7b8953e5a08321ca8853d43c9b21895e2ef620c4fffdf2a8e7fdb957546feb73

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 03:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
Size

5.5MB
MD5

d1957d1f455875e136049feb915a5716
SHA1

882d7bec71eeb0ce11d3f212e0347fa48be95bb8
SHA256

7b8953e5a08321ca8853d43c9b21895e2ef620c4fffdf2a8e7fdb957546feb73
SHA512

1707d2b5e3539fd951bcb3076a6d2f6c6eac2fa70d5510505173ce9885f8b1565b6e59ddafb3a066fcb9fc1174a5ec3ea8dc79db4453346c018dc4cdecf4ce5d
SSDEEP

49152:yEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGf2:YAI5pAdVJn9tbnR1VgBVm5i6qrZ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
5088	alg.exe
1972	DiagnosticsHub.StandardCollector.Service.exe
1524	fxssvc.exe
3808	elevation_service.exe
4408	elevation_service.exe
3340	maintenanceservice.exe
1456	msdtc.exe
1236	OSE.EXE
2268	PerceptionSimulationService.exe
4768	perfhost.exe
1724	locator.exe
2436	SensorDataService.exe
3528	snmptrap.exe
4080	spectrum.exe
2640	ssh-agent.exe
4180	TieringEngineService.exe
4856	AgentService.exe
2472	vds.exe
2520	vssvc.exe
1536	wbengine.exe
5168	WmiApSrv.exe
5260	SearchIndexer.exe
5196	chrmstp.exe
5452	chrmstp.exe
3424	chrmstp.exe
4468	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exealg.exe2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5325cb43c8648821.bin	alg.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe

Drops file in Windows directory 3 IoCs

Processes:

alg.exe2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003d65cd46f8abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002d77ff46f8abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001917bf46f8abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cddbc346f8abda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000036604947f8abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c2b79d46f8abda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ea18a046f8abda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000a743d47f8abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e863ec46f8abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

Processes:

chrome.exe2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exechrome.exe

pid	process
4684	chrome.exe
4684	chrome.exe
1088	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
1088	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
1088	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
1088	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
1088	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
1088	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
1088	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
1088	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
1088	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
1088	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
1088	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
1088	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
1088	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
1088	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
1088	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
1088	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
1088	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
1088	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
1088	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
1088	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
1088	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
1088	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
1088	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
1088	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
1088	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
1088	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
1088	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
1088	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
1088	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
1088	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
1088	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
1088	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
1088	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
1088	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
1088	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
4684	chrome.exe
4684	chrome.exe
3748	chrome.exe
3748	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

4684 chrome.exe
4684 chrome.exe
4684 chrome.exe

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exefxssvc.exechrome.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2792	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
Token: SeTakeOwnershipPrivilege	1088	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
Token: SeAuditPrivilege	1524	fxssvc.exe
Token: SeShutdownPrivilege	4684	chrome.exe
Token: SeCreatePagefilePrivilege	4684	chrome.exe
Token: SeRestorePrivilege	4180	TieringEngineService.exe
Token: SeManageVolumePrivilege	4180	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4856	AgentService.exe
Token: SeBackupPrivilege	2520	vssvc.exe
Token: SeRestorePrivilege	2520	vssvc.exe
Token: SeAuditPrivilege	2520	vssvc.exe
Token: SeBackupPrivilege	1536	wbengine.exe
Token: SeRestorePrivilege	1536	wbengine.exe
Token: SeSecurityPrivilege	1536	wbengine.exe
Token: SeShutdownPrivilege	4684	chrome.exe
Token: SeCreatePagefilePrivilege	4684	chrome.exe
Token: 33	5260	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5260	SearchIndexer.exe
Token: SeShutdownPrivilege	4684	chrome.exe
Token: SeCreatePagefilePrivilege	4684	chrome.exe
Token: SeShutdownPrivilege	4684	chrome.exe
Token: SeCreatePagefilePrivilege	4684	chrome.exe
Token: SeShutdownPrivilege	4684	chrome.exe
Token: SeCreatePagefilePrivilege	4684	chrome.exe
Token: SeShutdownPrivilege	4684	chrome.exe
Token: SeCreatePagefilePrivilege	4684	chrome.exe
Token: SeShutdownPrivilege	4684	chrome.exe
Token: SeCreatePagefilePrivilege	4684	chrome.exe
Token: SeShutdownPrivilege	4684	chrome.exe
Token: SeCreatePagefilePrivilege	4684	chrome.exe
Token: SeShutdownPrivilege	4684	chrome.exe
Token: SeCreatePagefilePrivilege	4684	chrome.exe
Token: SeShutdownPrivilege	4684	chrome.exe
Token: SeCreatePagefilePrivilege	4684	chrome.exe
Token: SeShutdownPrivilege	4684	chrome.exe
Token: SeCreatePagefilePrivilege	4684	chrome.exe
Token: SeShutdownPrivilege	4684	chrome.exe
Token: SeCreatePagefilePrivilege	4684	chrome.exe
Token: SeShutdownPrivilege	4684	chrome.exe
Token: SeCreatePagefilePrivilege	4684	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

