bac1b6ab20150ddc16f34b7f09ad716b3dcd95baa9fcf4f85691e62f4a594720

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 12:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
Size

5.5MB
MD5

979b524beee0c6f231fffbf9f8283182
SHA1

a5ad2ffcc16b1b470a22537115ef8d7c2e0a6fa4
SHA256

bac1b6ab20150ddc16f34b7f09ad716b3dcd95baa9fcf4f85691e62f4a594720
SHA512

5e58420c96d61ed78262c3ca8a0b87983bc2cb9d76e40afcea4fe90f8b240ed093180d7903b3b32004b17cade24b9465dc88c41fd710342134ed96e7e9e0da6d
SSDEEP

49152:bEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfx:HAI5pAdVJn9tbnR1VgBVmS8

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
4124	alg.exe
4472	DiagnosticsHub.StandardCollector.Service.exe
4948	fxssvc.exe
3120	elevation_service.exe
2720	elevation_service.exe
1924	maintenanceservice.exe
1632	msdtc.exe
4184	OSE.EXE
3860	PerceptionSimulationService.exe
1012	perfhost.exe
3496	locator.exe
3296	SensorDataService.exe
4872	snmptrap.exe
1272	spectrum.exe
4148	ssh-agent.exe
3304	TieringEngineService.exe
1568	AgentService.exe
3524	vds.exe
3004	vssvc.exe
1900	wbengine.exe
5232	WmiApSrv.exe
5424	SearchIndexer.exe
5516	chrmstp.exe
5908	chrmstp.exe
6016	chrmstp.exe
6100	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 33 IoCs

Processes:

2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\44236f792be0f3e.bin	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exefxssvc.exeSearchFilterHost.exechrome.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e77fb6dcd8adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f4bf54dcd8adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000020ea1ddcd8adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133610285718375525"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ee853adcd8adda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a0ab60dcd8adda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001c56eddcd8adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ff6e84dcd8adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000047871bdcd8adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

chrome.exe2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exechrome.exe

pid	process
3264	chrome.exe
3264	chrome.exe
4904	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
4904	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
4904	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
4904	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
4904	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
4904	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
4904	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
4904	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
4904	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
4904	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
4904	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
4904	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
4904	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
4904	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
4904	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
4904	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
4904	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
4904	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
4904	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
4904	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
4904	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
4904	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
4904	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
4904	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
4904	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
4904	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
4904	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
4904	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
4904	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
4904	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
4904	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
4904	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
4904	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
4904	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
4904	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
6040	chrome.exe
6040	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

664
664
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

3264 chrome.exe
3264 chrome.exe
3264 chrome.exe

pid	process
664
664

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exefxssvc.exechrome.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3256	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
Token: SeAuditPrivilege	4948	fxssvc.exe
Token: SeShutdownPrivilege	3264	chrome.exe
Token: SeCreatePagefilePrivilege	3264	chrome.exe
Token: SeShutdownPrivilege	3264	chrome.exe
Token: SeCreatePagefilePrivilege	3264	chrome.exe
Token: SeRestorePrivilege	3304	TieringEngineService.exe
Token: SeManageVolumePrivilege	3304	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1568	AgentService.exe
Token: SeShutdownPrivilege	3264	chrome.exe
Token: SeCreatePagefilePrivilege	3264	chrome.exe
Token: SeBackupPrivilege	3004	vssvc.exe
Token: SeRestorePrivilege	3004	vssvc.exe
Token: SeAuditPrivilege	3004	vssvc.exe
Token: SeBackupPrivilege	1900	wbengine.exe
Token: SeRestorePrivilege	1900	wbengine.exe
Token: SeSecurityPrivilege	1900	wbengine.exe
Token: SeShutdownPrivilege	3264	chrome.exe
Token: SeCreatePagefilePrivilege	3264	chrome.exe
Token: 33	5424	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5424	SearchIndexer.exe
Token: SeShutdownPrivilege	3264	chrome.exe
Token: SeCreatePagefilePrivilege	3264	chrome.exe
Token: SeShutdownPrivilege	3264	chrome.exe
Token: SeCreatePagefilePrivilege	3264	chrome.exe
Token: SeShutdownPrivilege	3264	chrome.exe
Token: SeCreatePagefilePrivilege	3264	chrome.exe
Token: SeShutdownPrivilege	3264	chrome.exe
Token: SeCreatePagefilePrivilege	3264	chrome.exe
Token: SeShutdownPrivilege	3264	chrome.exe
Token: SeCreatePagefilePrivilege	3264	chrome.exe
Token: SeShutdownPrivilege	3264	chrome.exe
Token: SeCreatePagefilePrivilege	3264	chrome.exe
Token: SeShutdownPrivilege	3264	chrome.exe
Token: SeCreatePagefilePrivilege	3264	chrome.exe
Token: SeShutdownPrivilege	3264	chrome.exe
Token: SeCreatePagefilePrivilege	3264	chrome.exe
Token: SeShutdownPrivilege	3264	chrome.exe
Token: SeCreatePagefilePrivilege	3264	chrome.exe
Token: SeShutdownPrivilege	3264	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

