933ea56debd89d35a39a6b416f3ad4217bb584f4e93660c9be7d396e7a2d080d

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 10:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
Size

4.6MB
MD5

0974f1d34033d4a8f8b2c895a8d7b613
SHA1

85a3ef939652c176a3fe949d41436fcfb3d37125
SHA256

933ea56debd89d35a39a6b416f3ad4217bb584f4e93660c9be7d396e7a2d080d
SHA512

e0b6472e48b78e5efee6fe6f1c577cdcc86bbbfca006a503c7d9dd4b6577f59a85c9634f9c0e11ce06557c635f1655cc959823dd26c044c88ab786c014637e1b
SSDEEP

49152:3ndPjazwYcCOlBWD9rqGfi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAGO:/2D86iFIIm3Gob5AccD527BWG

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
3300	alg.exe
4116	DiagnosticsHub.StandardCollector.Service.exe
4260	fxssvc.exe
4848	elevation_service.exe
3412	elevation_service.exe
2132	maintenanceservice.exe
4192	msdtc.exe
1476	OSE.EXE
4884	PerceptionSimulationService.exe
3148	perfhost.exe
3684	locator.exe
3180	SensorDataService.exe
1572	snmptrap.exe
4652	spectrum.exe
4604	ssh-agent.exe
3756	TieringEngineService.exe
3524	AgentService.exe
4448	vds.exe
2656	vssvc.exe
2236	wbengine.exe
5000	WmiApSrv.exe
2684	SearchIndexer.exe
5556	chrmstp.exe
5332	chrmstp.exe
5828	chrmstp.exe
5860	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exealg.exe2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c4d7c0e0c8648821.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe

Drops file in Windows directory 3 IoCs

Processes:

msdtc.exealg.exe2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe

description	ioc	process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exechrome.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000370eef1fbacda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000d3fc0f2fbacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000156b6af2fbacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009f5757f2fbacda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000056abe9f1fbacda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d93050f2fbacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009b0eecf1fbacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000008a966f1fbacda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b9118ff1fbacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007aa927f2fbacda01	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

Processes:

chrome.exe2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exechrome.exe

pid	process
904	chrome.exe
904	chrome.exe
3932	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
3932	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
3932	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
3932	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
3932	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
3932	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
3932	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
3932	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
3932	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
3932	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
3932	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
3932	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
3932	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
3932	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
3932	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
3932	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
3932	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
3932	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
3932	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
3932	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
3932	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
3932	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
3932	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
3932	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
3932	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
3932	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
3932	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
3932	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
3932	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
3932	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
3932	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
3932	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
3932	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
3932	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
3932	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
904	chrome.exe
904	chrome.exe
3244	chrome.exe
3244	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

904 chrome.exe
904 chrome.exe
904 chrome.exe

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exechrome.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4272	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
Token: SeTakeOwnershipPrivilege	3932	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
Token: SeAuditPrivilege	4260	fxssvc.exe
Token: SeRestorePrivilege	3756	TieringEngineService.exe
Token: SeManageVolumePrivilege	3756	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3524	AgentService.exe
Token: SeBackupPrivilege	2656	vssvc.exe
Token: SeRestorePrivilege	2656	vssvc.exe
Token: SeAuditPrivilege	2656	vssvc.exe
Token: SeBackupPrivilege	2236	wbengine.exe
Token: SeRestorePrivilege	2236	wbengine.exe
Token: SeSecurityPrivilege	2236	wbengine.exe
Token: 33	2684	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeShutdownPrivilege	904	chrome.exe
Token: SeCreatePagefilePrivilege	904	chrome.exe
Token: SeShutdownPrivilege	904	chrome.exe
Token: SeCreatePagefilePrivilege	904	chrome.exe
Token: SeShutdownPrivilege	904	chrome.exe
Token: SeCreatePagefilePrivilege	904	chrome.exe
Token: SeShutdownPrivilege	904	chrome.exe
Token: SeCreatePagefilePrivilege	904	chrome.exe
Token: SeShutdownPrivilege	904	chrome.exe
Token: SeCreatePagefilePrivilege	904	chrome.exe
Token: SeShutdownPrivilege	904	chrome.exe
Token: SeCreatePagefilePrivilege	904	chrome.exe
Token: SeShutdownPrivilege	904	chrome.exe
Token: SeCreatePagefilePrivilege	904	chrome.exe
Token: SeShutdownPrivilege	904	chrome.exe
Token: SeCreatePagefilePrivilege	904	chrome.exe
Token: SeShutdownPrivilege	904	chrome.exe
Token: SeCreatePagefilePrivilege	904	chrome.exe
Token: SeShutdownPrivilege	904	chrome.exe
Token: SeCreatePagefilePrivilege	904	chrome.exe
Token: SeShutdownPrivilege	904	chrome.exe
Token: SeCreatePagefilePrivilege	904	chrome.exe
Token: SeShutdownPrivilege	904	chrome.exe
Token: SeCreatePagefilePrivilege	904	chrome.exe
Token: SeShutdownPrivilege	904	chrome.exe
Token: SeCreatePagefilePrivilege	904	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