4684 chrome.exe
4684 chrome.exe
4684 chrome.exe
3424 chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exechrome.exe

description	pid	process	target process
PID 2792 wrote to memory of 1088	2792	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
PID 2792 wrote to memory of 1088	2792	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
PID 2792 wrote to memory of 4684	2792	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe	chrome.exe
PID 2792 wrote to memory of 4684	2792	2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe	chrome.exe
PID 4684 wrote to memory of 408	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 408	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2224	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2224	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2224	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2224	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2224	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2224	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2224	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2224	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2224	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2224	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2224	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2224	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2224	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2224	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2224	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2224	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2224	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2224	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2224	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2224	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2224	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2224	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2224	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2224	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2224	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2224	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2224	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2224	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2224	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2224	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 2224	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 3976	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 3976	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 4464	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 4464	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 4464	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 4464	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 4464	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 4464	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 4464	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 4464	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 4464	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 4464	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 4464	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 4464	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 4464	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 4464	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 4464	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 4464	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 4464	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 4464	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 4464	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 4464	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 4464	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 4464	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 4464	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 4464	4684	chrome.exe	chrome.exe
PID 4684 wrote to memory of 4464	4684	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2792

C:\Users\Admin\AppData\Local\Temp\2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_d1957d1f455875e136049feb915a5716_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x29c,0x2cc,0x2d0,0x2a0,0x2d4,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff80182ab58,0x7ff80182ab68,0x7ff80182ab78
3⤵
PID:408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1936,i,2156468865627408565,6327742044645010771,131072 /prefetch:2
3⤵
PID:2224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=1936,i,2156468865627408565,6327742044645010771,131072 /prefetch:8
3⤵
PID:3976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2108 --field-trial-handle=1936,i,2156468865627408565,6327742044645010771,131072 /prefetch:8
3⤵
PID:4464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3068 --field-trial-handle=1936,i,2156468865627408565,6327742044645010771,131072 /prefetch:1
3⤵
PID:3896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3112 --field-trial-handle=1936,i,2156468865627408565,6327742044645010771,131072 /prefetch:1
3⤵
PID:4832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4352 --field-trial-handle=1936,i,2156468865627408565,6327742044645010771,131072 /prefetch:1
3⤵
PID:5796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4436 --field-trial-handle=1936,i,2156468865627408565,6327742044645010771,131072 /prefetch:8
3⤵
PID:5972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4460 --field-trial-handle=1936,i,2156468865627408565,6327742044645010771,131072 /prefetch:8
3⤵
PID:6092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4808 --field-trial-handle=1936,i,2156468865627408565,6327742044645010771,131072 /prefetch:8
3⤵
PID:2124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4732 --field-trial-handle=1936,i,2156468865627408565,6327742044645010771,131072 /prefetch:8
3⤵
PID:6080

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:5196

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x26c,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
4⤵
- Executes dropped EXE
PID:5452

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3424

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x294,0x298,0x29c,0x268,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
5⤵
- Executes dropped EXE
PID:4468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5076 --field-trial-handle=1936,i,2156468865627408565,6327742044645010771,131072 /prefetch:8
3⤵
PID:5380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4916 --field-trial-handle=1936,i,2156468865627408565,6327742044645010771,131072 /prefetch:8
3⤵
PID:5812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4828 --field-trial-handle=1936,i,2156468865627408565,6327742044645010771,131072 /prefetch:8
3⤵
PID:4256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4920 --field-trial-handle=1936,i,2156468865627408565,6327742044645010771,131072 /prefetch:8
3⤵
PID:896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4996 --field-trial-handle=1936,i,2156468865627408565,6327742044645010771,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3748

