746f73f4d9a722541cd7977c467ad0df1525bbad303b6cea188fab29d3b5be0a

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 21:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
Size

5.5MB
MD5

666c62894b6bf751ea890ed103960370
SHA1

9ee8f350f5821097a4f60be35f9bbe4b55cda784
SHA256

746f73f4d9a722541cd7977c467ad0df1525bbad303b6cea188fab29d3b5be0a
SHA512

36dded0ad009e9e375062de686a2efa35920b9eaa971e0ca35f23d1b4842334a990543e3f8d6942a805c0798dbee04ad476d6dc2a3bd3ce3ce6d9beb0cfa6d59
SSDEEP

49152:4EFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfL:WAI5pAdVJn9tbnR1VgBVmZJ3rL

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
4508	alg.exe
3244	DiagnosticsHub.StandardCollector.Service.exe
4976	fxssvc.exe
1376	elevation_service.exe
4528	elevation_service.exe
3708	maintenanceservice.exe
3912	msdtc.exe
1280	OSE.EXE
3600	PerceptionSimulationService.exe
1652	perfhost.exe
4756	locator.exe
736	SensorDataService.exe
868	snmptrap.exe
3708	spectrum.exe
2636	ssh-agent.exe
5072	TieringEngineService.exe
3196	AgentService.exe
4104	vds.exe
2996	vssvc.exe
4656	wbengine.exe
5152	WmiApSrv.exe
5268	SearchIndexer.exe
5528	chrmstp.exe
5600	chrmstp.exe
5788	chrmstp.exe
5868	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

msdtc.exe2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exealg.exe2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe

description	ioc	process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\55f15eb2c3136770.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
File opened for modification	C:\Program Files\MountComplete.exe	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{372EF552-D8CF-402C-B62E-CA3A4C643A96}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001dde1d1a22aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004e4b361422aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b7d43f1422aeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000069715c1422aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007799441422aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000051e5901422aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000056b9f71922aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000665f2a1422aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ea0e5a1422aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

Processes:

chrome.exe2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exechrome.exe

pid	process
4744	chrome.exe
4744	chrome.exe
1340	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
1340	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
1340	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
1340	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
1340	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
1340	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
1340	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
1340	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
1340	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
1340	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
1340	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
1340	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
1340	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
1340	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
1340	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
1340	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
1340	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
1340	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
1340	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
1340	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
1340	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
1340	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
1340	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
1340	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
1340	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
1340	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
1340	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
1340	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
1340	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
1340	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
1340	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
1340	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
1340	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
1340	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
1340	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
4744	chrome.exe
4744	chrome.exe
2572	chrome.exe
2572	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

4744 chrome.exe
4744 chrome.exe
4744 chrome.exe

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exefxssvc.exechrome.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2924	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
Token: SeTakeOwnershipPrivilege	1340	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
Token: SeAuditPrivilege	4976	fxssvc.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeRestorePrivilege	5072	TieringEngineService.exe
Token: SeManageVolumePrivilege	5072	TieringEngineService.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeAssignPrimaryTokenPrivilege	3196	AgentService.exe
Token: SeBackupPrivilege	2996	vssvc.exe
Token: SeRestorePrivilege	2996	vssvc.exe
Token: SeAuditPrivilege	2996	vssvc.exe
Token: SeBackupPrivilege	4656	wbengine.exe
Token: SeRestorePrivilege	4656	wbengine.exe
Token: SeSecurityPrivilege	4656	wbengine.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: 33	5268	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5268	SearchIndexer.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

4744 chrome.exe
4744 chrome.exe
4744 chrome.exe
5788 chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exechrome.exe

description	pid	process	target process
PID 2924 wrote to memory of 1340	2924	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
PID 2924 wrote to memory of 1340	2924	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
PID 2924 wrote to memory of 4744	2924	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe	chrome.exe
PID 2924 wrote to memory of 4744	2924	2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe	chrome.exe
PID 4744 wrote to memory of 2276	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 2276	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 1000	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 1000	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 1000	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 1000	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 1000	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 1000	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 1000	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 1000	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 1000	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 1000	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 1000	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 1000	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 1000	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 1000	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 1000	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 1000	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 1000	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 1000	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 1000	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 1000	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 1000	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 1000	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 1000	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 1000	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 1000	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 1000	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 1000	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 1000	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 1000	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 1000	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 1000	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 1524	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 1524	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3376	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3376	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3376	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3376	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3376	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3376	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3376	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3376	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3376	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3376	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3376	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3376	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3376	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3376	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3376	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3376	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3376	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3376	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3376	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3376	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3376	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3376	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3376	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3376	4744	chrome.exe	chrome.exe
PID 4744 wrote to memory of 3376	4744	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2924

