7a5eb1363a225b1b1a2fe58efcb99c48de36ebd7e207956e88f4f8b415244b74

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 11:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
Size

4.6MB
MD5

71ec51c1870513ef63900629e80482ae
SHA1

5984a9a50b7eb7b615b52ababc95351b0fd899fe
SHA256

7a5eb1363a225b1b1a2fe58efcb99c48de36ebd7e207956e88f4f8b415244b74
SHA512

e84e6bf8c5726d34918e253d02ea66a64c780f5bb555740a00733944ada396bf6d373bc1c6a8002e0874dbaf5faecb4339dce849fd729d302879ab7192198375
SSDEEP

49152:lndPjazwYcCOlBWD9rqGfi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAGu:x2D86iFIIm3Gob5AcUD527BWG

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
1604	alg.exe
3728	DiagnosticsHub.StandardCollector.Service.exe
2500	fxssvc.exe
5036	elevation_service.exe
464	elevation_service.exe
1048	maintenanceservice.exe
1864	msdtc.exe
4312	OSE.EXE
4400	PerceptionSimulationService.exe
4284	perfhost.exe
3236	locator.exe
1104	SensorDataService.exe
3208	snmptrap.exe
2472	spectrum.exe
612	ssh-agent.exe
4020	TieringEngineService.exe
4596	AgentService.exe
3084	vds.exe
1020	vssvc.exe
5208	wbengine.exe
5372	WmiApSrv.exe
5612	SearchIndexer.exe
5852	chrmstp.exe
5948	chrmstp.exe
5964	chrmstp.exe
5156	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8acf412392be0f3e.bin	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exe2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe

Drops file in Windows directory 3 IoCs

Processes:

alg.exe2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchIndexer.exeSearchFilterHost.exechrome.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c6d15f4bd0adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133610248926561665"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003a9f8b4ad0adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b8dc484ad0adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000917634ad0adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f165714ad0adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

chrome.exe2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exechrome.exe

pid	process
1136	chrome.exe
1136	chrome.exe
3724	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
3724	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
3724	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
3724	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
3724	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
3724	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
3724	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
3724	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
3724	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
3724	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
3724	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
3724	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
3724	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
3724	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
3724	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
3724	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
3724	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
3724	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
3724	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
3724	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
3724	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
3724	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
3724	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
3724	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
3724	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
3724	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
3724	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
3724	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
3724	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
3724	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
3724	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
3724	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
3724	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
3724	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
3724	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
4616	chrome.exe
4616	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

1136 chrome.exe
1136 chrome.exe
1136 chrome.exe

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exefxssvc.exechrome.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4896	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
Token: SeTakeOwnershipPrivilege	3724	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
Token: SeAuditPrivilege	2500	fxssvc.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeCreatePagefilePrivilege	1136	chrome.exe
Token: SeRestorePrivilege	4020	TieringEngineService.exe
Token: SeManageVolumePrivilege	4020	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4596	AgentService.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeCreatePagefilePrivilege	1136	chrome.exe
Token: SeBackupPrivilege	1020	vssvc.exe
Token: SeRestorePrivilege	1020	vssvc.exe
Token: SeAuditPrivilege	1020	vssvc.exe
Token: SeBackupPrivilege	5208	wbengine.exe
Token: SeRestorePrivilege	5208	wbengine.exe
Token: SeSecurityPrivilege	5208	wbengine.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeCreatePagefilePrivilege	1136	chrome.exe
Token: 33	5612	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5612	SearchIndexer.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeCreatePagefilePrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeCreatePagefilePrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeCreatePagefilePrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeCreatePagefilePrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeCreatePagefilePrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeCreatePagefilePrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeCreatePagefilePrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeCreatePagefilePrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeCreatePagefilePrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeCreatePagefilePrivilege	1136	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