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:5088

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1972

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4644

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3808

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4408

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3340

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1456

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1236

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2268

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4768

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1724

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2436

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3528

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4080

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:220

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4180

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4856

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2472

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2520

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1536

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5168

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5260

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:6032

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:5564

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:6080

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
c94f112e60e2e0b48f668f2cc2524c83

SHA1
3e3da6ae8989b06cf848fa91604c293478dc4fe8

SHA256
2b98c0483d214ef2b3b8730cca99915106863b5f3996db423d0a415d21ec79e5

SHA512
5a415b79529a8eb4534cbd7064126fcc4d0d5b5d3aa42e4bf38b3d9cf71fb30708d62fc52ab4dd80e656f1ac50ef5d3ce257062baea5ff5fc39f90c0b541d938

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
8ce31b536d6be41720834b4f4538280b

SHA1
d122b31ad89a381233923912fbe266402275ebb5

SHA256
7b2365b828972ee0052d1b2307c66e7836dd2809817ac162de0ae68ea78ebb77

SHA512
57c39dc49876294648d174ba88a039de945ec671d58c55ed40202141641e6beafff57d7ae45e259f1fb7ebb145e4b3fda73f8a5d9b9db0c20ddfa414488ec0be

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.7MB

MD5
a9f9a0732c6da1dfb5e5211aaf494b9b

SHA1
cc469a8108935fefd7fbb1eb7b8ead2e89ff5d1f

SHA256
e85ba45f473d33342a97f2c86306e1d1c116da46ee915b7fa507b98e83a888df

SHA512
f7ca414cacc1af5b33b0264665f73e0b8316085f0eac7edf74b281ed7c0da65ee52a5aee774196338cdcac7df9c4a124dd5f5d8325028986f5df45db4f4bd522

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
6a6d6b7763c1694e2373f7dfbeafa17c

SHA1
ecb5face483736d7a4243825d036fbdf5edb33b1

SHA256
6d9e0fdbe5f33b4e1babb688c22a1cdf91d7e8ef237acbac7db39c8659735fcc

SHA512
d7e37adb1ec3685e5b6416daabd65fab0b8472f722e4bd342f01d949a6bd3a75bedf22ddee40a403e27db1e789d8d7568902dfe31e2f9093011623d4b248ea96

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
a026e518068ecc83910ad5d5903dac1a

SHA1
2062a76b448267f3858aa0a720e4aeaf84422ec6

SHA256
22dfcc39d2c7ab54d5f17cab859acf05fa01e7ff02d82937c5b053443eaeff39

SHA512
cd2b7ea2a767cd6487f9f8f1ab015493cb8cfaea5f75cde413813ec4638677c27a0f4a953b779d6f0c17d28f2a97dbe6c73019899bd3358710965144fcd5d0df

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.2MB

MD5
06fe24eeaad9a7c4f871d4bb5def23f9

SHA1
bd2d7689cdc5475be7a5d85c1de651432f6934d7

SHA256
77fc3ad81dc527c3f6a2c132044023dc051c0d913bdf8c4ef3b806208f5dd5fa

SHA512
9b4e817a50a331d03f3fd92945eaacfc766a3cbb35fbe83fd0ab90ced947a0271d633f2998edb7b67fdac89aed6c0190aab64469fb3708d8e5b8ce96f3f3f549

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.4MB

MD5
ff928eb0565c16060b04b641530a4577

SHA1
4bd8499a236851b54020d6473475335196c09e05

SHA256
aa8bac8e192c2b85699c4e41308e0b6ee37c9b54178f2166644a9aacee25c30b

SHA512
b1efd67d0da5fac45dccf9949c8686478e1ba62da9dcc46916935993d8edbae156fa1156364f41ff852180003660fe1a45b02c8110982641be14a2d8cdbd796e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
a3d51e5745b15866d1a52f2aba1d2f27

SHA1
25929fcbbe22b564af1ac66f67e81755e13f9511

SHA256
9f4f5637681807913c00f7d2ac0a7fb610ba4cec4780eec42d033f321224bb57

SHA512
66d0667012d57ed6718758ce1c0fa2c77673186e237d274445c3ccef12a9b0381ddc5517806c73ed547fb4944a9b24fe54e10929e9db5b236fff6354b562c359

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.5MB

MD5
24d236ac14463ea91ed6ada6d4a945e6

SHA1
3389ab8a4d7a92e9df30845e7065466cd92b79d7

SHA256
3feb34726d7040e0cdefcc80ee9cff2d620df67b229a128d343eef26f8ba1fd2

SHA512
8c3e1241fc5f67bfb3244f63f90ce9de75b068cec2065deb94bb22ff60e45abf3f1c313d3ba360da1e8fde53574c53db0098a7c03b0751dd019aa0f22099d173

