f7509bbd727d9afafb14

SHA1
e769a94f34995d50ed9fff567d97220ff1430c00

SHA256
417bfc75b4706f2eaa637a913689d1742a0558cffa0b3a88de2796ce13a5dfbe

SHA512
48d4eb57c8982a271a12e8b849d8b3528608445b304a490c08e0246d10aae16dd5bdaeb289c04229fcca8613f1653a974e35be12a3a74d92f5dd1502948d055d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
b1226863282110d4d96a8e728c21ffe2

SHA1
e375b5b5931120e4080064a1ce3d0fa31dacccad

SHA256
af74c1ead066687a396b6670391d21af4902e56f1c0417fd112ab6d906b91c7c

SHA512
c13c602c5a2c39488c1039ccb73517157e984ffcb1e7250b865651bd2a4ea65be645aa81887acd75ca2773918dff29b934f7b1fd8b6a1559bd4f6a33aad50e35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
b41357a3b2408726fcb77f84f2b5aa83

SHA1
508deaec1e78586ee61a1ff86382b3bd3c75c2f6

SHA256
098ae5417bfebbb5a55932777b5af00aabfaa321eebc5c699cfacfce2f90ac60

SHA512
ab30da6593f3a82e94c9ceb8e12ce880b7fba27671ae7a7cc1e544f93de32be1d2b845b2052b2dc1db41d2fdf5bb516ad913df26a998db69a7cde3dceea66bd5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
87fba83260e3a953cda4b2fb82239ddd

SHA1
5a632aa7f25ad028ef6f1e0a098c390466dedf01

SHA256
2d47983dc53f1e49086918799e30d59c08e147f0ad3b95aa2a160c3c0d4e5275

SHA512
b94f43658d3f7dae1f0ee76b0ba90cdf3d3c7395cef9b18c9c97a7ff7abd5288082eafb3165b39910389ca30742f447e2450e4598b75b46e5d1b6de8c3d05ae8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
a0e550ca4227e2b0f8be5fc55b1a183c

SHA1
6b5656ca61ed4de6ebd6f6859ca2a2eb87c64c58

SHA256
b47faa3244fe94183fd367e7036cca5efe30301c121e12686480c7c6a3fd0da5

SHA512
3fe013f32649e5c72b3e508520fb100ff7a57f11f992f8314b89311e3b121bca3822dbf98115c937c46e1d64c17029287e2fd3d75aafc6539b307aaee03a95eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
5b6061ea92583ad3a446ccc2528c5319

SHA1
af1cbb496920b97ac72b68d14840418c6bf53fdd

SHA256
c9f36b880d809beb73412a653d4d477371de6043c7446db8f5b81fe0942cdfb4

SHA512
a52eb3f554e20effe546471d1995936b36f8658c6b106628e92adfaadd5f96480b29a05cf09eafa52c612ea162a9c40127e9d36b4f379d9d6ac4801467274ece

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5789b2.TMP

Filesize
1KB

MD5
eb6b4b1b3269954f5eb0b0a72fdba5ad

SHA1
c0029b3cb2e8ee81a51659d48727402d446dcb3b

SHA256
d69603701bd9ae997058a77e4766878806b0609964b1eb8d46d3d980c734ae04

SHA512
7a462f826f2fec896ed9a85b3500677e2e62cbbbba9e4767214cbf8b621c2ce0c1fa391e22f21077911848dc28c8eb5f9eb2706d15318cd338994a78b41b4157

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
09de2976a95e4199ffb27d8941c87f24

SHA1
f761a5fe7414e9cfa5e82e039d1750cbbd64eff1

SHA256
b0a2c269e50594d533ebcfeddd7229d14458fdaa7d35d4e43c588f3c18c6eb1c

SHA512
44723cec5cbc7048aa342b002e42b6738012a52879cddcb691dfedbd1198e8dd2e2633482b79dcff777b44306abe573049245486cc06d7f451eef184dc938289

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
b3129f4f747404f4caeb0cafe354770c

SHA1
9d699fa1b622fa7d5d09ef60313f95a401448617

SHA256
bd37d54fecd32ef2a14a7cf7883fac170d31760f82b481fc8fca14dbd522b693

SHA512
a2caf40136b0035ed0a49bd61a6bec461ec5b807dd21087198862d15258f3bce88ca88b69aefeadde25f33a51f6ab11c5a356dba38baed7d45a17d0681f70448

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
d38b5b3a0c19896af1104bb4521a2e85

SHA1
9ac66ebd1ea5f27ca10866d3c5a9ba8525bf06c5

SHA256
fe37c81e4b1324b88a94e26fc04b32e16c756c8a7c2a14fa3c3308e7356e1d0e

SHA512
8061a9c0ad7bebf8733e7c52ca88726fa407547a4103743803d749062e44b4f7d2082437a97c3451aa3c9f667b94b37f1dc421afe23bd8807d0e2ceeeee8c033