3264 chrome.exe
3264 chrome.exe
3264 chrome.exe
6016 chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exechrome.exe

description	pid	process	target process
PID 3256 wrote to memory of 4904	3256	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
PID 3256 wrote to memory of 4904	3256	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
PID 3256 wrote to memory of 3264	3256	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe	chrome.exe
PID 3256 wrote to memory of 3264	3256	2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe	chrome.exe
PID 3264 wrote to memory of 4756	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 4756	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 1936	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 1936	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 1936	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 1936	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 1936	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 1936	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 1936	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 1936	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 1936	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 1936	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 1936	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 1936	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 1936	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 1936	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 1936	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 1936	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 1936	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 1936	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 1936	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 1936	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 1936	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 1936	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 1936	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 1936	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 1936	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 1936	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 1936	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 1936	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 1936	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 1936	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 1936	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 3640	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 3640	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 4792	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 4792	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 4792	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 4792	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 4792	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 4792	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 4792	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 4792	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 4792	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 4792	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 4792	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 4792	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 4792	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 4792	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 4792	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 4792	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 4792	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 4792	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 4792	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 4792	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 4792	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 4792	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 4792	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 4792	3264	chrome.exe	chrome.exe
PID 3264 wrote to memory of 4792	3264	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3256

C:\Users\Admin\AppData\Local\Temp\2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_979b524beee0c6f231fffbf9f8283182_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d4,0x2d8,0x2e4,0x2e0,0x2e8,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb0147ab58,0x7ffb0147ab68,0x7ffb0147ab78
3⤵
PID:4756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1912,i,2249660287433335598,6610636714136823883,131072 /prefetch:2
3⤵
PID:1936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1912,i,2249660287433335598,6610636714136823883,131072 /prefetch:8
3⤵
PID:3640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2064 --field-trial-handle=1912,i,2249660287433335598,6610636714136823883,131072 /prefetch:8
3⤵
PID:4792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3088 --field-trial-handle=1912,i,2249660287433335598,6610636714136823883,131072 /prefetch:1
3⤵
PID:3336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3120 --field-trial-handle=1912,i,2249660287433335598,6610636714136823883,131072 /prefetch:1
3⤵
PID:4264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3504 --field-trial-handle=1912,i,2249660287433335598,6610636714136823883,131072 /prefetch:1
3⤵
PID:416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3956 --field-trial-handle=1912,i,2249660287433335598,6610636714136823883,131072 /prefetch:8
3⤵
PID:816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4476 --field-trial-handle=1912,i,2249660287433335598,6610636714136823883,131072 /prefetch:8
3⤵
PID:3456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4708 --field-trial-handle=1912,i,2249660287433335598,6610636714136823883,131072 /prefetch:8
3⤵
PID:5264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4692 --field-trial-handle=1912,i,2249660287433335598,6610636714136823883,131072 /prefetch:8
3⤵
PID:5500

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:5516

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
4⤵
- Executes dropped EXE
PID:5908

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:6016

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
5⤵
- Executes dropped EXE
PID:6100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4720 --field-trial-handle=1912,i,2249660287433335598,6610636714136823883,131072 /prefetch:8
3⤵
PID:5776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4248 --field-trial-handle=1912,i,2249660287433335598,6610636714136823883,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:6040

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4124

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4472

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2868

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4948

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3120

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2720

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1924

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1632

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4184

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3860

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1012

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3496

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3296

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4872

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1272

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4148

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1424

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3304

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3524

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3004

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5232

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5424

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5368

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:5692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
3c9234e6ab468229f156369a69630eef