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
9acdb242567ed5d4d2b82c16be62b8f3

SHA1
8720d2333132053f9b75268e485535095d4f0234

SHA256
0136582722986dfb48e8727a022ef0059691ad4ca95d5180629fbc42f64f4389

SHA512
86b957896d93eedba082d645463a58e78f9ed804083a5bd33f620626a4707736b45a0816545910306ed38c6d29a1cb0f0115fce4c6163af295bca5699c842799

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.4MB

MD5
8f80b8d5874d06fb4d09f914695d243d

SHA1
f70ffeca890b299c2acde8b039d1259752b5f143

SHA256
10817ed86fb9ca8efe075545191e36bff1d446e4d40e6e841d17f2bd66c33479

SHA512
45b9f4377709df7a6a446980b0d51d57a423e62e8d3d1bb1e1163683b40df85229f0a66d73151c01a9b6dcc08a4687209e2403aaf20acb80dcd97a729985bb15

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
fa8599ee3902ceb25a3ca89d1c8c126d

SHA1
9157b2b3baaafd3ca47c3e43f73e901a662bf784

SHA256
c1462c4d5334e5cd87b8e846a06970965ebb395bde181f97d6d2783cc9d513d0

SHA512
c37f9a1e12e270527daef4aaa974c00e7d05c92ad9a8f361d46ae9dae35ac976c4180d5ef6b339d586742253d1fdcc93cd4d54c9cc87d092910169b5e06e8eb1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
5ce1c060e06eb7271329d8253ad7caff

SHA1
e6c0804d1bdb3ca645df82ab465ea996a8af8fb0

SHA256
730e3c3898f998e76158f8d6d2abe956b2192dd607cc932ff6f5c953a772f687

SHA512
813a295172931655edd6c7629cf026c7ed1c0069353bb33b22543bc31c69de941b4cb6711bf95157349c0699dac558fa8dd831dde58bf2da1761fae5f174db5c

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\5d9cd041-3a58-4cc4-a4a8-2ac7cb990596.tmp
Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
c9f6f845fbf4bd404f890d24dec68782

SHA1
30a428f10da62fac065db5bab32c2c797b2052de

SHA256
36ca98871d84eca1acd186fc387fe970de7ad20357f6fc126724990731ab895b

SHA512
90b13f93bcd62315dda3c7f898416e07ed1d87691264032f7c3401be4e392ca590bf7fa5d72ac8dffed5d9d9817b87e828a71cffab48175be69f282a012b5ae0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
89f55681cd116518c116754e0407b2c8

SHA1
f5d4aeb85e94ba181091d6a1ebca93915919c9c6

SHA256
f36101d056932eba1217b54d3ee1c54e0c6c4120087bf1e1e0781625d2be6fc9

SHA512
8db0dc249a77703508e63c8314af4bddcf54ac4f887b26409f743b344b94f9afe762d266cbac8b8097ffb28870d40841c7f64ed60acd087dbc1768db15b1c0cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
a66948a310aaa6e3a46b8516e95c1a8b

SHA1
9c7506bbb9d5f7e8515b12d19520a9ba79815a15

SHA256
f5b9baa7f1fa5b34169f84089c370ee31ca6ba9d50bc753c8062470ec2fa57ee

SHA512
8e0695bb626807c8791f5a55eebbee0e8588cf4f7b1846e4d24c0933b9564f4dcd3e2a8ac0345f608efac6be2cad83ec60192e6b104d1f5c6016af19c0fa8cd4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
6934d517cf224dc6b48f712dc065032a

SHA1
fd920d14e9c589635b8b1fd95e25daf2eb67ff72

SHA256
45a3320d2e664a8cb2a8a5b559646357ff8275a3c29856f997ee98716a0737ce

SHA512
0c46c083793954142bb2fefa4e3762de5c653103f3337c77c5ba1d9d3a6a36e15df81941c4c4f3a92f654d1bf20e9062a0b5ba33627e86c5af9e1b2d39df447d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
00eb96c65abb25f89a7a9ce7f703d5f3

SHA1
250f8a316e6d4b08b28d602894c7288fb111cdb7

SHA256
6faf41ff30f1d3e6999eaf255c899ef9485688fa1a9436dadf978e5fade5ae4a

SHA512
1ab6e647152de81cd9c4041e71fc31053770ec443947ba4bb1772e68d57dcaaf35b93ce776402160309d4a68cebe462f782cd2d7b8db72967a26506526d942ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe579c40.TMP
Filesize
2KB

