1200a850cfb01dfab244902e1d70244df80d8572b91e19f69a057335745483d7

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 13:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
Size

5.5MB
MD5

4e049ca8feed9b78e5559d7629305585
SHA1

b64672f82ec20efe0191be72b5e0631594c8f2a7
SHA256

1200a850cfb01dfab244902e1d70244df80d8572b91e19f69a057335745483d7
SHA512

bcccc4cb69fa59b005b8e4065ae9cd45002b62ef4d4f5a61bb1a5bde2df4c61371611b8342f92b10e39a20e76243c0ef075fc41ae43095e01a34d8be7ba7a710
SSDEEP

98304:7AI5pAdVJn9tbnR1VgBVmhRVlbnP9WXW7H6C:7AsCh7XY4HBVH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
4388	alg.exe
4332	DiagnosticsHub.StandardCollector.Service.exe
3256	fxssvc.exe
4700	elevation_service.exe
3264	elevation_service.exe
4052	maintenanceservice.exe
2372	msdtc.exe
1652	OSE.EXE
2380	PerceptionSimulationService.exe
2004	perfhost.exe
1488	locator.exe
2704	SensorDataService.exe
3144	snmptrap.exe
4848	spectrum.exe
3696	ssh-agent.exe
3968	TieringEngineService.exe
5096	AgentService.exe
1388	vds.exe
5100	vssvc.exe
1636	wbengine.exe
2952	WmiApSrv.exe
3124	SearchIndexer.exe
5000	chrmstp.exe
5680	chrmstp.exe
5928	chrmstp.exe
6012	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

alg.exe2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\52ee604ec8648821.bin	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{14DF0EF0-439C-4CF1-9E8A-D1E954BF645B}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

chrome.exeSearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000009e3910de2adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006d47750de2adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bf53040ee2adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005a713e0de2adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ee8b3d0ee2adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133610325170000820"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000d206e0de2adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000a83510de2adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000039cafa0de2adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000013fa470de2adda01	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

Processes:

chrome.exe2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exechrome.exe

pid	process
4192	chrome.exe
4192	chrome.exe
2460	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
2460	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
2460	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
2460	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
2460	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
2460	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
2460	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
2460	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
2460	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
2460	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
2460	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
2460	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
2460	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
2460	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
2460	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
2460	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
2460	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
2460	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
2460	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
2460	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
2460	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
2460	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
2460	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
2460	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
2460	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
2460	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
2460	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
2460	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
2460	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
2460	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
2460	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
2460	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
2460	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
2460	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
2460	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
4192	chrome.exe
4192	chrome.exe
3448	chrome.exe
3448	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

4192 chrome.exe
4192 chrome.exe
4192 chrome.exe

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exechrome.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4788	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
Token: SeAuditPrivilege	3256	fxssvc.exe
Token: SeRestorePrivilege	3968	TieringEngineService.exe
Token: SeManageVolumePrivilege	3968	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5096	AgentService.exe
Token: SeBackupPrivilege	5100	vssvc.exe
Token: SeRestorePrivilege	5100	vssvc.exe
Token: SeAuditPrivilege	5100	vssvc.exe
Token: SeBackupPrivilege	1636	wbengine.exe
Token: SeRestorePrivilege	1636	wbengine.exe
Token: SeSecurityPrivilege	1636	wbengine.exe
Token: 33	3124	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3124	SearchIndexer.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

4192 chrome.exe
4192 chrome.exe
4192 chrome.exe
5928 chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exechrome.exe

description	pid	process	target process
PID 4788 wrote to memory of 2460	4788	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
PID 4788 wrote to memory of 2460	4788	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
PID 4788 wrote to memory of 4192	4788	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe	chrome.exe
PID 4788 wrote to memory of 4192	4788	2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe	chrome.exe
PID 4192 wrote to memory of 888	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 888	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 452	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 452	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 452	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 452	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 452	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 452	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 452	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 452	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 452	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 452	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 452	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 452	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 452	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 452	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 452	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 452	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 452	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 452	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 452	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 452	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 452	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 452	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 452	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 452	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 452	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 452	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 452	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 452	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 452	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 452	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 452	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 1304	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 1304	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 2108	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 2108	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 2108	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 2108	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 2108	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 2108	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 2108	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 2108	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 2108	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 2108	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 2108	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 2108	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 2108	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 2108	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 2108	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 2108	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 2108	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 2108	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 2108	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 2108	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 2108	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 2108	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 2108	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 2108	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 2108	4192	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4788