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
39d40b5fb9c91d3682aec0ec7a4d7fc1

SHA1
a9f191540d69bdbf5f2bdd8b018f01aabd726755

SHA256
edff4a74880702a205505cbdeebf02cf839b7e935c75168e3e8b12412a3f1688

SHA512
a6a635d3e668a16e7d5ba5dbfcd4e618f34b59bc334a7fd449e0abc3e8de2c4c7e0d4ae04c3249e1724d7b0b148b187a9316d3ebf615eeac15c0bcb7d0a43b5e

Download Submit
C:\Users\Admin\AppData\Roaming\9c42e19dad45b396.bin

Filesize
12KB

MD5
0ab5770e303378323bc866882e917737

SHA1
8f5ddc41f55348931cb2de2fee7bfd91c9a137f2

SHA256
f6e3ed3021c18d4b0921559f945cc45352b9637d52137708532f17f6c87fbd4b

SHA512
0fafc7acc5b59d5833bcce092f959259532f8c02d61f3af87341ac362c2c0bb5a72188efcdcdf5086797f161410d3a5eaf81de3779759dc656df720d77f165f9

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
441b2325f777797720d81f91234e8bf7

SHA1
47ef136058c6409093a800f5e7db200050c94eb0

SHA256
c772345cbc6f1a3b0dcfbec818b6d6cfa13c54e97992bf6decab53419e86401f

SHA512
e199ced44b12ebbb95aab9068513d6cd95e9ecc9a04a9f0401c12e0c1c99385c5c4d7f824218b4b6cbd1b24234ee14371077e570742dd74d4d486597d0e88936

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ddf9915341108fb5761de0b05cf2e530

SHA1
39d63a4eed0f2908ac1587bc6d204ded47469bb5

SHA256
013c4bc1bd40167c06f854f430d371358e9f4ee0339d8a2594cbedc58475739c

SHA512
53c0c534055422b89cb598d61a5fd3e71fb4774bf80965ffb79ff2eda0369e8e9f5d874c478c9346673015a7b1ad95c8cac1fc43ef01cf20e1a8f604be5aae86

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
18aff82ba7897f06f0c49d9eced4ffb6

SHA1
74fbf2e2825242017e74433a415a2e466c95fb40

SHA256
0c4628639efc3ede55d00b327254421f152df5772d5dd24da5fee1fc693e27b1

SHA512
0bbf37a1f8fbadde9de5d9ce25436b983dbc1482a9ca31bb2bf4e86f552406a4e7e916c0d8558067ae2b3bc1741cc4504b63b89743cd2fb9bdc01f5626fc951f

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
5d29568253bfb8dc7dd8122df7c3fc28

SHA1
2455d270459b539eb3efc32160e7ec021f8089ba

SHA256
492e50d6dbe86e71d8c91743ef24a79a495443c513c53e6786b358795b4d9bfe

SHA512
872083b3dbbe281c23bb9473a7d287c9a65cd0866af6aeb98a1cc4f434f88da8fb4eda67df014e57f5d09e5f4a3903b2199240b4bfaa094a650f1792da3728b2

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
5ccb0f56034ce2cde5d95ecc1ca6ae90

SHA1
7185f04fbf0b94a8cebe2b88c1681645167c0cd1

SHA256
39548dbb456340d43956fc5401a0eea7042e250bc431dc83845eb9fcfb3cdf5e

SHA512
d35297629c9bad1f71d744bb4ffdff043d18ada9723cefe43ffbc189ddb0f595c4dff849fed11e01501bfeb904a1f9595bd0ac1c9e5516fe4c9bcb179a71efa8

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
038258ce5fdf2a31624f44844f21db40

SHA1
cb3d23c0f61165a29335dc4abf9f2b6e3e28a7b2

SHA256
19fcbb1543d5fbb621f434fd3730b6ac4747f87a5ba39bbc5fc7fc3703eb1c0a

SHA512
ec3f8fd66a2cce04ba84b7f51282c54f9feab1c8fc4c09a4af5a53919655bc33bc6905eb81cd4fd871f97ad6a1de026e4e0a8a30109b1685181bb22e4334042c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
97f86727b0235c05ea52910bfc44d325

SHA1
977ddf379ddf7c1ea63de28b5bb3803c0866aafc

SHA256
f81c664786299b8df25dfe8af640bc6c0dfb36650571790dfa7fa58b20d83024

SHA512
188973b0fa36d7af2758383e882316b086c269112fc1804fa9daa50a10e81e19760d912adcd2e55d8efd032958b0a784b35794063961aa93403ef336e6cfec58