MD5
8e5632bb5baca5f24f88c9e2a8eb2b6d

SHA1
71f7dee86640b602595b40c6a65d7ed4498cf00d

SHA256
88575950e262396bd009db3c75b18b3a1cd44b7b869b90f9b2c961ce9b74c1ad

SHA512
def476d83ba944f2fe83839108072677672a230218192751dd5e37305d42816e2db59b6f368fe8d3ca8848542ac3e3732dea3a58187c1e14f372ff2f721dffcc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
7c4015e18be91e4778f0d9881206125d

SHA1
ea3f711e09a3ab0c84971fccf1acbca41ae5816b

SHA256
07f357c3a7f79eda9a11ff358f8830abac46ea738a2b8279eb21dece2f224fd8

SHA512
8ed418e1d2b552daf8df2a2c7e38b13a978ff0d3556a89ad73d56fa0664e398ac059113e8003581873437813a941b352dba9ab89c26483e3fee0a74c16a7859e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
261KB

MD5
c2a5eeaf8f95424bcc878ec725b0bb25

SHA1
625600a041690a99d32d118d4d463fd5606f38f1

SHA256
3b75c05791c156292b93c495236e6cb43f536772b1b0e7723edf25130a25b2ff

SHA512
11ce3c0dee3856892598bb34be07d555ba24ef41946c458fafbe921e639cfd44df4c728d302ec5843c056ce2e04385a0f1f0b93223d9b6a0229238cad6d33e93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
257KB

MD5
714f7bb98c37895d90f8b10878a1df7b

SHA1
6f1a3c65c525e05c4ce7b1b41eba273fabc7a2a7

SHA256
a315d31f613f78f0e1f0fa79d3216dfa20f62aeb35351dbb9be7ff6cb6a199eb

SHA512
27d4389d906e7b3f005c2e08784415b0abbab0b5fedb137fa8c966196f9dd31f57309b5f6793b543bd274c8ca7787e23ab2a2e5d6536924150c7bc574ab54bd4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
261KB

MD5
16266d1f887586a0564237142132bd50

SHA1
8b94d96f84706e1b6fc84e77f92f531ddb7f9739

SHA256
8cd16098b7592e39e1cabd90045dc88a2f64b0b9e0f8a28754100091af487c8b

SHA512
056bb2fc0d3aee744c2b90b97eb116a097c487f7a157f2d4a5da387210c51db6bfdfcce4b6a25baf9513fd50359ab19dc20488d072453fd48603c69a9557e5b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
281KB

MD5
a95d2b1635c8b41ba60d4bae0aa0f788

SHA1
fcefe4b97fb81dfe6122783a7648aa514c13885c

SHA256
b0adb83e39bf2350c7c7c73f36c52e6e55747f8c28b24f86ac11ea1ee29c784a

SHA512
cf9258d444427b24f824c6f00fb42b5a281e9f24f2f184bb8db2507d75813352af6a8ad45ac8352786215dc141607d9fed4de0a0aa7086530e6cc32bdc9476cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
91KB

MD5
525feee50bc349ee1cd9044266cbc5fd

SHA1
2709e2cfcd90feb0d7a07c0219cd9df805ba6f0c

SHA256
be630536609eba44e2dfc0f04e55ab0116235836c3d278365fb15feea4bd9f18

SHA512
dac2f1294f35065dcd773cacc5308a1d301982daf1b4570dbe80490c97fdbf35ad6094b729250bc48f8606e36b1ec550f229ccdc0fdc859aa89ed2768a6cacec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe581102.TMP
Filesize
88KB

MD5
0a59aeea3bf44f86302d8e5fbc7507c9

SHA1
e1a88bb641a1b62e033f8a3c64c9c3b317fef560

SHA256
f0d287c54dc3e3d9263a60b9375c4988acef83b03edc30b44fa22d2a11c6449a

SHA512
852e1f6c3aa608e980d6bf9380e942b9093c65647892220779b4c4b13fe8c412be2beab64302cc2866659bad45dc7bc3bdb98ddc813dd516546ee10dcbc2a2da