904 chrome.exe
904 chrome.exe
904 chrome.exe
5828 chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exechrome.exe

description	pid	process	target process
PID 4272 wrote to memory of 3932	4272	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
PID 4272 wrote to memory of 3932	4272	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
PID 4272 wrote to memory of 904	4272	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe	chrome.exe
PID 4272 wrote to memory of 904	4272	2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe	chrome.exe
PID 904 wrote to memory of 1628	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 1628	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 1560	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 1560	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 1560	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 1560	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 1560	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 1560	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 1560	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 1560	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 1560	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 1560	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 1560	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 1560	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 1560	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 1560	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 1560	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 1560	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 1560	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 1560	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 1560	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 1560	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 1560	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 1560	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 1560	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 1560	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 1560	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 1560	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 1560	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 1560	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 1560	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 1560	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 1560	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 5024	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 5024	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4548	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4548	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4548	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4548	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4548	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4548	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4548	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4548	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4548	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4548	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4548	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4548	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4548	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4548	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4548	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4548	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4548	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4548	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4548	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4548	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4548	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4548	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4548	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4548	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4548	904	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4272

C:\Users\Admin\AppData\Local\Temp\2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_0974f1d34033d4a8f8b2c895a8d7b613_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.208 --initial-client-data=0x2c0,0x2c4,0x2c8,0x294,0x2cc,0x1403796b8,0x1403796c4,0x1403796d0
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff99039ab58,0x7ff99039ab68,0x7ff99039ab78
3⤵
PID:1628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=1928,i,2043129779335533403,2979620415028003485,131072 /prefetch:2
3⤵
PID:1560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1928,i,2043129779335533403,2979620415028003485,131072 /prefetch:8
3⤵
PID:5024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2236 --field-trial-handle=1928,i,2043129779335533403,2979620415028003485,131072 /prefetch:8
3⤵
PID:4548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3068 --field-trial-handle=1928,i,2043129779335533403,2979620415028003485,131072 /prefetch:1
3⤵
PID:1480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3080 --field-trial-handle=1928,i,2043129779335533403,2979620415028003485,131072 /prefetch:1
3⤵
PID:3204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4348 --field-trial-handle=1928,i,2043129779335533403,2979620415028003485,131072 /prefetch:1
3⤵
PID:5232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4524 --field-trial-handle=1928,i,2043129779335533403,2979620415028003485,131072 /prefetch:8
3⤵
PID:5304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4576 --field-trial-handle=1928,i,2043129779335533403,2979620415028003485,131072 /prefetch:8
3⤵
PID:5312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4728 --field-trial-handle=1928,i,2043129779335533403,2979620415028003485,131072 /prefetch:8
3⤵
PID:5352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4520 --field-trial-handle=1928,i,2043129779335533403,2979620415028003485,131072 /prefetch:8
3⤵
PID:5464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4592 --field-trial-handle=1928,i,2043129779335533403,2979620415028003485,131072 /prefetch:8
3⤵
PID:5260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4656 --field-trial-handle=1928,i,2043129779335533403,2979620415028003485,131072 /prefetch:8
3⤵
PID:5372

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:5556

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x7c,0x270,0x294,0x80,0x298,0x14044ae48,0x14044ae58,0x14044ae68
4⤵
- Executes dropped EXE
PID:5332

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5828

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
5⤵
- Executes dropped EXE
PID:5860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4804 --field-trial-handle=1928,i,2043129779335533403,2979620415028003485,131072 /prefetch:8
3⤵
PID:5848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4740 --field-trial-handle=1928,i,2043129779335533403,2979620415028003485,131072 /prefetch:8
3⤵
PID:5352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4796 --field-trial-handle=1928,i,2043129779335533403,2979620415028003485,131072 /prefetch:8
3⤵
PID:2624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4528 --field-trial-handle=1928,i,2043129779335533403,2979620415028003485,131072 /prefetch:8
3⤵
PID:5412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=872 --field-trial-handle=1928,i,2043129779335533403,2979620415028003485,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3244