1136 chrome.exe
1136 chrome.exe
1136 chrome.exe
5964 chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exechrome.exe

description	pid	process	target process
PID 4896 wrote to memory of 3724	4896	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
PID 4896 wrote to memory of 3724	4896	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
PID 4896 wrote to memory of 1136	4896	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe	chrome.exe
PID 4896 wrote to memory of 1136	4896	2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe	chrome.exe
PID 1136 wrote to memory of 1724	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 1724	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 4332	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 4332	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 4332	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 4332	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 4332	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 4332	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 4332	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 4332	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 4332	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 4332	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 4332	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 4332	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 4332	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 4332	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 4332	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 4332	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 4332	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 4332	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 4332	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 4332	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 4332	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 4332	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 4332	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 4332	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 4332	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 4332	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 4332	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 4332	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 4332	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 4332	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 4332	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 3356	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 3356	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 924	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 924	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 924	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 924	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 924	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 924	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 924	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 924	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 924	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 924	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 924	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 924	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 924	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 924	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 924	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 924	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 924	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 924	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 924	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 924	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 924	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 924	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 924	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 924	1136	chrome.exe	chrome.exe
PID 1136 wrote to memory of 924	1136	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4896

C:\Users\Admin\AppData\Local\Temp\2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_71ec51c1870513ef63900629e80482ae_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.208 --initial-client-data=0x2bc,0x2c0,0x2c4,0x290,0x2c8,0x1403796b8,0x1403796c4,0x1403796d0
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb820bab58,0x7ffb820bab68,0x7ffb820bab78
3⤵
PID:1724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1912,i,4312153766240202593,9011830806754754149,131072 /prefetch:2
3⤵
PID:4332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1912,i,4312153766240202593,9011830806754754149,131072 /prefetch:8
3⤵
PID:3356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2088 --field-trial-handle=1912,i,4312153766240202593,9011830806754754149,131072 /prefetch:8
3⤵
PID:924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3036 --field-trial-handle=1912,i,4312153766240202593,9011830806754754149,131072 /prefetch:1
3⤵
PID:1092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3044 --field-trial-handle=1912,i,4312153766240202593,9011830806754754149,131072 /prefetch:1
3⤵
PID:4584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4344 --field-trial-handle=1912,i,4312153766240202593,9011830806754754149,131072 /prefetch:1
3⤵
PID:4796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3932 --field-trial-handle=1912,i,4312153766240202593,9011830806754754149,131072 /prefetch:8
3⤵
PID:4436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4620 --field-trial-handle=1912,i,4312153766240202593,9011830806754754149,131072 /prefetch:8
3⤵
PID:4596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4828 --field-trial-handle=1912,i,4312153766240202593,9011830806754754149,131072 /prefetch:8
3⤵
PID:5944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4852 --field-trial-handle=1912,i,4312153766240202593,9011830806754754149,131072 /prefetch:8
3⤵
PID:6120

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:5852

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
4⤵
- Executes dropped EXE
PID:5948

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5964

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
5⤵
- Executes dropped EXE
PID:5156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5048 --field-trial-handle=1912,i,4312153766240202593,9011830806754754149,131072 /prefetch:8
3⤵
PID:2824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2280 --field-trial-handle=1912,i,4312153766240202593,9011830806754754149,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4616

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1604

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3728

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2068

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2500

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5036

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:464

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1048

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1864

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4312

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4400

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4284

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3236

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1104

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3208

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2472

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2016

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4020

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4596

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3084

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5208

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5372

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5612

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5876

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:5832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:6120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
80baaf76ec43cf6123ba87e84e1ccd73

SHA1
2588672d2dfd1b2ac79a7d25b7bb9da6601c0740

SHA256
b8f59ab5bd1dee4be9291b8747c7d8152a981e843b1ea3dd540c48b628d201ca

SHA512
16dea82bfab96d15eb2d56dd56145af7f496f51879bffc091d0f51b4ff65eda3aedf497266125d11556044227523d3f2450dbd9d2b8d6960dcc1370b089abcb8

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
e24b760721f8dd4572157e8fccf62a67

SHA1
b0c0d320857c817d6efd4e2e3ff7822dafb45a10

SHA256
914ac12ffac73ead4a4c774df6e7d55f5a1aec4755d298a7180d044b040044c1

SHA512
0742fe4ae1ce3e23af220159550beeb70ae43ffbdc5c68999eb6ab66fcfaa73ad3f7bc4ce9f0dcccddede2db6940ce6ab02629d6051e7f6cb07dc5fd148cb305