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
7KB

MD5
b58795a7ac4a73ee3a3e36b64f7ee6ea

SHA1
503b95fe692801a53546984ddd95465350f1aa9a

SHA256
3b437785e09076d3ee991e67c8d2f3e9106c67e0317b00f5d1fc91b482a594e8

SHA512
676b850a1a798d850bfe6147f11373618ab2c57ab53f8df293d8e50c50d0a3d70963e373b381ffee38b032d4cd9da48e3a23a387ed78097a821b72a157d557a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
8KB

MD5
772e61f1cdcd594f638f3a291f88ebd1

SHA1
de380f31744f00742d9dd59c25a786a59ac2e29c

SHA256
ec9a75ff61e5dd0b65f1ba1af43e03e301823ced1dd233454a77e2afa09d3b07

SHA512
209d5ffa824e81e629e5c0eb085cc271a31ffc386960580d9c2a87c2c0a68d23cd9efcdc7ff296f50a7f6babed08a8038c3b791508091dbbb3196c4ab73bd39c

Download Submit
C:\Users\Admin\AppData\Roaming\5325cb43c8648821.bin
Filesize
12KB

MD5
b59f32d9b26eabffe1d8ddcb274821a1

SHA1
19168c035c40cdf28f0d7db580dacec8a4e5dd5c

SHA256
7c249833cb41f827bef1bf5d85465b0fd5cc60d2682ac6b764ebb1d4b13bf4de

SHA512
421c0357eb637090e8087355df628a7e6693541d4cde92fce005eaaa8821bdcfb37c43905b1c4c76dab229c8e3899b8909a3248a33040da153732936d4a0f8f4

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
7baf0c7774147fb01e16c1babc55f557

SHA1
927d54985b9a5743fb3fe15404161e585423f022

SHA256
d19ce070cf45e81831b322d201a72ad564354dbd9f80fb6a7f6c4cb7ebc4f3e7

SHA512
e01aba72f76293599e8715aef6f909555a8c68242a9422dd2eb853cc2eb8b15f277ea3688d78ecc0346f376ca7a822d679b2522890834f81f9354e041e083272

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
e34019bf4de286f0afce6a501cb46292

SHA1
62bbc1fb02be00f4cae6c4e6b70d9fa9ed7f3c5e

SHA256
dee887cf22ecfc5c98b92e6dcb078eef9aa70e7e1ff35c7c3cae86ecde54eff6

SHA512
0e9e4166609df2f3d7aa6ce3fcaf1b3ae82301b479f5cf142d2a02248b6bfcb224d435120fb8f7f105ca82dbdab121f94719cd9185740634900d8d31c2806a0a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.3MB

MD5
d578f693f87dd6721ed9727cf874f92e

SHA1
82ba88e6d3d3b8cce083129e2b202002f72ae826

SHA256
ca0423b6eb24de4af35b2bcca0498359689949a94cc0ff97e86a58a4bad342e6

SHA512
3cb0dd53b242ae3d28c0f60c90b7d11a46e5986f424284e9ce57662afecd461db1338ae87f44219e36a282be3384e8b6db76777859366375dd7a52a6c89fe621

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
e5fb303b5079263213801850ba892110

SHA1
6cbc880342f47d2450162217c2545a80a023dbca

SHA256
9ef616c7c6c3635e6a6bdeaf19f0eb34f313981bcceca2ed0ec1a1686ce252b8

SHA512
266678488344b50d609501b052c5dd3bc995218b0ed35aa1a9ad8a8052915eea900f7bbad378887bd7563a25cd95371fd410889a9beb8f38553021e883958c9c

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
a46a34645220df958bce7a80930f4dcf

SHA1
b81a2b93309714558099813c81eaf0a678870315

SHA256
0d3813592748b4912d4693e98a82acd2d649b03930d901609918ffd03f27e7a3

SHA512
b26714493a7d21cd2d91fd5143768faf6137d2c7980078e6d7781d718a416684e45581c51328797a2de5e62e01baff08b89df56e2cb0ba00ab6d9107b86d164d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.5MB

MD5
dbf93c80d7a4b02f72c1957306cb9640

SHA1
14ce83fad477c10b9705117be8b9369d7fb90fc6

SHA256
267cc2848ba1acad7f2421bd4473de052a7803d834a7fde794a7ccba023630aa

SHA512
40f4603d2fe417de2f768bd2d87a0b76ddda18701f13d5e42d164c14ea828657f079d3c9ec6150ace319cd405e076e513a705cd1878e77262df84d09f5867c38