SHA1
c7b7c09bdb8998df65fe96556bd90eb7118d4305

SHA256
b02b87eb85d35bcfa6b7428127821771802296b9822bc332033e5558e47213d6

SHA512
04bb1ec74dd25f05b1d24e6f3f5f44d120804eff6caeda5fe4b5fc1bce1ef4186c0e0c8fb561cd16243a70341624d39429c384a1326ff61d05effc864cf2e9d7

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
7339f3f6ba0ddef9426e448ac59bc2b6

SHA1
4ed2f1c83baf4cba2d6cd130f14bcdeff935cddf

SHA256
ac7587712432f33bbf019e7d9b9569681c1ac0c707e38a52aad2305d71d87648

SHA512
2bd5261cef54d6169b2e66ebd576bb7be167a3d2930fc7b2853448e849f5f6d067dfd2b60d0c4476abf9a357b9257c079f099fc539ac96cab05b44762a2c1cc8

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
c351918e3cd8da2b3109786bb77154e2

SHA1
626f1451a82032cef76f45e7364c00b35f311677

SHA256
d52a63da55f659c9bb79e4d2bd9491840c18ad3a9b02dc0e7b6e0d0cdb405471

SHA512
42401284f1fb00c6322e4beb3698903232c373bf86cf8c8e9a1033503fb2c88d6558c0b9f8cff723b35e010142dd5c0dc3347bdc4bd4fbf4c8bbb3ab3cf50b92

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
ff4beb57cc1aa81821fe5fcf1af48824

SHA1
5d6ef450fec3cbb4b4a683904db41b540511b7b9

SHA256
770c686c3bdbcdfe124790be7379aa2cc137ed7aa1a0c56402a14ac46f1262e8

SHA512
269dd26f826a55c1bbe4ef3dec0c360d085717c3c496a7553a3c9d76a8165dbababcd6c52ccdd330f0cc90fa56e746a665c430e83dba7453f2f87bff7c3cb82d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
8c8396ce8f535786181c53ca9f42c351

SHA1
a47627034f088052183005054a29312d8c62164e

SHA256
66db855e2bea82e5c6dfee0a1997227509ba24ef36675b832859fee734aa0999

SHA512
ddda0d44cf14c32f455869ac72e0883d89212debbb86d7a1a98c3e588ac4b7f9d9649997acaac55b4aaae8a35e58bbd456caa9a258f16c3370872c12194439f4

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
cfb4e6832d669c31f72a5014816e4433

SHA1
6b69cc2edddadcbcd4e2d814c4645884a1225ead

SHA256
272490a75dcde54597dcd0a9e8e79b080af10565a63cab33656158b825dab611

SHA512
6f444d66e6c79453356511cd76df33bf38062a4c923e00e848b2173bba25299efeb58fbba985766b559e3197d62820ff13b5b169caefa6e91f5a15f0a93041e0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
4ce078d61e45602f53acef35b1ddf460

SHA1
fbe456f207f092f1659aaf00448b5b836d144093

SHA256
8c2fc93c66be162c9192d4f751afde876d69e4a5c8c9d30ff8143837d1dfda83

SHA512
f628fe00185979ad1a52132df06ada6958e12925b72e4f4f449e0eb4862e0b5f323a1d9de59f4819f1f6ef1e4c00191e799cb59aeaa0fb6b96a3317197f09c1d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
4db25c4afe52bfd663a7e5cae96981ed

SHA1
40063c9383eab739e8af793e84a9815186b4a42b

SHA256
9b4376b75bb0d4465065540a0ca8e6db74b8789783527f5876d5fc52c4b4a010

SHA512
11c8c61c679ac6a6939c28ddd82bd0942d5f0f1cdfe13661a74a7b23610338c0d3ee399d9873ff3d2224f51058749dc04416bd52e94c4ff80b8f5a9fbca826df

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
1ed467e93d883caf6bc6c3e9ec304013

SHA1
5646375a4e98ba81fe76b11813caa2d17ff9153c

SHA256
330b6118937c74a3efe386a951750436bac140c053b510ee14427e16bf468712

SHA512
109c682fa3c28a6f050bd244e6b894a75ed675c858439c7989020ab96b1ab643b9b36ee0b0ee02e3771acae0da635befa1050a80ebba03036597140f33f3233b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
d8916f25b59feabd0692adef23bcd9a1