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
980cdda5e4cb3ec484080ee9d459e2a6

SHA1
b176402d8825cbb2e6066371cf31358ef2307395

SHA256
dd6810f6b6a1e50bd0405d3966fb2982e5c309d8f8cdd1e7fc01f9c5042e679f

SHA512
1592fe1917ae8fa1692d3aa87c977fdbedadb69ea730b4390d5b4d9d26d563727eb9d69aa5fe151da312229a80b7c26a2e19a4a520a6304d392f07ce585ea955

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
3328b8a40f92091d3fa816d933827477

SHA1
a5caff8b3063f2964501c3f0803025c9f969758d

SHA256
a25b5824d9988f06d1649010e43e316f6554a2e5b5a50347d8610b213d78dd9c

SHA512
8ba9e985fce840ca7bda6ac8987695e008cc4d1f3f25c8f635c98fe3bf295de2b1c793cbbc734f058aa0894bf5ebbe7bd0cf3991b078ad75ba08af5e84ff22a9

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
37b21d6b986c990875747eb242bc209d

SHA1
35d83fa13b65b54db8dc89b15c046b53668cc90b

SHA256
f59ed041ddf95c67c9f7e823c5fea5951c8419df252d12d46cb01fc987c1fd2b

SHA512
f66405f6e3a2b348a493c29b4fce9588f6b72866747a821bf9d76da39228e20c8a99a34ea1415f8bae5ec84f597d1a3e897f1fa4857f69233ad432a7fbb06bd8

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
f668dfad87d7e7cd7fad910a612f8fc7

SHA1
81c3d19c6dade7a93c00c1711e1f6f5b559b7038

SHA256
2409f208cf243cc6103db8988ec79a6037551f60994b9ced28b7524607ac5385

SHA512
33e3cc41af1347d530041b31830bcc9638a8b27492878df716b001abdb3fda55c62508798fcf0858327ec1593c682b74f53334d76a57b74be637c88d07340be2

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
0a38b05607922bf0e63ee8e5a66a20b9

SHA1
baa275aafa3fbc958584fffcc304e59901d61b0c

SHA256
a6b907790e0c306b5f3e7eea50a52dc5e74bef23676834c9bafead148776f4c0

SHA512
c447bbae3480ed500a11705271e82fbce6f950d5e1ff87756e8d37abf39d33a4591bae88c2eacddcf14437bf3f55a15b7c0e12c6f365f5fc13b89fbb91489d72

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
0b6126777e6f687e445ab6e65e470230

SHA1
04aaa07b3947c93043e8b6670e93aa95cc109447

SHA256
600d7089b415edd9232077f1273204a0d58a6d0f94364f2669bd022dfb70f7bc

SHA512
d3601711a9ded31900b908f7defb5995a10385f287c57c0dac55407f8f5eb85319d4300b1cff8efadb76b340880f9de047edc06dbcc55091387dbe3d493e74d9

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
1bca24894d2f4a6db2cd8ccc7d542498

SHA1
457970b879ce3cc8e2908598674bcd581f5f17e7

SHA256
70dbf4357c6170230950282a991f4139efa83b359e21d6671167e0403446f2b6

SHA512
80f8b1d599c44caf5b76f3b7ca0eb9eadfe522a59e8b6aea437f3ca8c2f2aef0ad661eec99b131a8fe36bd4a28c4cb1cda9856e0b9938d8412b85efe77b103a2

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
36870248524f191caa7204e9ddfda872

SHA1
9d0d69ad562d0a1ef9ca99d541430df9ac631ff0

SHA256
7faa71fe8d4a438b7ba7f2abdac203f191557619c67d81b1d8ec8cfc92758423

SHA512
1ff9404bd0e50359b7f9dc471a1c24f96726e0999538516bf5b790554042062d0115909ae344c146c6ad03c890c106c5e96488cfa3a9555e001e5822c0da1c44

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e7c3a8a64406b037eccdc042d30b7618

SHA1
c8c0e57eb41a1566fb40a5bbc2b85c7455c09a50

SHA256
cbcf689cda3e20453d4c1ce46e88098f651367b744048ec2b93475bf4b00f410

SHA512
43959468cce86085fc95872e13db5dede0c2f17d9aca23ca566a3e31c2038b6e42bcf96fee71fa5997074600b2dd993fdc7371393e03de7ce0e0d3722166dce8

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
09e0c177896b8df0b470928e2162900d

SHA1
eb9453ae77da17b08d1dc4283761de194b8c6a2c

SHA256
beb10b1d2c6730951bd7236b884683e7aea13932a0e60e38a37ddcdcc8e603e4

SHA512
990956e1f9f3d1a153e06637b1cb142961d1e919b9ad62a24e1f291532c3dfcf59cd1550865c100353f5f827b5f11d456f20f6ae3f86c6e5bc2aba603a234de3