C:\Users\Admin\AppData\Local\Temp\2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_666c62894b6bf751ea890ed103960370_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2dc,0x2e0,0x2e4,0x29c,0x2e8,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff0872ab58,0x7fff0872ab68,0x7fff0872ab78
3⤵
PID:2276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1656 --field-trial-handle=1968,i,15551075410382873294,12951808796718109031,131072 /prefetch:2
3⤵
PID:1000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1968,i,15551075410382873294,12951808796718109031,131072 /prefetch:8
3⤵
PID:1524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2172 --field-trial-handle=1968,i,15551075410382873294,12951808796718109031,131072 /prefetch:8
3⤵
PID:3376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3044 --field-trial-handle=1968,i,15551075410382873294,12951808796718109031,131072 /prefetch:1
3⤵
PID:4824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3052 --field-trial-handle=1968,i,15551075410382873294,12951808796718109031,131072 /prefetch:1
3⤵
PID:2240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4084 --field-trial-handle=1968,i,15551075410382873294,12951808796718109031,131072 /prefetch:1
3⤵
PID:4256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4300 --field-trial-handle=1968,i,15551075410382873294,12951808796718109031,131072 /prefetch:8
3⤵
PID:2648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4572 --field-trial-handle=1968,i,15551075410382873294,12951808796718109031,131072 /prefetch:8
3⤵
PID:1100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4628 --field-trial-handle=1968,i,15551075410382873294,12951808796718109031,131072 /prefetch:8
3⤵
PID:5592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4488 --field-trial-handle=1968,i,15551075410382873294,12951808796718109031,131072 /prefetch:8
3⤵
PID:6116

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:5528

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
4⤵
- Executes dropped EXE
PID:5600

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5788

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
5⤵
- Executes dropped EXE
PID:5868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4564 --field-trial-handle=1968,i,15551075410382873294,12951808796718109031,131072 /prefetch:8
3⤵
PID:5284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4916 --field-trial-handle=1968,i,15551075410382873294,12951808796718109031,131072 /prefetch:8
3⤵
PID:1516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 --field-trial-handle=1968,i,15551075410382873294,12951808796718109031,131072 /prefetch:8
3⤵
PID:5636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5016 --field-trial-handle=1968,i,15551075410382873294,12951808796718109031,131072 /prefetch:8
3⤵
PID:5512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1920 --field-trial-handle=1968,i,15551075410382873294,12951808796718109031,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2572

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4508

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3244

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3536

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4976

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1376

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4528

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3708

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3912

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1280

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3600

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1652

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4756

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:736

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:868

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3708

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2636

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1344

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3196

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4104

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2996

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4656

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5152

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5268

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5960

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:6032

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
2a2d439fca05bcdafae1bcff0e4e7c40

SHA1
28f585f7fcee08522fd2d255d5ed79068a0cb402

SHA256
2981ad7f5b90eded91772dddcd18a1bac6f6bf1cadcacd6d9d95e298dffad297

SHA512
7f21843a30305ad8189ba8907c69bb54f0f9f662525ba74623bb4998a88d63406395804dac6c6308d8f8ba523b358756e672fbf62ce5cfa5467745f19bbd8f9b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
6ef94062fa006b7d5f748375476db6bf

SHA1
d4dc877a35d0166baef2d52928dae5c94cf30d4f

SHA256
7cd376cccf5d78bc25498678d490b916893987bedfbbca704c52923442110a3c

SHA512
d18c7499310edf57a185a761a4e65b28896afe3a18bac79415896057e0ef718514216805b7d640b30b8a65c61485ad3845e67a39c377f6f4de92f014820efd3d