SHA1
6a7af0eb8d2165005e5211bfe2499b56b2ee7748

SHA256
60703469cb70c98cd96d9e7ba448abfa75fe0e6440866690ff46039516c9499c

SHA512
82ec55a7b5d9fdc996e9f3d0e0b1a90729f0ce5a04e740f1a1edcc871d70e3bd42f4c01f5ba480fdaacfff2aa6ae2a9c21a84052b14d23f9a8111aecae01fb04

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
586337776ccfa6b71c9ffefa167b5373

SHA1
8662e96ad056b474fc058d9be3809417739a0ba1

SHA256
1aceb9e7f6af31a50348873984593cc6127b741157351242c88256febe35ac08

SHA512
5d64a59b67e8b715268e3d0fde3cf6b8aee290a2761d20b32bd5efcec23893fdbbc7cdd9448acf34d8878f2d5728ba54278c83c73ae8fad81d1dd4a62c1b0b97

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
a3aa746317c0a0ea020c6630d71c9a78

SHA1
7b8f1a6a8b7da4c13bb796f0cbf04aa1ff4b2467

SHA256
ea0397a6483baf33d8e031d968799e9bdc0205ca665a30ebbe7f65f34a050a59

SHA512
a08ff39fcd0819cb46f73caf51473e336cc130b937612de7b3dd26c2c3fbb8c739960b9c50deb27e4e5a369d3fcc828b7a1602dfd88ec59fbeede6ae17c351d9

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
72d9e8583fa3395402ec0d1987a94d12

SHA1
cc6b770376e8d01d5761e06694342535ec1d2afa

SHA256
7b7ddc52f6ca731bf95c506ed9d92fb05603c4d995b9c43d87e773b3df2e50bd

SHA512
38307d663785ffde1b2c03f08093c8365a08467a21986ab791e339fdba5479145618179e7217db3edac8ea6460a8ff9fb39c1f876cede11e26705793f45d5cdf

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
da2270a0353ba26992901e519ccd88c4

SHA1
a5f9f23c806c9a03bf8981ade649a4b9f584e35f

SHA256
bdeab90ae94202d0286c4a948c28dad1b1c6b5e9097ae56b60d5ef247ae84933

SHA512
ee211dadf6810f6b143f95dbf972bcebfecac302150edbc6a59978366b14b88d088b4559c7966afa2d149d645c1abb951791f2e12fad33dcfd41e232cb6c2ccd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
bd540a4898aa54146616145c5e1600d0

SHA1
21792450c3bf9cd591289103f4b8e5268dbd3a05

SHA256
3215d7096f74cae6eadcb152eef7114edc170a9bd02a84ad49408f3a9e2f27ca

SHA512
1042bd36d2926c4c3d344e3b634e47f530474d537929f94c7762cade61c92f1184700ee01b4c9d301be488af53610aa739832816859fc312700d80228128096e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
9d9194f5d9e62c848caa0860a56569fe

SHA1
841bc1ece057ab532c13bb3536d710ff236cace2

SHA256
6f4b47cb573baacb616b27c6d82b210952adc425d6f739751c617c99ec11f0ef

SHA512
31bfbb17187ba5cadca6ef45cb1a894d679feb9e5315b9e7008408baff018c13a916234c59f1383ddcfeaa88f3f77639d4ae522f346d19b199fb3c97f88804c7

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\016bceb9-351c-4e85-b10f-7dfb46781013.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
f228518a52b09b9cdd3098dca7327c63

SHA1
89d11c109c99ec3bb27dd68c65ce0626be13b87e

SHA256
cac0d031645ced4591a0e2021a49f1f9eadf25532bed8179075b9560c38fa834

SHA512
0dab69732992f0e8336472169cdc9a6081559a077333885a956db217cc6ce43c41aeb625e09d4d27c9bb6af897fc78f891156267e4c4c53dabdefb448227282a

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
9b061f2c53bd2f0d75bb4d677f9daa7a

SHA1
b3034d318dd0111fed12a4396754d431e6517ea8

SHA256
09fa7634f6305167252cb4f0f9e6a02182f155417d8a5f77d59ed66dc6380a70

SHA512
e0e32a48de5614554a3b9e598983aa27b7e57c77ca2450eab58df555efb63191ded9b4bca8a2ac824f3efcb4579ed200468c71d3c039fb5cbdb7308d0bb27a46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
6123155f7b8a202460ac1407e231fbf4