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:3300

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4116

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3556

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4260

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4848

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3412

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2132

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4192

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1476

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4884

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3148

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3684

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3180

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1572

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4652

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4088

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3756

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3524

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4448

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2236

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5000

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2684

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3672

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:1404

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
03894fae1bcf3461000ca9e8873f6cc8

SHA1
03de746fd87e3bb43271ed9b825856eb4282b5ef

SHA256
b911405600083769062b65b19ddf712d175af22d62759a34ae5f0adc657131d3

SHA512
0e097b779456f24bc73e1954360668ae88199baf8cad83295a9864df7ebbbca9dcec7e95bd51f5a7619bb26f837514eb01ba65123e044556b1267ef61b3ca74f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
05edfe14473809ae76d457ca91465397

SHA1
b5fd1414c9a6499c3514755c01208210092c53e3

SHA256
28a80752768c674155ae41d8a592b15f4609bc3a9453509c5d2e90053c70c51d

SHA512
2c113858f43cc478a869433a8015e82ea682af56d22ed4c8980a4f7cd6c3b0126561d78ce5e802949a59e075212ae3879d433eb30c0dd34afba6dff9ba24cae3

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.7MB

MD5
ff2b0d4c6c5d73a41594cc442d3c594d

SHA1
376e0e12e85ece4f937da2e59ad69fff8125aa1e

SHA256
52ea593b2e8ef0ec81b9e8972926762f1c34386a99db3695ec33a47503ba4c6f

SHA512
fbb0c6a0fad155e71f0744354b705d963c72df1dda4d63a5c81b6b4ef364b188ad37bf3e1b93d080beaed8a512be4e26ebf02367e106d52cabb21d010905ae83

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
75aa8d76b541503ff20d17e95ccdd42c

SHA1
e8a5baec8966ce52605f065a6336e16dd1c40f52

SHA256
b3be64cc418b0b33a40992cf0e18f310839a1118fbe98dd04f3b0912127b5492

SHA512
9e91bb123ba304d59420535fa2a8e28114fedec578bcb482eb08fc7c4d9a9288285d38b925b4caddab1beb2ab0ce10e66b3be4a6a52a3197ef572ff1f710f06c

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
c20e12920d6715940da9d1d8c7c58755

SHA1
a0c3b705a3565a88696b067a12df4828613f0b93

SHA256
035b4f7180dafe815d1423511eecbf138d61d2b6b1cbe126c6002d2c605d618e

SHA512
2f5445aa07f62395bb9a47772b3e6e3a27b173e0bbb50051d9e9182df131d33de08d0067d4d4237451fbaed23eb2aa80447f75e7aa7fb1647f7bcb922be3754a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.2MB

MD5
e0db3ac4ca29326fe5e88d27a52f35f4

SHA1
cf4adaf99a69ce14ed1956c278782c7e0e865908

SHA256
610acb02ea12e356b9bd4cd7dcccfc829b5d8b1e828e62197a8a48252d294aa4

SHA512
7074a93d494e8558131cb9ce8f34f7d85c4ecdb85eba03f88365c13f688ede19fcbad18fbf4b7c17d65c68ee6db91dc7e318eed38bd14b7f00aca4c4eff5ae58

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.4MB

MD5
1f7316388ab7872191975075a878bd84

SHA1
a45f536a10958db9d30ec3393389c39b2f2cf2f5

SHA256
652fede5a1e526820d99915a847307cd9b1c07691f3559a32e6584b7453bfeac

SHA512
b56c11c089ed46700eee9f2e2b3a7a544bfc658ac7066b6d2f129641eaebea47d81b0c0a67f49f7b499358a463e4915b002f24ea36fb53d3ec5a229af2db4ac9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
92d9136df3ecde729e7214c9a8342f7e

SHA1
6b4c91a0545ad9c4507128acf28c8085b6a2d998

SHA256
b48a650fc9fbbcbb1b9fa3ae908e91f2940ca497ec830b93212df151c08333d1

SHA512
68e637e2d63e1543136b96ccad25dd7fb6a9ea89c7c8d470690e44b4737ae15141270823d8ad652752e7149e05838273e5ae01dc16be5f7238b43f65a6ae402d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.4MB