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.7MB

MD5
bd11f352dc90efc2718099ca7f8ba2e2

SHA1
ba2d2795d46bba28fb7a495fcdaa8241a1e02c24

SHA256
80bd958bb7b7bc43f88ba60b744075c5483e8b0a29071ab85d4e846a8f2ccb94

SHA512
d276c41512ceed47a54006431e3696731e0af0dbcab50e159abc34e9734582f67309209b933db24521891183035c708fec2a752cbf411480139ff74cb541188a

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
9738bd83930c9685816d6ef66d816fda

SHA1
ecb9833a905ac7568f4ea2ae0896ba080269ace0

SHA256
d67d4f1d3b0bc72209ddfb36b09a1cd2e6e312c8095730e7e19417550fbc3ec0

SHA512
b209b6f2d07b7cb0dc87574afb35d901bd39f0508097d34cdb57fe734006e454e162b5570cdd2003b9fbcd674263bb242f3be282536a788cc68ddec873f8baea

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
ba3cef4e42dd25f197fb191db83cdc46

SHA1
81bfae2fa48516d783f6c8d07ccb076508fefc09

SHA256
a69e0e82b2083d580be4f9403862be07f9af98c80edd3ad639e8e2266036a6e0

SHA512
be9cf6862aaddb5108a8389a45383e87578fc75afe43c86a303b45a1362f6636bc86d17bf4760a50c517eaab490f97f3c62687c4a299cd8790f7fabb1cd7995a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.2MB

MD5
059615bb3addcdd9937470b9904eaefc

SHA1
bc82ec7290cdac23cd3a3a7cc6914fe29d65fdf8

SHA256
697b8b66b6e150d28870597939bd524d45e56172bed6f27db92a6659e6cfa00f

SHA512
3b6003280ceb329f4e0d1309784e1e946b9d125cba4da8f130006fa4dc835e7dd5d705dfed2375823de35dbdb322f70f14ff5dc373c71c4686eb3e79b1ca0784

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.4MB

MD5
aca74f8fcf32852e9eae1f9f7096c75b

SHA1
a4a13620f003b12949b9b8bda096693ff2a64d7f

SHA256
0690b98c563adeb243c9bbc2d4ef9e96671c18301a385cab14744e89d7257edf

SHA512
45600b61927eb36c939001f2dd149692430bedec8b64595dd4d6e1c3bcac00002ae912aac16783e887af2361c0192a15ec9cc97fc655b4033ab7151faca6dd1f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
c5bf4ef63512db978ac1f25094e7feec

SHA1
ca26a8d6aac17d975e57532ba5eab62aad82b526

SHA256
6e598189626bbeb08935bc060db866aedc475dd0d29b54713d51e1ce3c22d437

SHA512
d90411dc82e56487d1f4ecc6821807db8a50729e9902c8d9f6f38b3c33d8969504c4b2f80779b0e7bbedc3c8ea9d393a794c9578090e0ee0324ac2586c27ea91

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
6f6f0c7a990b18bc93dc66c52e5fbdf5

SHA1
391fcf764c2f168cabc7dc9ace9ac8795b26e00a

SHA256
d1e948b6873b83f760f4fafcdce7395309e0b15cc3c5c9b1a82523c865e3bdb7

SHA512
0398f5f1ab8157ae903c6ed5803b30b64552763eddfabaaa13612528115016fa120544c866b786b71739387a7f09cff08a1542bce5300b8b0c885c7760778c6e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.4MB

MD5
1c00b26198efee89f140619295d18737

SHA1
3f7974f41d4647caed1794c1199fdae9ede6c148

SHA256
47040e8351712a818626363efd3ef22be16dde1038ac78897eb2e46eea6b003d

SHA512
45be1ecf05213c0e243b884d5c4a96d5e778a5aff4a879238611b1b44d3b938740308b1095934bcf3431aa3e7b93b0d51230825deaf3dd98f4ae0178a0735b41

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
ca3744e8c77ae9b706aac1e530ee1491