SHA1
13121f6000a380f6621bcb8dc7c83f9cd10ab626

SHA256
dc3766fd1d9f14e305d5483a9e886548c3ff3ad2d8497e26a04c6d8c31e7be6c

SHA512
ef2e48a3517f58cf068d2ed9e202ba4d2a54afdccd4937c74b5c84d5c4fd47d9b92ddcf3b842a102b426dccae53ab3bc9e571a5cf27cb315be4dc58bdaad34cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
94417254b49c85e8b2babc2675763473

SHA1
d55c252db59d6cbbfc5e0a8c4ebedd8d303be131

SHA256
60b28ce1648e7748fd981eba0e2aa5d28323d34b100a24c203938b4c176a7384

SHA512
fb5bfef6294c42e784bfe79b25f51398cdaa9f4a36a1df128ac1c6e28e6aeb598b79b4192cfad55c4159a8992c61bb980c726927e937f9d3e2faf77b04680e2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
6f71db131bb2d7ffcc7a3b38a7c4f828

SHA1
701a8861a15bcc778dd9f12fdd5d42483ffca5e0

SHA256
6d461d84e9626151bb0e0a871c2a0fc5dfd423a95758b53e0316513483c0a456

SHA512
9afe2265a8d667613fe8779b2f976baed5f49526ac0272ee1484d9c80bba8a8f58dae53447cb790f3e110476a16a1875961a15fc6e35fe072678533c9487e0ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
cd44117af27c5a93ef394a55ec4ac50e

SHA1
2bd116e3e69848c6c6358657568888aad3e97267

SHA256
9d31816a950ac18f122acb69a15b503036fb044c7c0ed8ad1400795f2b89c3fe

SHA512
8511a46c88f940cdef20f477d7398c04873574f8da2dc71c1a2c089f74cc96303ea099b24a9cae335b05bbb122bc16c61063178e458006a75fa1f87555184f73

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe576050.TMP

Filesize
2KB

MD5
80c9ece824708be3255fd46fed4fa84b

SHA1
6ab10396c88f4760224c2820d198207c54f01266

SHA256
1f8af8464e8755fd26db7cc2bf44b59934126100a43b00a66da96ef4bac4e336

SHA512
c8e8c5ce9c0607264264ceb4ccddc869543fc5b9d3929ad42904cefd147938d6523ee61e5ed2f6f46fba1e6c92f8b6dc14300f4c6c7cfb295fe3274677d9ae2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
c28280ed27f662743590ac77947f49cc

SHA1
9570d3430f6681fccff709d8e34603f6465ceb14

SHA256
b6548a991999ca1f64b15bcd2b7faba4c91015b274647e9ceae5241d53a9b3ba

SHA512
40ac526600c41b179347e831a06490bf886649166e77efd1fecc03a63ba472a7626b567ce48e1e09e7309799946812105fd9f041aaf93850c8ff51348accb613

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
260KB

MD5
b28e8e6a641a79f39605293bd8dfcd59

SHA1
8e80313c05c0df3aa4cc35d23f1ca8b2c104a83c

SHA256
b1614ba052240f5bd897060c0eae5720744e1d04a3f45c633f758cc0c2f2c56e

SHA512
89b307f114e0e59efa10c1ed201fb5d6d6525e3a0b172d73d1b8a274ba190155aa3ed34030f3ee19abf03cc374e5ae3b8f3e05a2031cd4e3e2155a9b6c824808

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
eb26ccd7890159ecd8934cbf9fae459f

SHA1
27914b709144a2920d19540717e011a2cf6114ef

SHA256
b002557208e882942be3c438d3a2f9a6ba4f231d2d4a9a6d75cb5be88c512002

SHA512
f6f4c8c412d226209c92c63f427ad6b4f72d2e63bb5e7c429b62fd27e20dc9d9eefce6d890d2a378cda09d2192ce1c4f185c2fd67a89bc81d27d4e9c0242e66f