MD5
f6c94388efcf81637b8580c7a2a2c9ce

SHA1
f292487449ec77588e1ee166c95aeee61e6b5074

SHA256
88b6a379fc9f3c181079edb46c536c1d86159593a2963ab9d53b6e094dfaf6e3

SHA512
a128a1c9a2b1bdb7578bcac7c92e992f27dc0a7a6947c1424ed67e826723636b070597413891b260b457eed85a68f2b36be09a337b0dc9e959185e3711b435d2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
ee33203fdf6309ba8598541782fbea5c

SHA1
247bd35c9873ab2fb2a9fc4f57a7a62ba5454713

SHA256
15af61fee97a7f84d2296c0e6d2452932c8d9dd0f52e1978ca4c583c2fbba964

SHA512
130111d6aac6f1276583ef42d7fc13626851502f5095eba97a9abc9dc30eb9ff7485c3ff0e13aeca9ba5f0f21cb8af6a870d710b984c740a12cc61accc43baa2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
d1873aacf515fb34af79f72d6d00ca5c

SHA1
3e79a3d4cceed3f586ebcfe8b74aa728bc9f3e4e

SHA256
bba175a1eb5e882b3598dc222b68276c156ce1dc505db4bfbc29bc818a822682

SHA512
2991da0c91ed2e1628b07a3634e4d7ba54cde827dd9ba979340cb168a987edc8ff1658aec0df1d042458adb016752eb0cd9a8b2bcd2ef87a25284d8a6432e275

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\20240523102821.pma
Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
390bc1ba1afaca0698bf7f39d2d90ca1

SHA1
5d028043a3f77011064e82e25eb851a2bb6a62ba

SHA256
1fc6f5d433784699f07d261a01117f295a15666c0d5abd4a33b1625b0647b051

SHA512
1ca781ab296b5f1023e30e3e164fac1243c8a8341520729ee8a3a89845aae1753b1f51990fefeaf297aff4e6187d0c41bec0a9ab02fd9386ea98a9a5d3b52056

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
89f55681cd116518c116754e0407b2c8

SHA1
f5d4aeb85e94ba181091d6a1ebca93915919c9c6

SHA256
f36101d056932eba1217b54d3ee1c54e0c6c4120087bf1e1e0781625d2be6fc9

SHA512
8db0dc249a77703508e63c8314af4bddcf54ac4f887b26409f743b344b94f9afe762d266cbac8b8097ffb28870d40841c7f64ed60acd087dbc1768db15b1c0cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
ccd1878100522f1e44a45e653d97a2d9

SHA1
fac6e4ffe6278a54e3d0a83903841ae01f6d3420

SHA256
d8b1b3d7db80ae2a1387021161021a0cf467c23873fe35e75ef6c5ae9c6f089e

SHA512
82d28f3864e02dd0206d286d99275c7ed0a9fcf9bf7ef48d989bfbaa4e50118589667cd6569200dde998cfa1022cbaee71d9a9f39c78d46ec5e279147c0bba4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
354B

MD5
57937fc36d6fe806b1080255ed240ba2

SHA1
f81c0271d99629140725ec039b8599e07c8703df

SHA256
8ff4d49c15810653682d4e3ab0e15f0b627ec59d76c5e117ea634e1ac8ea4434

SHA512
38367fd913f2da3fe58564fcf3885aac2186738715a3825e88edc749d3b1d6108de4c09f4100d4ef8e91cd49fce80bcbf3871c5676843f59a810daae34611267

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
8b7d593246c5e9fee0aae336c1ea2b92

SHA1
94681a9346518a70a4e690a0c0b6bb7052ffe688

SHA256
0e942ff8f863f79ad91beb5c08a0fc968f24267074b26d3122f2b16181d8aa8c

SHA512
70a2858cba6d4914716c0d84a662d367fc9e00d3bfb5af0f2d2dead14ca298924226e8a6f9acbb8b8627a52fbc0f14a01db08994e137d4d630b6acdf8f8d46bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe577b4a.TMP
Filesize
2KB