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
c63bea11e24b70352654ec0c1211ec77

SHA1
93a430fb6373b9fd5ae316684184325c562dcfd5

SHA256
0f6e5c21bebb1269fb7b6db8cdb6bd059cd7a264d139500e8cf7a160926cbc9a

SHA512
6014bebfed5ee27bb1c1aa70bc69055ec8a67f7934f5433ff2fbdad78c104ac1b338aea2c99c5ed4f8fbbdf4bb46c623bc77a7fc26c63347ae056087c1354d60

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
aebbe1d2f01f7564de0a6495d9ece75c

SHA1
6dbb96c41ad8f4f6142843101175a819a67a4708

SHA256
f35172c2f00beda096b84dda4ac0575ae10227e7c39032daed9fc3746f633133

SHA512
c196a719fc4cf19275e61e03806e45583d57787f4d40a48e818683ce426f397bf83d4e4388171a6dbc8608e4422d62071510c8295f090932147743fbbf6689fe

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
87bc791b2e7ecbf7db783a6aef743b92

SHA1
bf59a9dcd03e65b0f4838c2c10df3e26f19f9dfe

SHA256
fd4a0ec79aafff7bccdd87a15b3b9b440911fd0db00fc153dd59c2454e955fee

SHA512
fbd3a3b83c4d9e35b215f6e79240945d454a38706908f9e703523518661c05ac925a021cb177ca02eecf285609b46dfaf47deb871e2cb5d1a2ee5619961930c4

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
96063524d085df1d27c24ab57f6f6209

SHA1
284daea9abe0ad8b6206fe026136c81010d65b6f

SHA256
2bd353e34fe3865d3280bc2f6eee1c767bcb4a551d6bacecdf97b7d7d7d5e18f

SHA512
f44e4d2c37722cac7dbf633c7b4dafda399d57d5c4d47933541a573f9f8cfa7bbc36a4c438b2410676eaf95a29c6811c77e538cf42b205e6a65d8e9ccae11aa5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
65e45e13b1d42eaa0a15dbf35a99d736

SHA1
b60865e2a2b93c915d4f7a40c62e5c5da9826efa

SHA256
43d2984d594818b6e3e062c9e94998ec31ad1fb56e17c27f5bfd52cb6388cb07

SHA512
3cb6e0ed2ffb4d85c7417922c99893ac5df22f2f3f2a4b93db75a118e904459063460427346a143d3b48a493f796c9e0449f7169aff05d61486985ef6e387999

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
8a1356c923f7ce0e85ac65335294bc5b

SHA1
e2c55a6151c346a5b1c7cf3a3e943e2527a9a129

SHA256
c436134a25a3af66f4862222119b96d1095d33236f8f6852109d520ce80593b9

SHA512
5ccd26229144262f12b17ba464d7b0ec8bc4b2ed93071b6c4be57b7b02fd7feffa3bce4fa38bf44148934cb027dbf5b714f08bfd060bd3961ea431f47985910f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
6a452d8467c7090737030c7d650905e3

SHA1
5b8d56c79f5cc39c6abefe1e52af59201ef0657a

SHA256
85bf59fb8769b6f3c8d681099316187998512a47ae3900bf349ea61a19d5682e

SHA512
c1be9907f0fb6b99c2ad0b167aefeee4793d6e3668a6fad8197d320478a42e1aec73f87560682627082f8fef5e9b2d30e195bfef7ee4284d5909b7dc2f029433

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
b4283cb7305ba477e0626c942f178346

SHA1
92c519d470e7d9349575ab3e6e67363c712a2474

SHA256
7139f42aee2aab88d7531fede1d2b45c7d5d5f2bc93754d2e8164ad987b7f41d

SHA512
3fb3528c32ceecaa79db51742480d34485d5f4572e8ae18d1589b639e2a74311db80e130dc7eb772273e769b2afd34f35667df374ff9e68015083f278ccaa407

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
af1a2703f2abaff0d09c7e2f88ebef5f