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
9KB

MD5
6c47d318947c37176ccb289cb69abf90

SHA1
3aa65d85e9546b77d817d864c8877976c0ec7b8b

SHA256
4ce4025f094dbf7346d3ff77d4f772ff8c114fb64b4e6b7547fa501ece56e66c

SHA512
f0816063781735768bbb6f318a19be9f1ab223d655660e74fee7494fb795e7bff4d2652d63c506c2314ff8a869119eaedbbc08a6f3d4dd1f54341cdc3fe90349

Download Submit
C:\Users\Admin\AppData\Roaming\44236f792be0f3e.bin

Filesize
12KB

MD5
6702a9c1778e9f18478389839139a2ea

SHA1
64c2615420a07bf2af3080adcfff3ac05299e097

SHA256
bac9846b4e0c6060ad6151100ad576240a6c27df40d4aa5169cba1d5ce88d132

SHA512
c8a571a612022d7ffc3332809703ed32f21943b065f589781f82f7a488c6f9c435affefa2e58b2edac98a8015a4f6f138960bfde87b0de87409ea6f3bf05ce1d

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
e473af5960f520584f20eb05344a5161

SHA1
c469a9c8651ed4b70725d5fe00ad8a5175b1b11a

SHA256
490b00038b52d9112c3ae6b2579bba6671957575a61779d927f2ef4ec58a52e3

SHA512
e232d4c304afed357ec1831a6e8a9ef6c96bd986c6a236cf231748bb94764c54ae573b9ecccc516071c7e9fbc3f15f1c4c761bc851014ab213fea67901d62a1d

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
80bed07384d0343c4043fc70ef745aae

SHA1
a7efff38baa5e6be399eb8588fee51e74e8e8d1f

SHA256
0555ece3c99ea09c938342746df556100fb622915265afda1fe5d817282bbee6

SHA512
d4c29e288220fabfbbc88d9b9dc59b5b2e93a25eee218702fd4ba632882c6148704325765786546c47c67cb1990f82aceabf0763df64b3ffda67d7cde09658cf

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
837f76815dd0bd7f084d6a826808b234

SHA1
261271408b6c6cafac884fd49bd19b4cf3c8f0e2

SHA256
97dc0b90376e80f527cdb5c545626630c6c2c03c9b1458f303c2166571eb16e5

SHA512
6a8772d7e727d93a0a090edb8e7e3c9d04f70b03627e5a55a337604db90ab54173cb11ca7a193b7a76f0d4d236b69b16819d9f9bfd2be483b3f276bc9cddfe57

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
5ddc3ddfc55922264f235ee9cd13dc12

SHA1
09bc7f2e3e5246e692b3ab4d9d140c5fbd189db8

SHA256
033e16ee118d9e53f40f0e944aeadc8b98fcc96aa5805dd2db19be6ff8f91f2a

SHA512
966eb813ed6c20ff997c4a5393861e724aec2f4a1eb6093d132d78429e0041cbfa37d43a4d1a29576be4cb69ea13db6fa2b71b5c075d68437e5c4ad2d4b544c7

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
37a46e9ae85e3d02a2d85709a8a6fd54

SHA1
f28a2a3ebe1258f88ea812698a1102f0674b015c

SHA256
f0c22364f58cac1ec03a71fd0e765b458b82d9adb1d509e56c0bb2e85482e102

SHA512
09fc7ad1ca01f244447d78ecf8cd950ae81c2727b64d61caf0c6297ba983c8d7f1ce954a684a15f4d482ab62d7f1c9fdd2a4fd58f958b2abf922dc85f9097cc0

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
60f82310a59e3d1f193ea70002909143

SHA1
790c59f05f98868d1bf47a34154d3a266112a976

SHA256
e03de4f2f9c1d8c352ebc48f934b8681a669a0eaacc2eac094b5f453f9d74665

SHA512
04f9bce398b9ef24c978f9120cc2624d95ceefa7fab03e8010bab4f4b1e209412974311f9f1ca7bd2768b54780a0b58e43b2730c242f9b86809c4e9019af5727

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
d37fa6620fc09024584b841d5008c34a

SHA1
41123c8987243bb06d0296b10fc7fdde574ced2f

SHA256
a4edb24b4ce9ed51b00be5e3abb198370c06c3a38154e67ec06d3fa8f17ab121

SHA512
fa8247a493670d55759de41da90d73d5babfc564866143903a9cda2096cc10bafb675c753a2868905dd6f94a02200c8f112f79659f66ac2df5251c865ad45115