MD5
8e5632bb5baca5f24f88c9e2a8eb2b6d

SHA1
71f7dee86640b602595b40c6a65d7ed4498cf00d

SHA256
88575950e262396bd009db3c75b18b3a1cd44b7b869b90f9b2c961ce9b74c1ad

SHA512
def476d83ba944f2fe83839108072677672a230218192751dd5e37305d42816e2db59b6f368fe8d3ca8848542ac3e3732dea3a58187c1e14f372ff2f721dffcc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
91458305e38fb98895cb3a4e877b7c90

SHA1
76b0b98c5ca6c7b71a6549fbd8b38d81acfe3586

SHA256
bdb785188f30ba6200b7583c7425c7d2fb23da95b980a04b73537babe8db75de

SHA512
821b87f555fae0e10f2ccd4f2012e04858e825829a5bf7f827afe01a567712838f9c10bb1a1f7e9b8b20b36274351134957db1c10bf95a530c9d8b9d131086b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
257KB

MD5
dfb7cefc0537b4d497d843c5ef4eb1f5

SHA1
ccbfb17ab6fc0cc5a633473c9a3e45eb086b0bc2

SHA256
4efe0430113373e46165d895613c3a2443a0da9129001f2642fbad8aa05c10c8

SHA512
d074065de64e051b47fa491d9094903fb4edb4faba731b377f80e02621f600904f07569e5c1bee57af02da1a0a23d0b950737ad0e981855ebbfa42ded72c3f1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
262KB

MD5
43ac74955171218e95c2a91e702da77b

SHA1
c976467b1554ff546639a71a59bdc32af48532fc

SHA256
0e1c11b6e15ae39f79152aee5f73cd55f6829e7286d47a8e94de8670eeec5cfd

SHA512
ff6d9528bcf003a389b62dc2d1652e8c2b4beff02d380479d4cb41db5eaee2e309fa1e3bb50dbd92edaa4ca8d24a3ed7d1c1c2ea3c4f37fc896d2bf76a0e185a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
282KB

MD5
e5e9b4c78c5d6bc81e01a675fa59e26f

SHA1
ba6d574239a2d7fd71c005cc6688140d72980d37

SHA256
a0909729867e40a59a2ac99ac19b75563a6337537d05351579dc86fbfa1cb002

SHA512
0f63adba027ef5b1ef6f4a220ea8de64607c3ac66c34d3e1c8d8c60487cb0427faa967c5c142d0600bcd385bec21b2bcefcd112dff67b8fb239dc1e4c5381673

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
262KB

MD5
93d0e5065cfa5bc3e15193f908089afc

SHA1
fbe089525fb0c0fc09058ac4e4348fe7cab321ae

SHA256
7a13c5764efc81930195fc118725357ca3eaadc0a36319b23a401775cb83b846

SHA512
c592fbad936900555b4dff3272db55b7b06bfd9a33b9059a16db9397019aa10b23d9d7a214f3c87088c081fe91f7bbb1109c205736dba511f2c2190dc636e936

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
91KB

MD5
1050cdcdb985c78c8ce0f93e1fec8d7e

SHA1
b682ab26d708d9600f05a61dd51cbd53639c587a

SHA256
df1ceefcbf48ab2ca19a8b1a4f2fff80a4000f3825036dc063dba1d6ba8cce97

SHA512
8b36d8ca63a064c469ea1d4820574ef60f36ae611cfa29a14f358675b87695574759f78f3cbf2cbe827002e6f667c476338efd127d003b7bdf1c93486570fd06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57f08a.TMP
Filesize
88KB

MD5
ed3eb334648aaa5ac03e7fb05a877dcb

SHA1
ba21fd2f2e5696b490fe4f9f5bd21d81314be641

SHA256
9a05fd2388f2b86d456662f08e8757b783f0d03a086f762ca14dc73ff25ba730

SHA512
ceb5a27da957419cc57dbf6d0d1192d691213414cc131c77d26332c63167c98f098911b97317281c0f3f44ef61dfee641969620ef2252d849c031c983e2b7588

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
7KB

MD5
4b4af5e5434d844cde268e2774135950

SHA1
4764f1a0b638fb5ca4c1ce1ba8ab1b2b663063bf

SHA256
8e76c56247d8a1604b05e166d91cc648f5e44cd235307b49669e2f4caa8c40e1

SHA512
7d991a3d8f193e07c4eac3a44dbb2dbe4294f0e603b01d4f0ed940f382a51cb91e1a10939bdec69b9fd5ea60f455f350e60bdc746cb11329732c2b315ed248ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
8KB