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4e049ca8feed9b78e5559d7629305585_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x29c,0x2e0,0x2e8,0x2e4,0x2ec,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd6b7cab58,0x7ffd6b7cab68,0x7ffd6b7cab78
3⤵
PID:888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1892,i,8642023597344049046,16917164909767927327,131072 /prefetch:2
3⤵
PID:452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=1892,i,8642023597344049046,16917164909767927327,131072 /prefetch:8
3⤵
PID:1304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2084 --field-trial-handle=1892,i,8642023597344049046,16917164909767927327,131072 /prefetch:8
3⤵
PID:2108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3004 --field-trial-handle=1892,i,8642023597344049046,16917164909767927327,131072 /prefetch:1
3⤵
PID:5060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3012 --field-trial-handle=1892,i,8642023597344049046,16917164909767927327,131072 /prefetch:1
3⤵
PID:2320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4304 --field-trial-handle=1892,i,8642023597344049046,16917164909767927327,131072 /prefetch:1
3⤵
PID:5492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4412 --field-trial-handle=1892,i,8642023597344049046,16917164909767927327,131072 /prefetch:8
3⤵
PID:5604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4584 --field-trial-handle=1892,i,8642023597344049046,16917164909767927327,131072 /prefetch:8
3⤵
PID:5640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4816 --field-trial-handle=1892,i,8642023597344049046,16917164909767927327,131072 /prefetch:8
3⤵
PID:6112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3968 --field-trial-handle=1892,i,8642023597344049046,16917164909767927327,131072 /prefetch:8
3⤵
PID:5316

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:5000

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x28c,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
4⤵
- Executes dropped EXE
PID:5680

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5928

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x294,0x298,0x29c,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
5⤵
- Executes dropped EXE
PID:6012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4524 --field-trial-handle=1892,i,8642023597344049046,16917164909767927327,131072 /prefetch:8
3⤵
PID:5736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4244 --field-trial-handle=1892,i,8642023597344049046,16917164909767927327,131072 /prefetch:8
3⤵
PID:5864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4640 --field-trial-handle=1892,i,8642023597344049046,16917164909767927327,131072 /prefetch:8
3⤵
PID:5376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4832 --field-trial-handle=1892,i,8642023597344049046,16917164909767927327,131072 /prefetch:8
3⤵
PID:3180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4696 --field-trial-handle=1892,i,8642023597344049046,16917164909767927327,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3448

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4388

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4332

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2212

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3256

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4700

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3264

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4052

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2372

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1652

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2380

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2004

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1488

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2704

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3144

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4848

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1664

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3968

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5096

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1388

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5100

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2952

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3124

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:2084

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:4988

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
1a0258f011fad4c3c0289d52621c48b7

SHA1
909723ea5addad514f7622ad8ef22f98e6804fa4

SHA256
118053e7d9460afff2ae525b6de746915eb79a2cc959ab4fda35ed8fde481919

SHA512
517eea3033f196118512d69b067935458e14c0758b09e3d92fcb2b37330691b6a2f1cb938c27e78fb0234fce245b8da80418b3bc1f655660d5104751f1a9837c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.5MB

MD5
769b7b5d3811722609f334cecd0d0204

SHA1
841ba547b5125c4cbc76789166f327d316099c8e

SHA256
6d76ad191b0d696a4d4832a39dd7330060b984a47478c9ffe310e2447d246d0f

SHA512
ae7ceed482177df68bc2447c3598d0efc4fd9414485da3c3abeba306f5ac19e3dc8bbd3d3168c74e64863ff9f0e138150536b6d98898a45b55ca28f726a9c06a

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.8MB

MD5
ebf5772a6d232fb605e0e9a44c3c77bd

SHA1
555cf5d21d163b7842b2ba4ed8677fc67ebe20c9

SHA256
61bf5b9b63eab93651cd41debcbb6f9342295b550196744453fbafb6bdd63788

SHA512
5f5f6a4488d7ae903e38d25583461f19dcb3be4f5b648cbdd7319a59f5b3764dd5541f2f2f047ae0997ddfb47c0433142baf1759235e5380e8048ccbce1ef01b