SHA1
ec71166f982ee23cb8092edfa1f7b6c7e0925d4f

SHA256
8c18d9f8a768554bc48b2ba11f089716430dac4e164c3419248ade24f6117025

SHA512
7da00f010f220a8f78f87236ec2cf4a18b8039f0eab55aca4f581adcfeb7c82d6198cb5c24ca3f59212162455068c5f5b0f57d43cc5f55c4a815bf91ed275bbc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
92895373fcb770f3e6f3bfb7b703982e

SHA1
61591b7fd0f26ffb342ea3df8223408fcd9af806

SHA256
f79bdb13aa2c8fca8a93e8a3d38fbf2eca67828a91e2964cf8bfe9850605134a

SHA512
8fa2a68e3d34cac0b9ff0694ae08b47fffa55ffd76b9d7c0899e74aa3174d5b8713852ed04fa17a248a259253e03109e6c7b62b6d5c20b327567edc730659db9

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\1dbf2e02-ca43-4fb4-964d-3c63888bb673.tmp
Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
1ecd5828995c59d8a696f243d5c971e8

SHA1
db28cf3e02c4d22fb9e6c160c17bac2630a2ecbe

SHA256
1e42672a0e6c790ef9797007881eafa4201ff136dde18c67e38914eb194c5f00

SHA512
bd54423d7f8b0b3d48f49f80983c8683e655e327f9309a9d1a7eb413bc078db70a152022d6faeccbdb2600cc63abe0e53367ed60e20f58463641ea436d421f57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
757f9692a70d6d6f226ba652bbcffe53

SHA1
771e76fc92d2bf676b3c8e3459ab1a2a1257ff5b

SHA256
d0c09cff1833071e93cda9a4b8141a154dba5964db2c6d773ea98625860d13ad

SHA512
79580dd7eb264967e0f97d0676ba2fcf0c99943681cad40e657e8e246df1b956f6daeb4585c5913ca3a93fdfd768933730a9a97a9018efa33c829ab1dea7a150

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
0de4cc51b1e7456c79751834799f798b

SHA1
0457fe1657b7a601abb1f5bd3b4f46b73322dfdc

SHA256
eb238f7a305a7f601c99339b3581d5d8cb9354590a043d4a83b5cafb67d2403d

SHA512
a0d83513993e7ec5c7c3bd73296bfb250d205516a970bf38aed76be1e9e803cb8242b5dc2ddad6e8e54bd819c71e5e2d896f9a6d3770bab984e5b07d9af5036b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
96a3b0a6341339ff9548b60de26968ec

SHA1
16bd234177cbae3dc63fc8a2a4379a31d34c945d

SHA256
d6f2afde54e9844648453f2d2a21c7d4a19fbbf7f13ef958bee35fb608d57137

SHA512
90d916d95d8ac0eec3d12d1431d1e1912e88bb44c609c90785b3316134fa8191d0fd8b29d1342cfcab071f684332c81a14424f55f1d8bc494bec4da326e80766

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
1427e991d2f418b3989c2efc27a792a1

SHA1
f8e0b285b92bb5006b999039a5459cb045a8abba

SHA256
a176d7c9e68dfe972b57284547c3d8b12f3f37f64eba4bf1616b5cdd55107fbd

SHA512
a94899cc19dce7b6a1f93ea00a3414b4c7abfc858ae75f425285d013af64a5d4033f561504c29ef457c88f51ab3b0db2212164547db98e9b32c3749f95079068

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe578443.TMP
Filesize
2KB

MD5
6c38709f2b92b4197d45f6df3df81cb9

SHA1
92d1adb3512f085dba8c03ea68d926704ebbbda3

SHA256
d5bb9e1c53b6d6dd67dcfdf3963d7d8b0dd3094ce6a86851e8b8ab7d3d6f235a

SHA512
3cc01f22a75c283dd55a4fc9b02211776bc1246ae7787ffeee21a25d0ea8ddaafbb70cbe8d0976356fcff59c9be8e9c178c15264d2a44df3653bb1e03fe41bf9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
baaf0ab617f0dd831459b7fe2c80bc4d

SHA1
77c8817e068206453a4f49542877db16052fb67a

SHA256
ea307f547ef23d9ed39b0f1230b83385ef10b710a089d260d7b1bbfffb4fee6b

SHA512
fdd83e407aa820cd89ce59546caca25e445beae118dbf42dfc44c77a846eeb734d61736e9794ecf7cd903f6c84f789e22d0d6110499f934c1f3107b35ba2e98c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
262KB