MD5
d4eefcff7944905da96f9f0c477dc4e9

SHA1
928170822ebea941b3c09d99a5d2da2b9a00f003

SHA256
e59d52f07b811431b4eccc16c1c6b39d99df3104ffc930498e6905ca77953627

SHA512
054ce8799bf6bb09a390b5dd44e90413a72ac12aa06af039c70c59c17a029e4c766e1d36de9ee8ec584a39b2679d0e190dfa138ee6c370d2924dc67508dbff69

Download Submit
C:\Users\Admin\AppData\Roaming\c4d7c0e0c8648821.bin
Filesize
12KB

MD5
f2fbdfa52fd3ce1c123b8ad7dda5f52e

SHA1
2fb8a9d949247440800cce362f00674c8b12a36d

SHA256
ebf2ab4e6e8bb494f5f9a7f0b3a009abea7406c4c8996e78a847d4a985e0d892

SHA512
4901b5d08c1aa7634fe8508c02030cbb04142aaff81e849c3653ef9774926c990927922d08c8d7479ba7c76b40b4337b70f35651cefcfc720e9de24822d796d7

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
8cb909c792db686618dcf6d132fe6f73

SHA1
45362d0af9cf478b5e4f4936996391105abcaeea

SHA256
c7a8faf67a672ca01954255a919f02024a57f95e72f5c66d7280de63593a31a5

SHA512
f594dc272abd3f51314cf31c2b71a2e42ece7b936a1a175cc24c9f374d9d4cd983a732836d431b81a2b5d7889b7ade8a2c0d6550aa02ff41ffb8a6a385a9ff10

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
79287618555fe1ac73453f46f929ab1b

SHA1
7dbd3f5443b21db0ca24fae9516f4116a0e553d3

SHA256
98e9888cc182984af7b8af71000565d94dbf4370ff2fcd2f4feca360d7e686b4

SHA512
5f7916551981925d2941516382ccadb4c320903ab2fa91efb2e19027abd4d7ceed14748dd1e7e8e83b7c7c5c4f942245e71c222e25f24e4107153f8ca3758cea

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.3MB

MD5
eace061bf367b5058959a432a6678fdb

SHA1
fb7e936f2e935a8d326c4aab2646e4f4171e0a70

SHA256
ce69da2fcb55eb10f8b30580fc0adf3845534066f81dac13f03506557e6aa37f

SHA512
10de7d5474d2c4d2f2c23d9b8ad00305404ec3351dbdafd443ab0f141e9ec2cfd571b325f072c76f7a66f229916032a5b5073312794c56dfe56e7a7b36598a5d

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
8a99076752e8f5334037c5199503ec91

SHA1
2383445d9d7fafa958740a9c52f8f1e91da483e8

SHA256
b31d718e118f2ff4ba6cc574b92d401430968f05ca8612fe08cfc5d23f2a27f5

SHA512
c2b788a65fe0e5a21a07a42007386b55101ae9d230170a4b221087482cb060c6720ca5cba05c7b73ad8acb4e5c02e7260ef7f75e4d4ed9327a6ae2f5bdf39267

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
8b019eef81b0b63e0e7f6ff022a3f6de

SHA1
4aab2b007d52cd5874a7a9ab4ea43c73f726a2a6

SHA256
5a7320674ec702807ba492342ffd5d8801c68cf8e239f3706c0450ec7f112a9a

SHA512
8c056092b322decbf280734e2e5370a16604e0884ba59d6031758eff163334eeb193df8a2b04a9e12e26446a86d666d4eb096f478a208aaa3e5b20a85d693e47

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.5MB

MD5
44ee5f9b372a8126f08ca1e704418b01

SHA1
44af24a80b6b23f7294a75eb22eebed36d6060a1

SHA256
348c8b629c11708d0d18e07bee1127223f244dd88e5725d7d7ced1827e3f4372

SHA512
65fa87fb53e814e007bec66cd8e4e66cd25b5ce1760fa7fad7cfab8a23d89901ecca7aefab1d80e804af813daa685ff1524af03c9fc9fd9f1962c71f0e5150ce

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.3MB

MD5
a677e7b28aad65de02f4a8ca09baf1da

SHA1
32d46418eba9d925c3905a8986d98282babeddeb

SHA256
afc4c0182b082f01efb2f9675992e25b6bc439404f1cf579c6d17a9447e9ac67

SHA512
9325dd98900e7cd7146855376937202ac57ab4aa0918f345705b63075acc556a9f5ccebc8f6d8da0e9ea2dd8a7b26e757627e4c543a0e6fa57cf00d9ed1aec78