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
e256525980db89cf171b4fc33f10aeca

SHA1
9f23b533d32e7532ef3de035498aea3582e03909

SHA256
fa118e923c331f6157addae0eb6e91ca6ce823ed524aabbac7bed56ddc34b019

SHA512
d4ebffc65d2c190dd8088315b30f5a25cbfd711a706136019b5058cc77eec01821e2287b64ce924a94595d7a7935e1fcfc335fce59508dd18ae5e024de69f480

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
2b8f4c8874623820c4739823763297a9

SHA1
eb5e94532fed040fb47910d8261974af3b226c4e

SHA256
747a1b4af7cd2539e4655ef5a535fbd52dcfa00522dfba2d014766b588b0f162

SHA512
5e1c218d4081d042c753647f0cd42c1b438c486cc88502319a54be007518d4aff6cd970e1ee9d7d36ba438f79c380346db5fcbcdbad6fb03f56eadc761e2a98f

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.3MB

MD5
28074bc3298c60facefd11d6e3c0a4da

SHA1
193bd9dc85045bbf179bd7b4a7ffaca412e52dbd

SHA256
d9afbe06646bbdcdc0838a1d91516ba325f67fffe3e61f3478944993ead2124d

SHA512
7a171da873a673b37604028c7177f8a29ce1ae7945b9c19d07448efb9e22c33b51a06ccf52575298dce5b44bf614029067dd389e563d8ff05c13b89bdce863b4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.5MB

MD5
216903d7bf416d116b0d468b48afa501

SHA1
b7aec6224fe854b7077cd7d47b008d5e836cd60d

SHA256
a1816c43ba2eb459c976169613acb4d40c72f8ec52ff467f0c4a2b92788c6e69

SHA512
f7cf2787ac5238b1248819b2a362016b6efde0b7c943e0f983aaf2018c5462a939b61fe47032f6a028432a5d32d79704b2a9a083f9c9906df0b5aeae2805e06d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
9d74945e8b45c844711e5ef023897ee1

SHA1
ca981a7215307414cdf810b14418efdbbdf8f740

SHA256
20e0905231679a519cc9090b43ca13f826607753ef076c6166d4438072312af2

SHA512
fd681414994394aaf84d5fe26b5217fd27fcbecc10a60eee31643f7b585be0eee792d99c88e2b1192a0afe3f88ae6ef7b5fffc37aa2dde3502574fb6abc8e387

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.6MB

MD5
7f2e8790f4def3997d18d3c2385dae9f

SHA1
c4510a36f1afcc9cb2e07c8b15e0e4e667a5c9d9

SHA256
a5cef4a3f5489bdf8f77f75be61979cc1bed1b8a38a7d8176d1bdb37884e2cee

SHA512
7162e943b6b6c7bf451c2e11a1b8fa43b292f379306386a6383ceb6738a897aadc72de04e5a8bbf7991c579fb914f2fc0cd1e3290cca59436da65f5cf1996e05

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
2fd22f36f23a0675d0f33c23cf377377

SHA1
39ec6f24ba95f90abefe04e08ebe5574d2fee989

SHA256
eee85279185398a40a4e63a23492d85e87be2faa6ddc707ac7d19382d240c443

SHA512
177596fc7de538a8a7b4b3dda697d1ed950431411435dcb7272ca1f30d9772869e251e2ff9b88fe6100928ee5c0e8aa7c90d7c9268ee03be5eb4d3f1bcb37299

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.5MB

MD5
0bbc95c898d5b8397d8153b6551c2d15

SHA1
da1053da09e20852467478adf7e097332caa1c6c

SHA256
282e24ff8589c592f357c36a351b1f4f0943ddc7a63461fd727f88ce1ddb7b9b

SHA512
d62645c05df8c27250ed25241268950433692e1ea12c5dae82d75b6971758bf76b78b84730312e631697cb487324212743d5e7f35e1edabc6b17243163771532

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
2aeb6e1d4695e6d6e483410d316e0c20