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
878623337fefd8d2d903a9ef8d13fec3

SHA1
6810fb231782d580b4c9dd24a91b15e15a2159dc

SHA256
7dce244690aadfbc3c25c796a243bd2e3f7270ecf1b84fca45ebd8f8dd6cad7d

SHA512
610b1b162c0adf8d9332c20269130bae735896028c147e4cda0406985d539d0e573cb926da5244c1b75fb0bf259900044ba61301c775c73fef4f4e38504a0ea1

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
b444f174232908a653147cc9e446c962

SHA1
f1048dab84031bc15b7c5bd0013fc22fff403249

SHA256
711c1f35964a3d518d8d5f33f6fa51bd0412f0c187a24adad12288785dc77501

SHA512
0847242651ce30f1bbdebcb4b5c34ab609020853fb38cdb24ef21de466aa67d9ef4901ad3e7d9360b293197e9580623911eac2575c4bbd307e6e225c8076d59e

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
0db41b9f7148fd5079e1d29ed3436b7d

SHA1
ffb0d6ccb56a49c274bd379e910a70532b410d70

SHA256
c22eb157e019d54d1f7fb63c5c8e8dfcbba2729f1976bf980c250cad0ff39cc3

SHA512
98996302644c293ea894159adff236104e94055e38d8bb0a4a47b2158af29c35a22b4332b2b281028562916b0fc607ab662e95e4cd76c2d4cdfc0a2884b2c60b

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
6cbd8a6182bfd892b95bc1ceb86e3ff7

SHA1
9f81ab0ef247801b96c637039c52a6ee08855afc

SHA256
13906e940a3defe58f64d7b547f812b5824b6cf6ce0071eed5ff90f431081c02

SHA512
ee2b708d66bc00d9f91390511b8ae2b98bee4a5de57e579c9bef90e2c1db998f819a55157292a96d94ea5162ad970fd7b4db417302532f2ffa324ab76efc90c0

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f2518f5b4dd7dcb3cb5490f756d34821

SHA1
3a6e2ceac9ec5c38b6360173cf628c930a8fd9dd

SHA256
21253ef6050983c84d429960e7c5d1e45982dd28d95dc6b82104fb0f431d22de

SHA512
2bdf2e40b28e04a2f14c3513bad0fa16725ed300d3b4b1cb76a253a1f038465e7b94df21fd76f67c43c7a0bd26fc6c355d64b5675c5a4030362436eeb88cdb65

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
21bd68323bab86e2a18323fcd241dbba

SHA1
d4739db2b2cb48e56af6fc5d06da573601b8b60f

SHA256
a9ac89b7e251bf1e16f9cf7bd6e0148cd6b6052c80e56eb563c9b0a03dd7dff6

SHA512
931a1783d79dfa9b03231d8af02581accaed5b98f2a61a2821fea43546eadcf1ae313abf79a0d94b98db7a7702c8965db3dcc811dfd4efa1c1574008f7aab6e7

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
e0768a0eae531827aaeaa53120c3f605

SHA1
f6fd58a3183366be8cfb450fb7edc260f0bb5892

SHA256
e12823060561a555b8632fe8749083479f13cde8175791d9b036f5d2795e0a47

SHA512
ec955fcc56e98f4261642a82dbe19cfbf116662bc357029e6a9e5d885c8af17a79fe707ea2c1c9ce0889f64a32d7b1b18b49bf429b33254af12d662deb3faf89

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
d16bb03b556a7f199c8b3b244ae26602

SHA1
f8c0dbb9399e20dc6eb2ce2fc8d26c00c7cca813

SHA256
8949b11b15059a3c179870d6fad4c37df2ac2c7a4629eb07a5c8951cb96e5a07

SHA512
3cd6cc65e0b2db2d6042efac7baddb0f7e46c02f99eb063125e6a22b16e4e66e8299cac382faa9951771eb055bf4ca6d2560bd63551b67f733f54b334c9f5467

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
419c242227b33c20b79d6ab7d6b99a59

SHA1
5a3e93d68fea13e23c92ec07b535cc6b3ed5e6d4

SHA256
776a899b9f269f77c8fc6ebbe809b37bd4925297055f013a36d4c868d9ff66ec

SHA512
b7c492ae7496fa94928646364176fe911cd457e51bcf040e3167384fceeba94010c83e5f1813e184f76041219ee1048e44d526d5573c415d4d505aa156ec57f5