SHA1
52441fe8ed13275944ee53720e819b54f9d7f3e2

SHA256
0f9b9251c74348d89e37771186e918bbb68fb818cab20788f40593af56513219

SHA512
003589cc7415f6bfabf92c58d476a08b6d0fd92963ef05b4185052e68530e103cdff0bfbb25014e6954b83a57b71058ad406a97e9a65caa6f843372f82d467ec

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
6c7f8da2f417a22a51b8c064a665883c

SHA1
a8711aae5eb8f4fb7f721cf1bf58a794f7ef6324

SHA256
72c67ab08587aa1bcd2ca620a77e1bdf996d886f582af4ff3e289bb69c26a6ab

SHA512
eecfabaf8906f78a0a97cfda49c71f3342c2c683fe4595a05c4767783102841f278182ce9629d9e7571564cb924f08a11069e3791d22a726a31d56978dc40628

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
4c299564ff6a5fe95d9966fd66f72c65

SHA1
885d5c2d54d58d20055f086c019d997098f9248f

SHA256
2e5e74a8398b20fadd5e54902ddbf77605707826c3d277e9a8a214e2713dbd2e

SHA512
527e16f73f32fa156b783dabee564f8b5427672f410cf0550b42e9571e437559e894905419d2c741597a8a237ba0d6fd55c702904ede9d1eba27c5947af576e2

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
9065e6651d6d4cbf3cbd958d8adbc5e5

SHA1
88e97d10c675725e3fd87be20776e14ccfaa295e

SHA256
3f38ab82c418738f02f27e6f2c8cef458006c4bfba2da50c67207b6cfb9214c3

SHA512
97ddebb17176b35987418721aeb3d60bf35bd4a21f0829493c4a6eba916f7ee1c326454a18000b14b21873738557e89b16ed7bb3c13dff0e7e9f9a0712350e8f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
659c1c209c3c8b1d6f6234159788579e

SHA1
8e0586350d88ed350d597e74c67582f339d383f6

SHA256
4ba649d41c39a80cd0b1389cd9d67ed9c500bba5b53e6bc57b61bd180f855ede

SHA512
86c149948e9fc97488635e93fa6204b6f82178afa4666eead65f03f4262dcce19554eade9b9047fa5a013c8d4c03e464be0493eddf8bc19b6d2bb6e66ca8c533

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
96bf00e64b192cbd878365c2fea9475e

SHA1
e9761ca46a38b2536767e1f62e771b172095140a

SHA256
2771668b31080a9bbbd3a842bc83c52df0ce7f6183fe5d622638b6a268f19ae2

SHA512
ddff07c4ed98a8445db342fb6feebb83eb5763c806a1ae207259ee8cec04e9c4b9f67f9e61b3d36ee198095e195d5188f14af2136b9050bd404af3b5209f358c

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\53a80801-1524-4495-a84f-0c6b4fc387f2.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
7fe621c090cbf65a7bd0178d02ba9d08

SHA1
77715a5a3d2dd71a208a235e721b339e5bb45f7c

SHA256
7737cd924b5c43bd89022807d55ca34e70abd95b0fbf0a79ad5c801afd12112d

SHA512
ac61fec9c6496b5c074b9c6478e995128b234fcf5dde5197959f48d14749cc0516121a3b64000349ba8e0ccafcdb6c0db0fb06bd04581bf03cefa308b116415d

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
1defa213487a36a8d266eb7f05ead872

SHA1
ab7f3191dec491b61af26131c5d6ddd4cb5ff9a8

SHA256
8d472e10ee23f2fd46d7fac9c52dc8f236cb4635960242afc2edafb16a10c7b5

SHA512
ab7fcc8f920dc8fc0a2b14bcb254511803cf0ae5b683ab44a4ba29f6904f43432c189cf103da9d68d67c926ddd88df7b946c554857b48c7bc61f4e76a1032d2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
6123155f7b8a202460ac1407e231fbf4

SHA1
13121f6000a380f6621bcb8dc7c83f9cd10ab626

SHA256
dc3766fd1d9f14e305d5483a9e886548c3ff3ad2d8497e26a04c6d8c31e7be6c

SHA512
ef2e48a3517f58cf068d2ed9e202ba4d2a54afdccd4937c74b5c84d5c4fd47d9b92ddcf3b842a102b426dccae53ab3bc9e571a5cf27cb315be4dc58bdaad34cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
b9cb2b21f1aaace9ae135a5070fba165