SHA1
7cc39ed20da7801cbaeaabd6f901b31a1719b830

SHA256
8ebe02f1ad6678c4bd806711188fb920e2a4536070c843bc00bf5839f7b6df89

SHA512
084be4407dccbeda938a069d5f0752138c1ba71568037a09297d2339560eb0e42633a2c64fc54c2560b1ac7173cb755de754673b5f63f47598c269022f600e7f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
0a800a32eb8702ff10627689168af318

SHA1
4933d055a8fda934a6f4fa306e08bf9d6652592f

SHA256
8fc6b1f9a79ae99947d43c0116e9f511ac3a736fad4c889082fbb5483625e9ec

SHA512
0f615861555cc8bd6e57de1b0b10b73c4093f2657eb395534b93da0d01623f3d1e422b1798e5e1cb09f2a61e0fb64be6c86caae64102329d02f711c32fd0a74d

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\a9647bd2-038e-4ed3-a8bf-894b4024b8cd.tmp
Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
80c8f6787d0533f2ed0f775a90a43f62

SHA1
7ff5fa74f648af29f9cea4ae2a76e15c38754723

SHA256
9f56f5ca3ce8e732d12853194317e6ca8e203df58b5d57c49935f0d5d1eba127

SHA512
7f719300a3387a365499baa2a714c363a4d4b4e4091f1e496b20e7d93e4c196508c417097f64fdf77561e7ddfdbd0524f890d199fb24156cdbf4c82b1fd563b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
89f55681cd116518c116754e0407b2c8

SHA1
f5d4aeb85e94ba181091d6a1ebca93915919c9c6

SHA256
f36101d056932eba1217b54d3ee1c54e0c6c4120087bf1e1e0781625d2be6fc9

SHA512
8db0dc249a77703508e63c8314af4bddcf54ac4f887b26409f743b344b94f9afe762d266cbac8b8097ffb28870d40841c7f64ed60acd087dbc1768db15b1c0cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\7f381b4f-f842-42bc-aa56-2ccda03773e5.tmp
Filesize
16KB

MD5
dfc8b4f14c509d7d8371e78bd1e719ba

SHA1
16aafe90f430a2618758d4d1674afd852a0b6f3f

SHA256
1359a1643a10b3743200ead03c9a9d737a09bdc1bb39753f40d88f0344f94a9e

SHA512
1b22af8a0fb9a62a25c83c58fa1cc305ec4fb3fb5c73a20783f6c8d86c6f0c3f84e1f6bb7aa2628499d416a7c0b9aae580de16e557573835006ec9f4d620353a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
f8e23d671f0dd0f0d6be76bcfe904fdd

SHA1
c8328dfe641c34de83e50828de911a58c7117076

SHA256
a518fc86bc9fb7ac4d02bdcccaa80cd0c38ef7075b42899fd4bd0cc68cf4b430

SHA512
3b91a969423b9606f2f104a1f1a8e8e70621e0090743bd107c1ab5136d750c85a93f028e85279a96fdf576fffc43db7e861a6c21eaa4048fd14e06dd4ce2d245

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
354B

MD5
37875255d12a561b38100e9b3aadd50e

SHA1
e921aba3275595f9e4eb98018878343ae7c04e48

SHA256
b0c97e936a8b233408b2bb211a16c5dfe89a2df9504c8e72a1c66b38225ab703

SHA512
d184ab72bdf616f125b01dbb3703f89eedf0f3be281d4d945d4cb9ff9b2ac9f4df4f789a1d3533e06c0f6417adf025fafe1dfccdb4e4689b5e6db2759ef6eec3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
eeef85a61931000919edd687548cefd6

SHA1
d00726c4f82acc1450e08f4ee60e281cd559a24e

SHA256
b96d01eb2a116e1e531a543f54394bacf1dbd1aa7d3c018958490bc10d1bf11f

SHA512
3cc3e90d5fcae18e6838f135a0ceddf347bd1182eaad9fcaffc12a03be8ffb916aaeacf1fbdd2e41b8beec71669e38d679213b8dc7b4a9ca37a423c74eb818ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57ae9f.TMP
Filesize
2KB