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
53709961d14a24015e9990ff1e03f218

SHA1
e46c9ccd89c921060d6b11c8e746cd4ee2d8a91d

SHA256
4ef476fb8da97ec634ab4e1e0217c5e441e152e6c74c90f2657845d542ad1b79

SHA512
c7292151c28c9a190834c8fb17a3103a7a173d504632eaf2784ace81c4fd10b805427c31a58c9d761080a08804c7eafca2482bc2852c9deb291396c84999eb1a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
a29513328b15524681ddbd6de9f88da3

SHA1
bd769204256c7be6c0371963dda8339678906f84

SHA256
03583d3919a3ba60dc7add07cba252fa26880f6d935fe00dafe810a2c1f176b5

SHA512
d40aae8dc947e1083f7f031d424dbe15831a7c18aceb3b5fa6f7446291888449365b7ccb6c19a577ae2386b03b96fcacf278eca625cbdd790792ea2552bc3b66

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
f8da1e3912337378c0f722f616cf6aaf

SHA1
22482c3e69a3b76d24d4e88d30e345654afd0338

SHA256
342768ee193e599905624366abf160660028ba384d57ae4da8734bc9473b010b

SHA512
b72adac4dc3ef8cd0c1275eaf376da652f8aa271a162aac1a54571f6f93c0e5fe9fec69a9cf380f84fa3ce438f06e3c9c2493a1d422f5d1bf4c46d6962ca9f47

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
518dd25863bd5ce8a4442126c53cde44

SHA1
0428058785e677848dff0fc55db5fefdbbc85936

SHA256
1d55507e30cab2cfe267968cd3af4158c91444fdf1931252904c5f6094c9c9e1

SHA512
d216d6a813328f95ba1fd10dce5342de4f02878f7ca6a79de994c46b9f1fd77a252f03cd4897fa663156fcdeef7bfb7abd4fa6c372b825129f0eddcb0b15225b

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
7b41996f03181193f9cc3c0cbfd76278

SHA1
070bf93bcee8a06d706a8962359329a4ab2fa336

SHA256
4b7212663e8775be759d91959f0adcf5bee34838ce445c598ddc2882e40ccbd4

SHA512
440e1d3b62cfbe07127272b883032e91d1de74f7a0f79fdf6456835f43e2b04daf8b4b8273b6f2e8dd774134d08022d081c1f61ae1dfa2a8e851803bcfe76a68

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
a1e3d98e199b381d1925d51d578d08f5

SHA1
804b258dc0361bb71eeb3639eb541c5d6619a24b

SHA256
1bc2b307665f31b6807b8b522f0144276d1a6e4a8fd3a15b9b0af4138ae7c1dd

SHA512
eb7a324fec46de072326919ee8b762a63cbaf50a3cf6585641e88d5a2ef8854dfc0b73df8acb17c421dd4cbea4021d96de34feddc722939009ac02a2404dd248

Download Submit
\??\pipe\crashpad_3264_CEJOOMBTDEKNTCJP

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1012-161-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1012-305-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1272-222-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1272-515-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1568-281-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1568-269-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1632-107-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1632-268-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1900-650-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1900-306-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1924-101-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1924-89-0x0000000000CF0000-0x0000000000D50000-memory.dmp

Filesize
384KB

Download
memory/1924-104-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2720-254-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2720-97-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2720-79-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2720-85-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3004-645-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3004-294-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3120-172-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3120-72-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/3120-66-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/3120-100-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3256-6-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/3256-10-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3256-44-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/3256-50-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3256-0-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/3296-639-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3296-339-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3296-196-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3304-255-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3304-546-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3496-317-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3496-174-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3524-636-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3524-283-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3860-159-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4124-33-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4124-195-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4124-28-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4124-22-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4148-528-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4148-234-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4184-143-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4472-36-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4472-208-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4472-35-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4472-42-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4872-210-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4872-502-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4904-11-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4904-19-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4904-17-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4904-158-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4948-55-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/4948-61-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/4948-64-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4948-75-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/4948-77-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5232-651-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5232-318-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5424-670-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5424-340-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5516-513-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5516-587-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5908-524-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5908-719-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6016-530-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6016-576-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6100-547-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6100-720-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download