MD5
ec57739e69c66e75cf4a303078cb1265

SHA1
a5e85c372e4900b925a6c8d8530d3c685b7bc3ba

SHA256
d140fb828691d56939baa6d4538efbfc510f986ac73e00013665f95d8dec35ac

SHA512
ee05a4be7c0092bbbdd74804413933d8fd196680adfcc6734f9ea73b7473ffdb614c4a8dc1462cf48d09826484df05463554f3b14718f2531532a9db8fcc3676

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
257KB

MD5
95dfbef0e9b06504c93b76b3d84db614

SHA1
96eb2f79263b80e7219581979c8c5df635c89e50

SHA256
8538a25a90f58e12797ab7561b01cda84292b741e9d17d6e1e9cd64af089b8d8

SHA512
1775d8d86bd8e0a6f34e2336e22fb851f6261fe9f33ec8b7e78b4df134dce853db3ba34f66cc0318562caecb30a17482c5e9cc2758fc489bc84e9c9473d0e8d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
282KB

MD5
b355adc79433dff7b3d0413a2fa55e36

SHA1
83290746e396a279b89987c5192c1e1b34d7b538

SHA256
59f1277f9ea9e4e1997a26517fc72f545bed1c8f5b5054b403b847dff86b2322

SHA512
f19e1bd0f3711c7095489a48a965e7d197dbe9caa4a1247a2876a96274f15ce465e10eb225d2cdedebc4a3796163f88b4c46dde560cac8b1f5ed0df81454170f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
262KB

MD5
6c9eda108db7737ca0dd318a4f175a60

SHA1
45978903e9b4007064898df7744d34c1e4044778

SHA256
398e51e91f41d6e7e664c5b79a361bef3541adc5fc69560faf07369ac0f02520

SHA512
025dfe188008cd9d80b00c8d34b0ec660ce145cf7825f611c7cb306c3c9b67d785b34ed33ec8da64f7776f07f1ddf7795df4532e9ac64c21eac5c771be4c8e77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
91KB

MD5
f6c375ff7b05f29e351ef1d9e7eacc0d

SHA1
c01433db0a9d6083f1ddf93ea197b94c3009ce15

SHA256
fdff3ac59ebd3d741dfef77f8c98446ede940b81728d7fa70ad0b15c63635912

SHA512
7c28dba63b1b119ea6efab3088838b71257d70d0dbd182bbaf174a01abb675106404604fb0b3388b98a2c0e4947960fb47f6e6c7a3dddbde67a14bc83213beaf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57f9c1.TMP
Filesize
88KB

MD5
12cb0ab81ff24b822381934d112fea03

SHA1
c38d28b7d8e1621676d46f829670e847c8ffc14d

SHA256
96b3c69f660da51801bbc845c6f445aa8cde506ea602e6c0654fa0c25f29d518

SHA512
993c4ac996315ea80fdc07d2a6ec5511d2fb7e4483d195346325730c24229869ca71ea607bb9ffcdefdb8708db3239a720586b71addee83928ad90a1e18323b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
7KB

MD5
cd2adfa95d479a19659d450f72f9f546

SHA1
2a20ddc6b56cd2f6ef77ba490a79ac991531b144

SHA256
90ca5d3f71493d69e5895cea1710e6241c64cd9beff8527d7f02d3dcd3ab1222

SHA512
996ebea40bdcacd524f06334837e105758be9985d7ed723d0faf405a006b117a69d89c0b760f77d59e40423b10f4852ed6fe7bda51bc860125a2d2366cd663a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
8KB

MD5
9182eda8b1ca075a8d38c9491a943382

SHA1
006e903b945a1273470662b63ef5bebece0f3985

SHA256
b44babd8262102e8f169c0a6f99e71085c1770bc297663b80136a2f3da07c7f3

SHA512
ed0629e5ad4e3aa5cd4ff4cd99e2671aeed4870fb9df06db4f214d6a2091d39cea4029b71ef8cd63f661e778025ef532e0094606c7ff700dc9e8b7772d29a151