SHA1
67568dfe6d004acc4e1eb9b88c0058da42800699

SHA256
028449f3b4518488f7e6e87b106c31d4012875d6a355d15de4072a0a2b5a8f3a

SHA512
3c3fb0649866c7a784d68aacf7251e5acd003a7eac342f517737146bb6aa2c6a5034ca701986bc17ec74fcf0a3bbcbd4c358fe167579390a1ce4f2e1d08a0dab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
164f0af48dc079e73b951bfa48fcec11

SHA1
01718aa8a656b28558ea2a53eb83162bae4d6447

SHA256
c2c31834ccc5f3d41e650ebc33101c8a1a7cbc3c917f1c3f73233de97c6606a4

SHA512
3a9726d4a6dca462bc89d5244b4aef874afcef07972d06818f05732f2f3692a9132ca456c84fd955d616821c2494ae2a2e5455d9a0c39974b2caa6fee256847c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
6b283c285c37a1cb99722851560da3e0

SHA1
53acec38a8a84fd393f6deccb68c3b68d34131ca

SHA256
2fd7bf4174eadfe9023da737b120a46490446c742a29350073cad3042e7bb8b9

SHA512
3b7c0e8669c59f203bee0d21f48a32123c632474260acefc66b0d32a387ff71c978b0ff16d30933c0ed99848f9a9145d0e8847937396ab269434544c245272df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5765de.TMP

Filesize
2KB

MD5
80c9ece824708be3255fd46fed4fa84b

SHA1
6ab10396c88f4760224c2820d198207c54f01266

SHA256
1f8af8464e8755fd26db7cc2bf44b59934126100a43b00a66da96ef4bac4e336

SHA512
c8e8c5ce9c0607264264ceb4ccddc869543fc5b9d3929ad42904cefd147938d6523ee61e5ed2f6f46fba1e6c92f8b6dc14300f4c6c7cfb295fe3274677d9ae2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
3520ed247b17b2c5aa963294e18c7151

SHA1
c3f4aecf121c8355563d8f62c38c68abd8aef4ac

SHA256
5a37ce231b0d408a6291e66839d09d58c9c0c3a218cb61ba3a9f3dcb89f80a24

SHA512
32ced813ce92b74e84c044224f00248dacc7edb6c90861cc02a461b665ceedce16583b2be68b84eba4455fcfdef88093b1f1aea8a406ad0fe54180caaa67a377

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
260KB

MD5
eb457834bac46dfe657fd713cfdacb89

SHA1
0316f98ab65f16f63c58d1333e0514881673d208

SHA256
ee908f67041d6c0fe5ad4c8dd36c96aded2d8a2fadc53d39465794f7039e1947

SHA512
a6e5d0fb056babee20e19f07554e5aaaa64a85f10d67ffeb5b83e6e53082bd69f7a86a09cdc772b78c9a138ebb56cccb80e6b062998ce0ead156189ced4cc68b

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
e5e2bc8dc80e573e84840328b12f7aa4

SHA1
848ec056d8d98da2f15c3c3a1cd8afad67b05812

SHA256
06f72aaa5f5a35f27e8e66c514353c52f5a2ad8628563fc058774bd6d0fb58c0

SHA512
df6a041feedaa375267248b75c5808f8f6821be83f7ac19079e4c86a9a8ecf13831c30911b76a439dc7848f0d52fb5c0096e974981396b408d92100f90e6ffd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
c9eab9c5f5a1a0e972afeac6f0be0564

SHA1
8a2c518758a1e5e09d28b266b0a068d9f618d9ee

SHA256
0fc55c51cf025bb1a033b9b292ffe4fe9e83c4804dabed4ed893ed5b1e3aef40

SHA512
204a6274e795b4f7ccc6baada73a731377b58d154063ba9735a606108dabcffbae135d7e796bf24a70ebb9e5a093c88425ea3d68af9a56795a01dd854812ef45