MD5
8e5632bb5baca5f24f88c9e2a8eb2b6d

SHA1
71f7dee86640b602595b40c6a65d7ed4498cf00d

SHA256
88575950e262396bd009db3c75b18b3a1cd44b7b869b90f9b2c961ce9b74c1ad

SHA512
def476d83ba944f2fe83839108072677672a230218192751dd5e37305d42816e2db59b6f368fe8d3ca8848542ac3e3732dea3a58187c1e14f372ff2f721dffcc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
262KB

MD5
5f7e8580914c0a6185aaa2674bcc8554

SHA1
5212eae2fa6a9e814dd6efc148954929117e3d63

SHA256
e09ac0371d99f6a250aecbc32f524b6337fbad9b3145cb0a528268b329ec217d

SHA512
6e3a50415196e1856f35dc73ccb5b9abce028a20f02c85ce73daf0b906666f12765ea182276ba974c5788795b9ca31150e1865f99df11f7ad88fad0539e5bdc9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
257KB

MD5
2ff57b694537826dd06bd92b2a2a21fa

SHA1
b4afd93942d15741e1701c3a8d37e9173bbebb41

SHA256
5599e5306023afb7a8cc2df329c604c6698f2df23c75a09df2374ad2f3931269

SHA512
9df4ed8a1904b9ed122ff4c70823acca7200763907a60eda5b3a94752ea2905a4f4351651342e9ff5ed90c9059b757a08c268722f5ddda8515730d45e9f2efdf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
282KB

MD5
d1f23e88298aa860a3e4b66b5ede24af

SHA1
0613dfeb99556283906527f060f53c615891dee6

SHA256
dd2618e63cf101c304bae70b4479b0fb98de32fca68b13855052bbd87a473d42

SHA512
b0a0f7722aad30b5127763addfff9b0a2d9d4ccd950d31206b5a8a8b15be089544c90cd14bf37c8fe8d59fbba164ccd26640e31a01393298c974480f5d694a09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
262KB

MD5
497caa63f4dcd5e12361a4dcb0e6b029

SHA1
83ed14c916931af491100ebdd0e3cbf209ff10d0

SHA256
93367b0601d74cc1daf4321bb73e21f4bd5bc8ac807fc11755dbe543060ae53f

SHA512
1e58e53e54533fd34781f7374b505bf433bc6ea41b0db66517100bf2839e5abd89a5b34294b59a5efd91609448722398f72da7cb0473e65712e0fa6b0ab5b247

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
91KB

MD5
9cafe3a19bafcf5d38ebd2b480a9742c

SHA1
c891dd7a9ac0b0d5c22f25fa75861605b7cd7ed9

SHA256
3854204a81c2bf8e7292ccb37b257397661297c369f64fa40313d5e359e23850

SHA512
e9166e5d7290f89cf5dcb140d171c3b9f80a5cc9f1176ae80819209f27450889292784cea3529b1ea6da6f6060556127df7a2efeaa4290e7e426b23b75b77a23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58241d.TMP
Filesize
88KB

MD5
d1a695be3364cbde2325c4afffc317ee

SHA1
b393db34fb305b20c1d207e49f6feab2bbec8832

SHA256
0e398b2e3e8399045a728a8d29021a36875c75cacef62ffc4f8c99b01dcc99fb

SHA512
2de979fd882e4ba48f51a395019ce8eb86e723b538800fceab5af9db17250c7eb01417843831da699c25a5d4be733c0d7ba7813bb0238966ce9947ee0919a492

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
7KB

MD5
383d93f8bb3b2b8bbff8248f2575eab7

SHA1
2004599ff6bcf97f48af8af5d9997dd71e24be16

SHA256
c96c2a94a1274b2a00303f6db6ad903acb911cdfd3a84998e46028ced767c788

SHA512
7d87fc276908b18f6156d6e3c57e1ae01210c7695d3675d68d1cec5e8bcd4079f9ad710803a18b2e0c43f425412f20dd405fb345481818e62fef8399f66e3ca6

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
8KB

MD5
6a2cb2605a0ff28d772a1607791ee2bc

SHA1
ecb74cc12a2421d7969e20b52b1c940031330042

SHA256
45e8c52f618964a64e6b41037d5b6e95eb0276dde52c15e423714cb379f0cd78

SHA512
6ac32f3cc2d09c85485454a54844f989df61132cf4a4547bc9985ece36827027c8a836a95bd98a8a6bba9524af3cf17df109f9fc01afdbfb6d9a742f261681ed