Download Submit
C:\Users\Admin\AppData\Roaming\55f15eb2c3136770.bin
Filesize
12KB

MD5
64334739cbba297b278e2efeb48a3f31

SHA1
0e226b385f681310d0ee7bf33ad7921e88cf4af9

SHA256
facf48f6acd1d46eb346369dc24f149034649dd0c703275103dd58f0269000fd

SHA512
ae3f2797c02b37916171c71923365feb067e9363dcf90cd29ce79edfda5f399279174e3df098d52fa7e957f58e1ca62256244e5740227a1cfa16e970969ab7ea

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
2be5af777de0f005435981cc56904ca3

SHA1
eecc33d2d2509f8492c3357d04b514300f25f8f4

SHA256
0655ad590bfb5575b283b2a6248c1225c9a2954c356a3ca3212de69bee6b307b

SHA512
fc905831e57214e7990a5fcfc3f52e5edb8b31ab461321822fce1083abf13a206f36ed8fae5bd161cc3e285bd43a31f8997b3fd73e5212e47222cd51d7673a58

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
8844ff41478f994e381a37c6434c233f

SHA1
64c2ad23b90f3e07f05d0c4bba15f68979ee2515

SHA256
f2299ad99b58dd65cc6895d71c018925c6bdf981eae73b28f1b34a12e4552dee

SHA512
017d358dfd96919f2a890a832503cd8bfd9e6ba1a30023282d046d6fb300a6034d332a12c51ba2e3e3bd7cea2efedc4ede5c26359aea5c6b4d9528de07d6ba22

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.3MB

MD5
5ea35a3ff9540005a2f594e88f246f07

SHA1
a9549311399126037d87b3d9ac84baac5e919d2f

SHA256
8820063035da189d9125f92dfbe2066e46570487926169a5ff28b984288c4093

SHA512
323033a437b8292d8d7136b43e152ae9f897dd50e43bbfb960ddaec72dbb9044c7f2d0038a0151e7944aeea9b2d19bc4490bf058e3809063771ead155411a21f

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
28b8fd3ebdab2c8200866f06b6cb79ca

SHA1
0f268961f28e373381448899882dce85ce5ec79a

SHA256
469641710b98f3c950b6c1577dd9305180dcf8b0fe7ce5fb0a680f483a339805

SHA512
9ed6ca3357d8f633c0dded5d5ba4c198b88629ff036b9e259d1c33b065c23e54f7049131eb0491093d74c7e7452fd68047f4428672b294c34fe9a36741704844

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
5f08002bae4a15f0b99985166ede76a1

SHA1
12395e650f8e0afdf486b68b94adc32e493d849f

SHA256
46d902d420f5f2f768f174bd7d07cc10bfecc8801c4a5a91277cedf6ca09e047

SHA512
e9b4c769d1e2ecef099ec0229ded5bce64ebaa856f975bbde0edaa10e06960de8527ffbef02ecbafad27f316a178c6a9042bdcf571282e338e6cf92db636b8ee

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.5MB

MD5
6d698e6017de586d85c96f275edb0dca

SHA1
6690675b93642a879fd3ac91cdfb9e32eb94b05f

SHA256
75abf3f6ad13d6515862fd90c4ff5ae960baed6f3dc778291291f23130bc2b4d

SHA512
6436536058fb9c25ef1d677b1cf9bfc0baee611614c731f8dba8cfb86091cf7bdbea102fb816a49f7eaef5a5d77d1cedb2185070927c377e9f749e064a4926d4

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.3MB

MD5
9628e9f88009b394ca38e548ef13a5d1

SHA1
992cc6c1d3f19f4050b0a1ab138b543396a2ccf5

SHA256
b490e4f4ba64f46001a70b71d753fe38aab19788c4588327d731f0aaf2e17d76

SHA512
e67ac9157106fc9370809be114e5fd7bcf8b005a2da20a93f91d2f55b394b71fc8a90ab5c2a3169e5fef658eba4de63757f16af3b788fda02405593e813250fe

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
e1b4e56321b8c95ac36c4e427d06ff09