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.3MB

MD5
18884577543ae515b91daefe86619937

SHA1
e156a9af7fef16cbcef58d0bba255c683325cde4

SHA256
72a76204e4f9f7000233102d58d0a8a6c13de20c70bacbb96167ba89467e2c2f

SHA512
fc8958de9198471c5d94441e50297c779ddf669c4a9dd1d514ac71e7c1df46451a77892730366815b0dc7bb753fc5406bfe7eccd2aadb70b7d6d5c28c0773968

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
41454ae21ccfbf5908fde48cfcc2a6df

SHA1
48f191c86663764853be9f9492d0b79afd8dd4a9

SHA256
be7e29e1ee08b9838c5bc06b3e445a0e13ecb5000d24cdf14d307216775b77fb

SHA512
f4a68719d1e3f3830a109b6d092344eacbc92eab349b417fd81e0fff09abe5c2a432b1f1d9253bffbf22b9905a9e210efca1ed181c3808cee1f9b496583d617a

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
426b75fa987c3b859c5e9a6c57fe2962

SHA1
8a92461e4a7b562b69143da933a10feb2ab7375f

SHA256
bcd9d7ade27a463bb04e839d960eb5dfa55506b53b158b75460e10856dca1dc8

SHA512
5d051c11fb28507482b1a47477cf72f41b1536369bc9377b9e805936c9f56160e706738e93a72207e0cbe888700eca6aece4f8d40ea4012a44ee4417bebf14a9

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
0e03178666bce7ce4e9360d881350318

SHA1
ca0ae1ef98aa4fdcb55352a24208cae5e3f50730

SHA256
c52b5b6de6f397e08d8bfeb11f79306031c1c3ed43ab155b5060e53cf6e50dfe

SHA512
0c0616692f8c2cac435cd4f56f0587db47c571813887949c334269f7f3452a33d46b81793d586e933959b586e728846a1cec5319a7c59faf4bcc347ab0f40554

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.5MB

MD5
b3a0689e7ac604353e9b939373442c92

SHA1
50d6033a4e43d5d6aa413e8a7d0a3a15f815d2ae

SHA256
f59cd459508f447ffa1caac477904eb0c0e86460e2d722bfde0a9a705820377d

SHA512
13346f7052ee35e4f4db86268b8eaa655113cafb22d34e714e8ceec0776f628e898625a0c044fd85072614d3851584f7df60e177fc4de735c8749f7f540c285b

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
024a9827393b7fe33b60fc88b0ec592f

SHA1
340560c40050c4811397434a40a8f8ac58ca3e84

SHA256
128772f8d997460a14b3e52f43755070d3af216c88557413df999b018433bc2a

SHA512
8ae632bf67d47e32aeb666419ec9dd1098082d2e2ef49889a0c660eb0a2fe218d38dd2eb1c439ba9349aa5020a87cc9d901ceb4bb1440a59d0f833190b136ea2

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.3MB

MD5
607fec743bbcb089eca0dcc5a879bdfc

SHA1
bd8a9410eca2537df34ee69793c783d86ca646c6

SHA256
e52d9d65896a079649f81f1af8ea9a4e71f23f104de49056b02f115ce3b3373b

SHA512
105cbef05bd6124087c2f8c9659fa0fb61dcc86bc42ac7057a3ed449dab7ebed9b727e864fcfc7e2bfc5f8da582d49f62e844385c27e45acf78876d76b0e420b

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.3MB

MD5
464fb48b111cfbf96830263d00e6e052

SHA1
09164c56e5febe2b92fac3f1e6d6205e0f95c1da

SHA256
fbc966822c714367f51036747882d057d5c298423547bcbb0f3fd29710f14d1a

SHA512
35d14e5f136c60f78aa33320b305ac96f865d4fdbf2d83e6915481ec6136d1299344619f8350f9b19c0f0c197826e5466712fdecd35fa6743cd7adc5f8eaa067

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.2MB

MD5
94fb620fa874a70399d5c0fc318b557c

SHA1
47407ff4451243ae329acc7502ed8a15ba1085b7

SHA256
2e43fffcce8b6a9709b56d6e434ffe96f5bdafc4d38c06194e33707159f7738f

SHA512
0f7b3599f375a26e2879c46c934290748e35ad5b8f60b79270de41faad127906cf113928d3fab1c1e0340e8b7f8a7252e79f1cef62e8feb64b7e04bcc7f23395

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
155f4db333e8b0d1667e1257d348d793