Download Submit
C:\Users\Admin\AppData\Roaming\52ee604ec8648821.bin
Filesize
12KB

MD5
80404b3f502f97e193f8e42960f5e853

SHA1
250cdfa606b2ab0556f0f5c19a71582d6eb36bad

SHA256
aca9d0ab6a379d54dd8870bd9865233fc94c1defa72cd0940e58d07d079f3052

SHA512
00d05c09be8b5846c0fb48c2da7d76489d0fd7b84f0772d025c62d4544c749854d55d3e842acc68a2a5dd7d0205beb6297fcdd78865bc54ad4795bad1f79192c

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.3MB

MD5
58317c13530eefbfae47f05ebd0661ac

SHA1
d6d8ccfeb1c66657e3ce81c410311bebd8f12800

SHA256
c4a86e54096fc5726bddd3859e2df494fea9e93236c02b48068c81541dcad97e

SHA512
ca545922b28bdf36c342c919b24cadca4ba6b5474a29813d2844985917af2a558a1183dc92bff79222bd5fe019de18c83c0eb1e45afd753850ed2c83d9ff7477

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
9964d986208e52bb89dd21f944931a0f

SHA1
3821f2e89edbacaa769b4a6b31b9e030e5449966

SHA256
462fb0f5a664a532e9f809e562e6f5d3e08916f0c8f9e8ea41a0e7497837546c

SHA512
ac2fd900ac8a6d3a0b9b64b903010e477c936f7679c01ebb1b8c64ec7efa3e2adcba88150f8a3cd75c5d7a05660b001623a01c5a00cc04f0b972c4ce857cee15

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.3MB

MD5
c6586888fe87fefa5d54df020ae8f643

SHA1
5acb2dd2cd868de1a27cb6dbbadbc2b6e5dce5e1

SHA256
0e4dceaeaa48bfdcb9b4a7ed397f8ade35fe98951c9ae1a121d7c27883bd112d

SHA512
e2651d2f5289d47d96ea7bbace14b9cd828d8e7be98625bbf2db572e6dd98af3efa57186a238c4c4236e497221acd01327959c215598e59a13e8d2e3a3f6fb76

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
0155b9e82ab7cf7cf740927775eec532

SHA1
4029a4fd04de36a2a8ac82b22154455da17d682d

SHA256
142d180704dd1910d2f88dd3c1a4edf0b58bc9b054268c311895ef4f518d5953

SHA512
f9665f7ab2b8c347cfb093dfa1f5bfd3dee80c2b66667b82ac97212e7cc794c61bba40fa43ded6b0fd48143414a4b86551f2832942707d3e552699b8a8f1ee0e

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
0719ba516c882a97f53780a0a68f388f

SHA1
0e895992389cf16ffc0f26148791225159214053

SHA256
9e0f0fc4506f7071b1def3873e8decebbcaa94ad53d66e0dc809e63b5e7219e9

SHA512
c277fbb9c344bf9c75c14e5dff3b452c97691ab399a77aa58318bda8e55c5e48cdc105f15ae9416d80b9a99fe23e85a127703c681c4ac21af5e54acc63165272

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.6MB

MD5
4eea719a885fadf51b2a33a3116c9302

SHA1
833281b3525ae5ea1e2757ef82e76531ddb1df0f

SHA256
ef4143ef93ae7adeb68adcbd330009e41b763b06fd68447d3f088a73cb50fdf8

SHA512
24bdf1506bc9237f46de4a7589f81e42eec0d6431d6aee97ea63dc66a77540136850b292b853766183180eedb1ff63532e5ed1107de9fe8771af5f2f37a25aad

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.3MB

MD5
e17d5d6d19e2ac49cef9c4650b4ed6cd

SHA1
284bb0a032e45f63b2657b9f298fd88ef0c30709

SHA256
1d14a83203bd123a3551e21906b54505a66a1c3857a50da325d806cb18e305ad

SHA512
0b80d18815091f9c9f69ccd0826ba7a87288e5095354c958b17a75cd179345a8d29a761a276fce2b4c36c0e2ffb10188f23753841d9fc5db97c9e01f723a450a

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
26d6d3d8f026000107934572f3ff6aee