Download Submit
C:\Users\Admin\AppData\Roaming\8acf412392be0f3e.bin

Filesize
12KB

MD5
eda86d84dea8c98700e29012f8aca5e6

SHA1
4b51a6dd97c742b739deb33a5723db26331e2029

SHA256
36782f40ac380529d0d370a2f514bcb7cf49dcb80ca48c99c838423a6b810da7

SHA512
62798a92d464029afa04066d2860ceebc82428eb0e2b653a027f60f5c1df9f1996dde1e3c462e7bbfd685a43c4e9024e11426d5233f4e71c4b68b7f1af9e42b2

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
25bd089694db3f8c8ba54a5303d3b7bf

SHA1
f0a567936730095839e002870f0c0feef24610c5

SHA256
c15795217dbb51c8d290e169af875efd23e25aa414b81d8b2717c388df5cfbdc

SHA512
5bee0f362017fe61e098dbc1a20ba430a3a60d0b31389d80e971cb992749d66070daf5d86d22a62ba1df792d89cface1a8d1d9eb2e3db684672391e51820d308

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
b9876c77c63e15b6e195f49e02d945f8

SHA1
2a00f3dae3ace0e6db5595e27a7420d0afeb97fc

SHA256
f1453d111fde92e382ce233bda52c533dd0ed1e3fe148b39a1d7972eb64bc60d

SHA512
cc6b0db4db0eced34fd9f660d0eaaa916946fde285fb7ddcb58d418ebb2ba4e27be0a41f66f22718dc719a383b618b3846327a20fc9c0b93c66e0b3ef5f7a455

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
fd48bb767bd12a987f8f2aa3eabd149e

SHA1
dd23152bc8d8a85d8f4dc7af40703d82f360813c

SHA256
43965d882f0ae9c69de9717dc1ea475f45cd4129d0103183a00862cdc11c8b2e

SHA512
6af0dd6eabef49b8f42603cf9c77289d393f52883037a379566e590e886d38aee607b1fb55bb4a6edd01619d6de174c76b0bf0eb0656d3b71eed30ef0175bd5b

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
49c856cdc1af1fec2076c89adb5e787c

SHA1
efa3c8b503c6f8a11a87c95abb483fdf77d0d943

SHA256
3441405cb0c5567568a0bc2b0348fb72164619b68e4e2b71708dbb11689a0e8f

SHA512
c2902cf65e6f237276357cfcb03f86115f11380869cae4fa802c7fc597ecabfdd648be98d50c514ba7ce5adbcbd2b373f3a6279d2355f8d949972a6f10dd0d5b

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
e36c1dda3478abc6fa29631fa45e47c4

SHA1
3a00b936994bf9bce5e06f4a1cb6bccc6e6c5e17

SHA256
c4b91e97bd75c4f418d6c056d02cc2997eec9e250f38d2faa6d8dd166a801f8b

SHA512
dd2b7d6f6028c9c7fd70911bdade3028725f5b61281a6243b69824be653687f7035885e99cfc47293bc6ed70778d4e81c24027d36b39a70db336efc56b90879a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
bfbeb186b9acd354159adbcad7ad3d02

SHA1
245715efabef6b4764d737e99172424a038d2d38

SHA256
cd3dc84499a71248614837441d956aff5a7518f4eee84aaaba3f90db203e8899

SHA512
3c841a17937b7672215a2856a4f85f8cd85ab00ad98977aa06261531c5e695dcca106dd10c0a5442fca313a7eb9fa74d0be5270d03e356c8ea270d543510c31a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
bc25926615a9417b44984fb063ca8e50

SHA1
094a79b9ff3e6bace0c5413adc52e0da7a736664

SHA256
d009c92ce0dcbc8e54d075d6c11f42a3297ce28da3b687a8e581a95c12928eb7

SHA512
c1c08f45b50470295765719b385d7d43ee048221f4bca9eb3cc45c52f8ce6c2ae765dd518c7d2bf7260ef50fc0fb3e4c6b70af7d613c45ac93106629e3fc281f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
464e980aa2e9379aca2b2ef0bc12f149