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
5a3f378b8d4847b8e1747e22b1333565

SHA1
ff038280382ac2fb3ca26cff8e2f2b460e43cdb2

SHA256
99d12d356b175d193358f1c8319b605831fe8ac9323fc3b3f2ede17a1593a5e6

SHA512
af92ad69d22d73b3026e0be7fae9d3af7ac1c46de6fd6dd18e904531ed4d1307b77ec374cb3ed5392280c1e8f92c5059da35e2fada55b7e06faad010a7ffe858

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
1d07a2a63d2a31193e4dfa6d2cb49db5

SHA1
058fea5792906591451e65b9df9f4698c2fe440a

SHA256
c2b54864fc0b3477ff5c7af2b23aa57c2cce338bb1ec53e61d43d27295778440

SHA512
a8ded2114f7c8ecdf3072fe57ec4642a1040d9fa43629f12d09f9117fc319e27b9bfa32bc8b8bc2f9e9b0e3941577e64c514c171a5b2be3020b5e93046a955cc

Download Submit
memory/368-388-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/368-77-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/368-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/368-74-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/744-0-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/744-35-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/744-10-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/744-51-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/744-4-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/772-934-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/772-601-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/888-313-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/888-401-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/1252-933-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1252-595-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1408-27-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1408-22-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1408-29-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1408-317-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1548-19-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1548-330-0x0000000140000000-0x000000014026B000-memory.dmp

Filesize
2.4MB

Download
memory/1548-13-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1548-34-0x0000000140000000-0x000000014026B000-memory.dmp

Filesize
2.4MB

Download
memory/1684-574-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1684-562-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1992-443-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1992-456-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2024-128-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2024-53-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2024-61-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2024-60-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2040-402-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/2040-339-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/2260-600-0x0000000000400000-0x0000000000658000-memory.dmp

Filesize
2.3MB

Download
memory/2260-484-0x0000000000400000-0x0000000000658000-memory.dmp

Filesize
2.3MB

Download
memory/2668-90-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/2668-92-0x0000000140000000-0x0000000140290000-memory.dmp

Filesize
2.6MB

Download
memory/2668-81-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/2668-87-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/2668-80-0x0000000140000000-0x0000000140290000-memory.dmp

Filesize
2.6MB

Download
memory/3128-919-0x0000000140000000-0x00000001402C3000-memory.dmp

Filesize
2.8MB

Download
memory/3128-540-0x0000000140000000-0x00000001402C3000-memory.dmp

Filesize
2.8MB

Download
memory/3288-47-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3288-41-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3288-59-0x0000000140000000-0x000000014026A000-memory.dmp

Filesize
2.4MB

Download
memory/3536-920-0x0000000140000000-0x00000001402A3000-memory.dmp

Filesize
2.6MB

Download
memory/3536-551-0x0000000140000000-0x00000001402A3000-memory.dmp

Filesize
2.6MB

Download
memory/3736-293-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/3736-363-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/3884-923-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3884-577-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3948-458-0x0000000140000000-0x000000014027A000-memory.dmp

Filesize
2.5MB

Download
memory/3948-576-0x0000000140000000-0x000000014027A000-memory.dmp

Filesize
2.5MB

Download
memory/4140-523-0x0000000140000000-0x0000000140257000-memory.dmp

Filesize
2.3MB

Download
memory/4140-707-0x0000000140000000-0x0000000140257000-memory.dmp

Filesize
2.3MB

Download
memory/4508-935-0x0000000140000000-0x0000000140287000-memory.dmp

Filesize
2.5MB

Download
memory/4508-621-0x0000000140000000-0x0000000140287000-memory.dmp

Filesize
2.5MB

Download
memory/4532-528-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4532-894-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4672-502-0x0000000140000000-0x0000000140256000-memory.dmp

Filesize
2.3MB

Download
memory/4672-612-0x0000000140000000-0x0000000140256000-memory.dmp

Filesize
2.3MB

Download
memory/4744-318-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/4744-352-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/4784-913-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4784-513-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4784-625-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4960-99-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/4960-107-0x0000000140000000-0x0000000140290000-memory.dmp

Filesize
2.6MB

Download
memory/4960-389-0x0000000140000000-0x0000000140290000-memory.dmp

Filesize
2.6MB

Download
memory/5000-588-0x0000000140000000-0x000000014026C000-memory.dmp

Filesize
2.4MB

Download
memory/5000-478-0x0000000140000000-0x000000014026C000-memory.dmp

Filesize
2.4MB

Download
memory/5196-626-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5196-936-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download