SHA1
358aa03806cde6e6fd3ab0e5675347fba79dd5c6

SHA256
639e6f7e4be1098571b4288ca1da12850250a5b75679c626803ebec437b899a7

SHA512
f4293dfae34872877ca63066fc23cdf902c4e24a26a908b6857257f6ac18ff421799fcc8fb3f749fda91802098b761906aa5c496ee65be283d9094b8f1403ec6

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
d4882e9768b12bc91103a996adb705d0

SHA1
71beb72ac13a584b3e65425d00ce21ec3ff82456

SHA256
1b1e957f4611a62c9794f04fa933732ccdc689669590f1195d30681bfd8f3da9

SHA512
8f867335e5dadcb86b05928e825e40556d040b5b79a8ca8ce3e610fc38fbf09044eda7b8f67619af6864ba8decdaefff7fbbd58ca54c6cc046540a8a41b015d3

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
7c9e894e96d8415c049f7965542fe6e6

SHA1
f101a515edd55cf081a300e94ed780743fbff319

SHA256
67686b8acf9f4e825ce6beefcbb9f3723ef3c97336f59a33cb9c6a91066fccae

SHA512
f875b6109d6679f8f71005ae8e55a26368952a8d28514c46794036642a5e4147a1e3887ab0f775cae39a8413767370a823a68cb0be923ee8ab05a6cea342631d

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.5MB

MD5
585ca169ac5693510c369e1ad85e029a

SHA1
d032823cead4e7d3aa66876a99e22d145522e08d

SHA256
0e8402b8bb6efb27b1c2d48f8e687fee28e576cd8fb1dff9d2dfcec7092ef83b

SHA512
8670561265cc8dfea50e702627e611039ca1e184de7d7b5a3616e16b27db70a35a8c3ab578d60c4e55ef29c20e34a0a742125b41113a953d18c4da5f3706a357

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
b912ece1abdd6c6831736aacf95de3ac

SHA1
c5b10b85ec329df16c666608bfefe45367a2917e

SHA256
b0d9fe0c6a7bc53739d49d48a5fe1d974c2ac0d6fd1a4284a0e8717e6d5a4251

SHA512
cdf864de7dff06074f0d3e5c087e62372140f58bbc4466c48f5be3ad6662a74af8a6b2d04226f261d327720faba197b4632a9eef358b5af2d702203fb46cf1d8

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.3MB

MD5
2441ab853741039da7b5ff3ed79c6320

SHA1
269d55d37e8a819ff26e70a3d66c6bcba9df8dcb

SHA256
5ff8b1dbc49e81bc6e6419b90df787c7bbabf8f45c17ff642117ddf89598f89a

SHA512
cbac653c47d4b3f1adc0240eacc1fb9405658da8185ae711956ecb78ebe93ab5a71f513aa5f51c345da7736c1c84882178fcb111eec7751202fe2c0cc416fcbd

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.3MB

MD5
7b653c60c19f4686a57f1526d8f283e5

SHA1
99bd6f02dd30e3f9e30203feb0b701636cec4c5a

SHA256
155b643811fd684cce0e543c46aac26b89ae02d182564f6800675b3f030ed52b

SHA512
b0ebd4fee952615e00ddd33aa659b22b225394a6c5f058e223cf33fbb73fc72b4082a3903440f8f7b146f9868836751251110d02991d4a7a3d11829655ddc879

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.2MB

MD5
79b4c6b4eb46ca0602e200496b8d6961

SHA1
fd0bcdd18b56d652dd6f76344f8ef2187523a613

SHA256
266a0bece8efdbdecce6f916427c4310259b612eb364c0c0862bc8a950119c5b

SHA512
0cfb78cffea5051327679eab60c0581d7a9f4cbe7e6962331e9658aede1bb58fda4bb14c7e1fd207771033b2b8b86bd474f286034b0fb0abcd7b2ac5ce0164f7

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
360188606a62954cb2b2ebb006dc9d96

SHA1
5d84624821fe841115f45f53a5b80c9805efff50

SHA256
f84504a9f5a0d035e20a1fdfcb79a56ef54d6271e98ab679771cf08d45868d04

SHA512
1ac34da02c5f1a716bc88f59b331646e1bece0f8f90513c0945c4c1f3ca5277c3acc6f817bd97bb9c8445108cb42047834b418cdd41f7064d9a383272dc7aeb3