SHA1
8f9c8abb0bb0711712b086e210c0a5c0fed72b1f

SHA256
d25a23491aabe8c0b5299ac96e4cc0160de73deaafbffed2515ccc4bc8b84c53

SHA512
ddf48b92cbb232fc8e5ca92d8f4f2833ea12120cbdbfb99f8b8afe62a061f7e52911378f0b59a60359ef6e574c2d4ac900978c630a99362e376939022c03ef69

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
eb0b955f5b30ba74ae2948f2497fbb30

SHA1
933bcdf84597463b56b09ce6cc73d49b15725e30

SHA256
6035e3a2f963ec94ca43d013fa1b38c828a8466ef6617e43d8b97995c23cb805

SHA512
383423ca0eecb8bf864fe03fc57bd5607783cc0c9c46563d803d3102a18cb0a8d134da347ece8c1e0e95c0897479c45019a2b4bee99a810964c5d651075c2cf0

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
2ed7165ca71c6a5f172bb33f3395cc6c

SHA1
fa6c2cb726b9fcb82b1b9d9219795361668eaa06

SHA256
38047b298d87bcd42058c03b19f5700dbcf64107c1c75b75bbcce31fe599f739

SHA512
f919946d8c43bc670114e2cec58f48853dcda3e571e4a2a397b36e084dd880af34abffd0adf08f124f493fa2f499f2897b8e86aa70e87c79adef7571a8cf11bb

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
1f4ed01077137de948b5c0a13d024d87

SHA1
2efb98bf88308df30f05062d240f56154c2cdda5

SHA256
f77299e0ec2ddbe09beb1a2cd0618b07191249a7f0c2d944dc41fd1ebc94ebef

SHA512
c91c2efa9ffb32c8de52a8bf0e2943f1258ea50f03df212eab4be9caffb45c671b6b5020cba8fb45579ba8fd3d197d0b30e86e56c78d3ad37c23ad2155c02646

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
5a17e41d9713f5f116a1ba6663a67f41

SHA1
69e6eb601f6db5e768b002f6982f6999175d3e68

SHA256
630e777906a9f60d51fcd421dcd91b7e83b04b06c548031006393dc0379f604d

SHA512
0e8e32ebb4d4fc89eea94a30914b8bf46dabdd5739d8c02b71157acbe4b4dbf8ce7d769edaccbec3badee45e7694cb4d30712ad83d9d89f1e23979def87fca34

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
dc4fc79c6c4f633fd71a6045e463af5f

SHA1
27c34b5dd14d5ee22911a37eab3cef819132f0cf

SHA256
62f3d0ce1d76a6bfcf0059174afcbca027d19e0895fb2fb5c29ce4aa146967ee

SHA512
4ec6693131c8a67ac1632933bf7d18fc80efd5974e8dcd4ed487c7b6e7bb34b0d97d0c46493b4859312af207af8e56b0182bf7a6a37662a01d11c0ef08ef243a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
11372e6ddffce44f52629748bce5a442

SHA1
1d1dd0dac11fc7684a6bb0eccd9a00b6c9611594

SHA256
3f2d542d3877ad3057c0e552a424a93eb2ec98e14bda0d6e95b54cbed0ceadef

SHA512
b03c2b952df59fd7621846b8d695249fe0879afa24c089e887b556100134bafe43c6f01d8303714a04ea914f6975ef19cf2dd9ccf06d5c6114995bb5994bdf0a

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
68e4f3366b903f449fa1b849134c4e1e

SHA1
9c1acac50e45d67e4961817ce8f48f562e37d0a0

SHA256
a72f7ff14b829a283d6272dabd070d8c9588e99cb1a3f4032f7fbce024fee7c1

SHA512
6bd8591761a6882cc1904e3f4c68061f4b1641ff3a22810d7e8020e177a5cd94a21a5a397e962be47658046d2c8e50db4e2cce690311b255e02e607d9aa510f3

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
2212e614fcf75984092b774e5ae1e273

SHA1
82baa0aee7925c68a7b9a509efef1b6dcb6013f5

SHA256
6be1f48f3512953d815147a1c9cabd567dcbee75c51ecc29ad0480dc1a5322b7

SHA512
d9f4afedb90d4c955c7a5f17483bf112ea9a436c28f9bbaa8a447a864a294ca1f391542ed6bc56bd46e4930f8da105ce3108e226b455bee9bb38fc391feda976