SHA1
a439401d6a610411f099c854b9880187d271c8f5

SHA256
4bcfdccfd8fd732194124ae91a15e22b1f8801908b6c9e966594f5047d11c19d

SHA512
ffef6df11956736b892ea43d7e47bc910bac6b51a9ea310582850cfbb7c4c16e6d20d4ee9b761fe2a33ea6b4ec0cf1c244f11442433484e424a2e26f50b5bb67

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
60d4927916bf72e219764d8e212fa6d7

SHA1
4f6c3ff407c864e5b7910fb1b56ce511a9c88512

SHA256
af158f8396d71d2e470dfc59102cc2727dcd1d92a3c1dfa7df6599c6296ab0e8

SHA512
2a6e374d7acb8f0529979f00499e285cf2d52e480cf91017f23ec1999feb8f6fa34590aaac5e1d4de895bbd12b3a2a50a8dfb155c8e30ca99393cdfd0192d44a

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
18685fb6a422a46f634d2f3a97762169

SHA1
7714aec850b6a24cfd42619af264536fe7baafdd

SHA256
b3615dc59f7373078103a8bb01946213b77a83c70a5f2679d2306ca176860f7b

SHA512
5e35ebdc450b0e27888746a92ea503b30167053b82b102e190d7a83dba067248ca671701af5dbe6fe8bf786f855e0dad688a6922f48a9bd3c1a20f4968a13b0e

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.5MB

MD5
dc2d7d107f2bde295f40eddd68aec35f

SHA1
86aed69edf20357974222bbcb05981af4e67d9da

SHA256
ed2da72714dc75b4c754c087350de07513c9027a783623254c8d5079683df717

SHA512
229c6ecf9eb565e5eeae1c2d6c39dc397ef7ba3ccdfe63c4fd19979511a45294e94352d290a5ef8947c5fa28d81ac6b463dbaf8b0efa816a93b29fb0a4f4865b

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
3e1912849a0e552ce4f7b9e3f8b42ce5

SHA1
81588fe2e45bb8e8fad6421356257d1916a7f916

SHA256
d9e716cedd8a0fdec22e3c6a3844048f410ecb522ee52c123148a6a67760562a

SHA512
8144cadf84b2b69dbdafef02c6de8bcbe2bc5c29cc7453e1f4fb8217d2e174233885bdb57711e7bec3962116746096f2a61e74a235a0a504d765081f3ab2c49c

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.3MB

MD5
bc1705f659b3569ef7334886faf24d93

SHA1
06c24f2bf2f5a120ee07ba23e2b1ab46ecedf40a

SHA256
ee4bc2ab8561cd4a544a0a90785a937022065b43b819b737e13eb127624081b2

SHA512
9e62f33c9bdb9fd36c424c850c77095b877720f02b2e8e3791fd2d0c6c11c6c0967706804d602c0602257a4fe75b409fd7575bf8e7cc8e52c73a37f08e38d3bf

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.4MB

MD5
a8087688be6ca7a08a4ca74bd162f586

SHA1
c4654144eb8c283e53b6bd71f94ec5b84ab11e4b

SHA256
b34705ae15138a4a965ca77854fc9acfecb5902c5f170d123d7ca11df023037e

SHA512
7941e5facc6b3e6cf7992455819cb796e112b284eca0f53af1e8fb927b1e81b3babbb58f3c0ce6bb3d7ef8ce054e3450b761e515c783a85c894710e680bff8fe

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.3MB

MD5
11c44ad1e8fde0b2a575308164ee8368

SHA1
46b6df122f5e8b0a61dbb75d6d3d4e99b32b74c3

SHA256
3b84e37540488990499f9e6a4344e6993d32b422ff8e72376298b7bfde1aa1b5

SHA512
bb4bed36eb061d93079abe064aa690729e83871d6be9e570e3252c9386fef03b934e071eff9ee9a997e4de4ec03e064287268c5e817c8c54fce30bdc97b68907

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
5a38afa9e0476c91eaf600f09237ff34

SHA1
c227387379c35bcf5d7b0722d5bc8267135d3daa

SHA256
83117731bf57680aed5e12188196d3a1a661b8a98d2304bba286704cdee2431d

SHA512
9d0ece9618c329d624768b34ee197a3897013a8933b0bb4a48c6801af56a823caefcd7098a4dac9a3bdadb662bda90d981a169424661f4ee9fb7f881cf562fd0