SHA1
be601ebd70e1190f121107c593875b0e964c656d

SHA256
0a21912939ceb42f8e23b7a958c07aa7bd68bd2939f949c4385e84d4a3516c90

SHA512
68455bbe6d31a970b8c74e9ecaf2338570deddf43fcf562787920e9639d207a054a15586a3b48b00291644944e99859f161d715703cdc5d6faae382a901d227f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.4MB

MD5
563d0f8f372f47f2f671c150a2dcf748

SHA1
b070d846d417ad4e4602d7d2a88719ec79badedf

SHA256
de5ba92bdcc2a48bfce20ed368922049dca366bfce920a9de9774b275ca522c5

SHA512
742037d98080e76895c1068e1761db583edac4a6e73ebc973c1c4b2c010b65a3fde51fca50e8e96676903256858bbc1acaf5ef09c926595140905139e37cfc4e

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
e99ff2be0f9664d06a1c4bf0ce9c8ef2

SHA1
ec39478f98133639fef9b3c6a84c6b7814803789

SHA256
7ad98ad271fc1d8b773ee6a4e77279786630999bfbe810a3bb4b097840b1f73e

SHA512
fb7152e002ad743b126234bc18e92014c4099612a6a2be8a08ff3941d5b0eb96a0f28406c3382a31b9f25ba02b7a3ed134ee9ea596c7bc264816418c5f20b3c4

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
63c24fafa38c1b0109d7b33c1be0d22e

SHA1
9b3ae6d17378fa094069f9aef62df034089e3083

SHA256
5928caa89b1d2b710b06e2032deeeb129c5844abc95bb506a96a2181663fdb20

SHA512
1387ef7a3e1e729ec2d22463f44463c5645c772a8336127bbbc7532923abb04b62bbfadf10c12c2f6b50d1ffb567ae4059efe192f3fc0ffdd90ff0cafaacb6b0

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
f9ac8588fbc2af702717812e98bac595

SHA1
f5ff3dcd5e8c29aafb71c4ad5564b1edfdc6a844

SHA256
3572f8e95e21ed5bbe1b2d21cdee0dda6541d046bf0b9a8f540061290b485f2b

SHA512
f5031d4477f3ffa94b3576647a01bc10fb098f5a815a627faf43981d9a66090dfcbfae41536c19fc7ed2562553e572cff563f92d3f79252960354152384f6356

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.5MB

MD5
d3c64f9c3f828f179fa4263b201a75da

SHA1
1be9ba6e8d4276429b909483b4224bca06d90a37

SHA256
4c8146ba2a444691928d93740f260754746c998879843d8bb28e8c4e62e9147f

SHA512
8cb28e0267daac6f4c05a51cbc7e3ade22aed70d8e239d83e64ebd0e7786e3f7c5f5bd32c8c1241f5e2a53284f88b734cbff0c9d29fdd3f8775bcd519716341b

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.2MB

MD5
a16810f1ebe6d1352245f15b37b5a682

SHA1
579aa4309d89e1a153ae8a75b188ed250f787268

SHA256
0189026d459972e00f473c93ef183de4087f552bf42344c6efa3ed5c8821f21b

SHA512
51c0ffa80337c874585b6f85cfea89bd9c8a54e440770bba013f7c05ab3c42b1e1e6483470a4d565d45e819ac2f4f5f10b3d035980b6b42fbdb8ffe5fdec72f5

Download Submit
\??\pipe\crashpad_4684_JAHCUUEMMMLVPJRT
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1088-128-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1088-17-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1088-11-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1088-19-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1236-154-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1456-116-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1524-54-0x0000000000EC0000-0x0000000000F20000-memory.dmp

Filesize
384KB

Download
memory/1524-63-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1524-60-0x0000000000EC0000-0x0000000000F20000-memory.dmp

Filesize
384KB

Download
memory/1524-127-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1536-377-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1724-641-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/1724-175-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/1972-49-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1972-43-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1972-51-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2268-155-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2436-634-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2436-210-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2472-375-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2520-376-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2640-368-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2792-21-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2792-0-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2792-35-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2792-6-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2792-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3340-111-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3340-88-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/3340-98-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3424-618-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3424-576-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3528-211-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3808-73-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3808-71-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3808-65-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3808-188-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4080-221-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4080-756-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4180-374-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4408-76-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4408-86-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4408-532-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4408-82-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4468-593-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4468-766-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4768-635-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4768-169-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4856-256-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5088-37-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/5088-174-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/5088-32-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/5088-26-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/5168-379-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/5168-759-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/5196-542-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5196-629-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5260-381-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5260-760-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5452-765-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5452-562-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download