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
fd473b339b7d03b58de6562774582e63

SHA1
73dcf6762de0500acd6188f81133e509786ea2c4

SHA256
d37638fe605300fd1fe778c0adda0c2b637d0441598d69b29471b4aa838ab2ae

SHA512
632dbe171642d7bdb64c28dc8cfa6f046a34e28eac802d7be482efd22881cac8ebe9215556f54d2a9ffd74851ecc43906225cc8d2376e5184905b2933674a58a

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
bd1797a4668fed264129896233a6868d

SHA1
d860759c7e313559f5923630663537967effe3bd

SHA256
13742ab5c98826fbe1137109989c4529da7653a3d029ca2b85caf0aa0a6292d7

SHA512
26a619504fb9866b3e77d48aae0c93587d119d1442a4b0f1ee015cd5bb71d7fdee704e42d9f7a9895fcff3f501864b26bc6e9a96fe0bbbd02587d64bb9508c33

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
5de6d9acb8d4d2319003a4aea84e9a02

SHA1
40ba2a865e954ca273ade5d0557a87b7e06a7adf

SHA256
6b5d15ab8956f5508b96106c06d6a9ad536bee29872aaffdbde116a5fe76293a

SHA512
78246193a20b3a9865ffc86f6ccb9924b4d419cf7b46697de582d3deed3e4e2f84730a2dead9c1233c105a0837f66741334bdce08ffa230608beb9ddf346e9b2

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.5MB

MD5
dd6cdf7d41b8600ea63eaf8bec2e14e9

SHA1
c5fb7a118184bc3bfc156f82aa2cfee22ee94f16

SHA256
7d09fed75c10b409244e5e0f7fa3a30bc18c1b8674040087aba22b8bd8b56bce

SHA512
0e93e7c993d5e600efe41b4a508d90de1b4c18fb39fd4c46319157dd4b7469eace19aa94327d4e07e9b7436f6166fd3935a466af521f26a6a98c7106ad536abf

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
31bb2e1ebf39c1c73ce61a614b0e250b

SHA1
c163222a0dad639a83cf7bebaef19ceb98af8bbf

SHA256
41725c9e12aa67e9cd238a9dfdc7a797cd5cb86402dea5eaec96d8e00ee01e77

SHA512
d09f16fd153df04107b8386dc602593de579a7702372c69499992a09d8b685e3ef1b2b85382f1a5383125d64e0da09a49024a36bbae583abb3342f9bf0097cb6

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.3MB

MD5
761fff01abfd12fa57be13cc99d7c3c4

SHA1
a12e9becdbe93a18ff67d7fbccf3863625eb7793

SHA256
174a2e8990260f5eea55a1ea38830ca5b5c8adf768c0be837aa3dbae8f649d34

SHA512
259341e8f87138be584c52d5c5bc2f8f55890ed4db9194381e0db5d9e8a09c9861497a087da25c20523d90221f3fc7e6651f19db74b2aa3d8c23f965b2db7c3b

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.3MB

MD5
52a51fd3a31ca7c003b5832fc0dd7cb8

SHA1
f922a6795ed29c2a322274b583ffb023692ed6dd

SHA256
2c3e2a81e9da6422a4578e6011f3ed440e48cb50796e3d4c5c3150a1b35f2906

SHA512
1cb81edeec7662aec847a623f16dd56b67e031dcb715cec9c7992274436275da509868e1a56112014821025f7b9f556ff26eb269369f1d1db2b1faccaa821b7d

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.2MB

MD5
cd0324c7284bb2bf91fc6eee660a1039

SHA1
255e8bf20ca8c9eabc9a9fff9cf3e1f44c2daa83

SHA256
fa574733b9a6ecc66ee928a9408ded91b53691eb9aa335f7d90878b408055324

SHA512
9c1a55e55c11e68ae5f4badfd2ba0c1f52e0b0ccb0f8d09ee5e19ab25731148d92f51fa080ed54067034c175009c2dac2def026bc7ffcc52bacfd193495079c5

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
85a4e61a5f5760d5c5cc56d1890da99e

SHA1
0af81979d2b6edc8f0072fdbc48412749d74b20d

SHA256
05d1685f71b2749e01794feb639def5c444f9c829ee899922805853f7d8e3bfe

SHA512
7737c6376cc47fd28e3d279938ffce7e94a7a15296ded45d35ba396901fd5eb3afcf4e67d76f594191a3592861f84d2cee057a71621b5d8b61d12cb48c80f7ff