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
c40193dedb91ce9a64efe6e74896ab58

SHA1
7a502cc3dbcb42d2678b6b1838112abba0b2cf27

SHA256
5f9fdd8c205f540d1d057a2bed1be9b7fed75a039d9ee42e38acee5b328de5a3

SHA512
4bd65e1732812e4d860cc5b1e6d497ad10edead4e13a8078dff0bc8dd1c5d1919419df8d295df44bd44a71c657301c0d37b40b00302eb8512679f8299a32b3e2

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
5e8751a1203d6f9d8c17c4fec246ad61

SHA1
c2b94772f77764ed8a715eebd78544427188e134

SHA256
40041fe7d064a2bee57e0dc6c3fcdeb0565d7efbcecb41c126951be0da51a87d

SHA512
290834a8336fabb3425d935d0c4cceab37aafbf6078d43fd8a82ce34e987e5fdd57b43409512aad46d6b3838ec7ff2e521c709b2718ba5d8872516c443000339

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
f8da1e3912337378c0f722f616cf6aaf

SHA1
22482c3e69a3b76d24d4e88d30e345654afd0338

SHA256
342768ee193e599905624366abf160660028ba384d57ae4da8734bc9473b010b

SHA512
b72adac4dc3ef8cd0c1275eaf376da652f8aa271a162aac1a54571f6f93c0e5fe9fec69a9cf380f84fa3ce438f06e3c9c2493a1d422f5d1bf4c46d6962ca9f47

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
1a94acd636df3602aa8a6fe9f98d0e5c

SHA1
799b90ac43bb3f9b3da3b9cf783bade73151fbd3

SHA256
b32f28800b17e8675a9403c5b7185c905afddde956bc1e4827909cd93c48975b

SHA512
ae52651778abc91b1f807c40d5d4467fc992f02862b6e77560c847af5c4f81dad892ecc14c451894e068cc5a1b35782d66e3b6031d92bf31ae66c4d567f92a1e

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
26a96b8560a4e20761846168008e48b5

SHA1
1ab4ad3a8565a55956f53ee9d82c3b650019f45c

SHA256
c2daa474fd07abe6bb8e7920abaee8a6e3edf949f0c2fc42d93ce316def096f0

SHA512
f87ea698600d978f6a67c85a42ed49c54b5830b91d3faa1ea986be597e8dbeec214049559f376e1349d7ad710664414a34409c55d8f1f94b0a7d84a1a59ec8e0

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
b0d1fd6dce9984cd16683cc9f5d64d82

SHA1
29c1adf90900e48153f5f7aa017b2da7777b157f

SHA256
e28e77fc9de7f708aadfa63cbe6e1a70a8850f1b50dbfa97ffdb982b47f204ce

SHA512
88b0ef1f045589f969f29f6883219091cfb802db85cfb43d2307b19a465612f79dc2abaed89d35b71b02ccb946dc10aab8aaafb05fd1137a0c670f83370b7d52

Download Submit
\??\pipe\crashpad_1136_EXRRIVPBTFWZPDIJ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/464-77-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/464-495-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/464-83-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/464-170-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/612-219-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1020-270-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1020-629-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1048-90-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1048-102-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1104-177-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1104-603-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1604-40-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1604-269-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1604-31-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1604-37-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1864-169-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2472-196-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2472-512-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2500-64-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2500-86-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2500-61-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2500-88-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2500-55-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3084-623-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3084-258-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3208-178-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3236-176-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3724-231-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/3724-19-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/3724-20-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/3724-11-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/3728-52-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3728-50-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/3728-44-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4020-241-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4284-174-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4312-171-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4400-173-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4596-246-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4596-242-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4896-0-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/4896-6-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/4896-8-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4896-29-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/5036-72-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/5036-218-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5036-75-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5036-66-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/5156-533-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5156-723-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5208-634-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5208-273-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5372-635-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/5372-304-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/5612-686-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5612-325-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5852-571-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5852-508-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5948-719-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5948-511-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5964-559-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5964-524-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download