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.4MB

MD5
822c13faa306e4dc363ca214669a8901

SHA1
83cd2440f5a64f2a7c0dbe8b8a491776c90d1ea4

SHA256
61946fa3591dee0c0881b0417a9447809bf926dfe6ee851bd6f246a1f11a58c0

SHA512
f47b306d19ed1e6526c60aa8abb95abddc0ce253be334f88e603316ad9d63ee7d7ab2cf3b609a60a2f32dbf780c76e683defea858d58ede88a948bc14c8a6a88

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
e7e05e6248451932dbd6b15a9d97b592

SHA1
6486f4c9af3803fad30e5087064fad484aea03e6

SHA256
03becf22bcf8a535c0852b0a4c507119703c6c015d25b6803f07a72b15e9f046

SHA512
437ec81e3428589c7084cb318e62858c39e86db7f0d6d1f09f5a59be4ff4465f1db1cda64683204b46c114fedb025d9db983f138838543cf435b0ab132109af1

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
63c24fafa38c1b0109d7b33c1be0d22e

SHA1
9b3ae6d17378fa094069f9aef62df034089e3083

SHA256
5928caa89b1d2b710b06e2032deeeb129c5844abc95bb506a96a2181663fdb20

SHA512
1387ef7a3e1e729ec2d22463f44463c5645c772a8336127bbbc7532923abb04b62bbfadf10c12c2f6b50d1ffb567ae4059efe192f3fc0ffdd90ff0cafaacb6b0

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
3eb53d4d58f3dd51957d68aef0157fef

SHA1
049960551d63efb784312097f5a199dfb23591f4

SHA256
adbea0c6678d04af9ce66d519692548eac3bca13c6752e5fd0d9db49ecccf0e1

SHA512
07cb687355f3005b08df90845881de89522a42bbc6e6f7c51d1c7c70097620cd49d752f8baa44167c8d2694af17d9ba99199708fd11ca9ea005db30f0ba723fe

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.5MB

MD5
ed46391b9cf88d116f426a0b1f295b8e

SHA1
e03031adc26ed3a2e0ff48e24a6f99c0e35bdcd1

SHA256
f2b7c0a2642738228f960ec8e75d0bb5317fc51b8983c322764fe15baf682805

SHA512
a6d33573e8c8fa62fb0557545df5c4d6e810d2f6bfcbb1b0d2f31bba2103474140571a1cabda816184646c6c3e76b0c89a0b2a79d429cfd99b32a88c9a11b108

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.3MB

MD5
84c2d59942c4b987f055e6e7ca983f66

SHA1
eda24867f923a879e8c36e263e0529f0e7d41cb9

SHA256
140f11380ac3bab290bf8bb316825de239f830181be2a1aeab4d1bc963bec322

SHA512
3aa6849792f84bd43f6a9734e20a5282dc982724fd4180bcb9942c4df24bf21d1336eef71b55ce99b06809b4ab57df5b9af762339f907e7f1957d6dc71350df8

Download Submit
\??\pipe\crashpad_4192_HXLFYICISYYYTRNE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1388-323-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1488-317-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1636-325-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1652-314-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/2004-316-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/2372-311-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/2380-315-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2460-20-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2460-18-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/2460-12-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/2460-574-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2704-559-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2704-318-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2952-651-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/2952-326-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3124-327-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3124-652-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3144-319-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/3256-86-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/3256-61-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/3256-55-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/3256-65-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3256-97-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3264-77-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3264-83-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3264-313-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3696-321-0x0000000140000000-0x00000001401B1000-memory.dmp

Filesize
1.7MB

Download
memory/3968-322-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/4052-89-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/4052-102-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/4332-51-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4332-45-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4332-64-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/4388-38-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/4388-28-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4388-646-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/4388-39-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4700-312-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4700-67-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/4700-439-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4700-73-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/4788-0-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4788-25-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4788-9-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4788-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4788-22-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4848-320-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5000-534-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5000-606-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5096-220-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5100-324-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5680-545-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5680-733-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5928-572-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5928-595-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6012-738-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6012-583-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download