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.4MB

MD5
00361b20d9ea3a1275c252e84bfcf317

SHA1
d58291c836a9d840e3d709b2858bb0c1026b3e82

SHA256
27180ca8911ffdc1c1439c46ed358c09df6acfa8db7ca6c3bf20998cd0c8afea

SHA512
2229919cee4072ca3620bfe2a1fe357120acbd753c7bd9416a55c887a60ddc8d78694a8c0fa344465e15f27f32074cdc2f1f752daf0013075fe73c96818ae816

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
c318667bfd7457321ba0ee6b4328b3ed

SHA1
064851aa83df14e23de7e47fec1f4a1bc33e4e39

SHA256
417e12ca9472efbc0af83b9bfe3bc923475b0ccfa5c8264dc7a069362afb728d

SHA512
42ab1082a9efd6e72bde9bcacfd755c58837d5a690ac718678a1c1f77d16c0b0d85e55d04d58b63f1057d589d58b3c169bc82df4b1b6fd38b3f0c8f8338293ef

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
63c24fafa38c1b0109d7b33c1be0d22e

SHA1
9b3ae6d17378fa094069f9aef62df034089e3083

SHA256
5928caa89b1d2b710b06e2032deeeb129c5844abc95bb506a96a2181663fdb20

SHA512
1387ef7a3e1e729ec2d22463f44463c5645c772a8336127bbbc7532923abb04b62bbfadf10c12c2f6b50d1ffb567ae4059efe192f3fc0ffdd90ff0cafaacb6b0

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
263c88583c5b7f82826d5f5ceba8e0f1

SHA1
f86e79066948c1cb8d437b5b9970c78348a3464e

SHA256
80619f7da94bf7c598bf42a584c9cc7d606644791cc5defd0f120ac90a8edd35

SHA512
8512288d602cc6a40c29146f6df4832b2df1c6b9e2962907c98a491e5dfb5a047ced05c7cee0e462c6ee31ed30b31a1e1831039592a36e5aa5188acf979f771f

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.5MB

MD5
c23be6bd9ee9c16743ad43fb3e51ab31

SHA1
814e395bea0eb93b5378a9650cafc494ca177aa4

SHA256
aa48b7b2f0ed14e73c7757f34879c00d4c70005e87a4bdac26494952f1f2e8ee

SHA512
605ccb15cbd4aa460dc930052b25236c1dd703c91a1716a3cb7958d0f7270c8857082802d8002e78a5e403c742e27b8df177e650b3f811eaec17b333fede085c

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.2MB

MD5
f12615321982119c4a5b3ce8fd7fdb61

SHA1
0eea3362ce71974133b9eb9f9b772ef2f2010657

SHA256
e2765e0861bde7d569bb5ecdcf7f0eab7c3cc168a1520af15a2a3487e1d446d5

SHA512
4c728772cb1f9e9538b3a6306e0c5fc4c1bfb4d6434ff8971d8cd191a07dc56d4530862c4d5ee6e8146678caa3459c87b1e57e11df0e32d46514bb3d15e0979c

Download Submit
\??\pipe\crashpad_904_WZRZJVQOUPVVHXGC
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1476-342-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1572-352-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/2132-103-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2132-89-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2236-362-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2656-360-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2684-796-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2684-366-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3148-344-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3180-614-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3180-346-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3300-633-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3300-36-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3300-42-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3300-32-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3412-79-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3412-337-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3412-794-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3412-85-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3524-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3684-345-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3756-358-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3932-548-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/3932-20-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/3932-21-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3932-12-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4116-44-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/4116-54-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/4116-53-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4192-335-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4260-66-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4260-57-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/4260-102-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4260-63-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/4272-0-0x0000000001FB0000-0x0000000002010000-memory.dmp

Filesize
384KB

Download
memory/4272-8-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4272-9-0x0000000001FB0000-0x0000000002010000-memory.dmp

Filesize
384KB

Download
memory/4272-30-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4448-359-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4604-356-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4652-353-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4848-75-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4848-69-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4848-68-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4848-436-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4884-343-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/5000-795-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/5000-364-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/5332-797-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5332-557-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5556-609-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5556-546-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5828-602-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5828-571-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5860-802-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5860-583-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download