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.4MB

MD5
68bd27891d389fd7bbed64b5841aeb72

SHA1
cf607b70ef62bd8b851dea728201acc65b4024df

SHA256
7ab1a60bfe0e809d08868f35ebf39a1739105aa6d81b1becb3c31361e62efce3

SHA512
876d055dfb908feaf7e0d585d6761b22846ab5f26b97d7152dc5bac94669867f8cd9f14bd63f053ebec80535257734e473b86cc3e4db2d4dd11d0504598e77e2

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
84dc03671fe24c7e7384921c08c88bbb

SHA1
b0219123265d0a1cca05fff10bb5e7e22a5c0a17

SHA256
ebe83867438d45056a31eea89d7ff173b6d3c96cc74461713aa97b91bee56bcd

SHA512
2c4593146dd139d9ff902aebf8782995a7490123daeb543c00197cb2f6df9b15023416c702b9ba44c4a810e2ce2631ff7ac3b271822d39ebbf039760f4250491

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
8323eb783d4b3475bc1107f7b22fe30a

SHA1
8b61ba2d4ceddcce64913e45b0b3aaedba641153

SHA256
b04e4a8229ad76f418899a184586a34f1da04653efdd8f0386b76fe7282bd7c4

SHA512
a6e5fa59549dd9f848741b7c5e0e99e3efd1ac639e61a1a430fe7a62e6f13bf625fc22d619b29e9319f0bddd46eda6bd61057d4afcde7c846a72bf6e4ef79972

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
3a81d6c8cb05097f0a9711609ec54709

SHA1
09aeee08187d04ba74d34e80b3f2368bc6e13dc9

SHA256
684ebf86a1edcd51a6c3ce9a9abb109936de95dea0050a017d43f6f357950fe8

SHA512
31f8bec32a9cef17a5a32199f811c230d7a744a7eed4bac879d0afd8ea9a30c78b338e3e4445424e08946d5fb8b412b8c0fe311b7d8d063f219497ed564fbcfd

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.5MB

MD5
8e886712814aa49c33d7b4baf9efa28b

SHA1
b092f0cac407b15038de5d2f520de170fe3f69e7

SHA256
4e1ff80cb10f1de8575f3431b82c0b651e4645803fd254d9479a6cf118cdc0f7

SHA512
91699b8b47dc49ec2718a6cead6cef78e93f56ce6b5326c62320bc74f07798ea426054134b789d618b86de578a51408ed057a0b9033b68f11cb74e525be46cee

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.2MB

MD5
0643f655007896bba130a25d77f4c619

SHA1
f1631f927ed597dad99b19fe037e43bf567c8c0b

SHA256
3a6c55faa0dae364104dddba6211dcd9f98b8197f3cd58a0ad2ae4e1b2bd50a8

SHA512
ccc4db50348def4b657a3e9b110810ab2662776445b61351ac7373ece3e0c889850a8d5300b55a3c1c76ef6c79bd531256032dd842b366ac1797e0120a0ba652

Download Submit
\??\pipe\crashpad_4744_VINPLELHVKQHFBCD
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/736-209-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/736-633-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/868-506-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/868-210-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/1280-149-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/1340-19-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1340-148-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1340-20-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/1340-11-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/1376-66-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/1376-72-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/1376-74-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1376-175-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1652-208-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2636-238-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/2636-549-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/2924-0-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2924-38-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2924-6-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2924-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2924-31-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2996-305-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2996-664-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3196-281-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3196-282-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3244-50-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3244-44-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3244-52-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/3600-159-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3600-331-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3708-524-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3708-103-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/3708-224-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3708-100-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/3708-90-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/3912-134-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/4104-663-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4104-294-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4508-34-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/4508-23-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4508-223-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/4508-29-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4528-85-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4528-88-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4528-293-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4528-79-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4656-678-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4656-308-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4756-207-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4976-55-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/4976-61-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/4976-106-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4976-64-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5072-577-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/5072-241-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/5152-327-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/5152-679-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/5268-732-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5268-332-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5528-520-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5528-605-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5600-737-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5600-537-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5788-594-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5788-576-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5868-738-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5868-580-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download