1659cafe7f0dcce553c4e351123db15613490e961174dd8c40e4353c4311e95a

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 16:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
Size

5.5MB
MD5

30fd009b3afea3fa4f930fdf3fe240a1
SHA1

1e3b51dfa52cc1be31f8a42831d78e706ec60d9d
SHA256

1659cafe7f0dcce553c4e351123db15613490e961174dd8c40e4353c4311e95a
SHA512

5778caf89c3bb9ba3a40d96c70b4f394d6e6ff676fa8449db1553707b0444a673b7d93abe1a92d871114c90db08f78511b4fe09fdcffedbecbfa6ad9d5624670
SSDEEP

49152:3EFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfF:jAI5pAdVJn9tbnR1VgBVmH/iyB

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
4028	alg.exe
3656	DiagnosticsHub.StandardCollector.Service.exe
4356	fxssvc.exe
3232	elevation_service.exe
4988	elevation_service.exe
2356	maintenanceservice.exe
2148	msdtc.exe
3440	OSE.EXE
2540	PerceptionSimulationService.exe
4984	perfhost.exe
1016	locator.exe
908	SensorDataService.exe
2516	snmptrap.exe
3928	spectrum.exe
4956	ssh-agent.exe
4300	TieringEngineService.exe
3468	AgentService.exe
752	vds.exe
4444	vssvc.exe
1784	wbengine.exe
2884	WmiApSrv.exe
4628	SearchIndexer.exe
5784	chrmstp.exe
5880	chrmstp.exe
5988	chrmstp.exe
5376	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

msdtc.exe2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exealg.exe2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe

description	ioc	process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\520fbb84bb5459c0.bin	alg.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exe2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_97390\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_97390\javaw.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exeSearchIndexer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003af39032f7adda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004793d532f7adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000093e62632f7adda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000097797d32f7adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000922a4f33f7adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e9343532f7adda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002ca6e832f7adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003d551833f7adda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ce6c6e32f7adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

Processes:

chrome.exe2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exechrome.exe

pid	process
1576	chrome.exe
1576	chrome.exe
1076	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
1076	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
1076	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
1076	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
1076	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
1076	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
1076	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
1076	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
1076	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
1076	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
1076	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
1076	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
1076	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
1076	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
1076	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
1076	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
1076	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
1076	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
1076	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
1076	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
1076	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
1076	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
1076	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
1076	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
1076	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
1076	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
1076	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
1076	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
1076	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
1076	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
1076	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
1076	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
1076	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
1076	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
1076	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
1576	chrome.exe
1576	chrome.exe
5440	chrome.exe
5440	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

652
652
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

1576 chrome.exe
1576 chrome.exe
1576 chrome.exe

pid	process
652
652

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exechrome.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	5004	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
Token: SeTakeOwnershipPrivilege	1076	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
Token: SeAuditPrivilege	4356	fxssvc.exe
Token: SeRestorePrivilege	4300	TieringEngineService.exe
Token: SeManageVolumePrivilege	4300	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3468	AgentService.exe
Token: SeBackupPrivilege	4444	vssvc.exe
Token: SeRestorePrivilege	4444	vssvc.exe
Token: SeAuditPrivilege	4444	vssvc.exe
Token: SeBackupPrivilege	1784	wbengine.exe
Token: SeRestorePrivilege	1784	wbengine.exe
Token: SeSecurityPrivilege	1784	wbengine.exe
Token: 33	4628	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4628	SearchIndexer.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

1576 chrome.exe
1576 chrome.exe
1576 chrome.exe
5988 chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exechrome.exe

description	pid	process	target process
PID 5004 wrote to memory of 1076	5004	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
PID 5004 wrote to memory of 1076	5004	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
PID 5004 wrote to memory of 1576	5004	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe	chrome.exe
PID 5004 wrote to memory of 1576	5004	2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe	chrome.exe
PID 1576 wrote to memory of 1304	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 1304	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 4356	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 4356	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 4356	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 4356	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 4356	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 4356	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 4356	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 4356	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 4356	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 4356	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 4356	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 4356	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 4356	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 4356	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 4356	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 4356	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 4356	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 4356	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 4356	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 4356	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 4356	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 4356	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 4356	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 4356	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 4356	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 4356	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 4356	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 4356	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 4356	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 4356	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 4356	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 4580	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 4580	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 4180	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 4180	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 4180	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 4180	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 4180	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 4180	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 4180	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 4180	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 4180	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 4180	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 4180	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 4180	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 4180	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 4180	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 4180	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 4180	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 4180	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 4180	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 4180	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 4180	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 4180	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 4180	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 4180	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 4180	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 4180	1576	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5004

C:\Users\Admin\AppData\Local\Temp\2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_30fd009b3afea3fa4f930fdf3fe240a1_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d4,0x2d8,0x2dc,0x2a8,0x2e0,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd3fa1ab58,0x7ffd3fa1ab68,0x7ffd3fa1ab78
3⤵
PID:1304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1924,i,7779561770105713990,11275848485319464186,131072 /prefetch:2
3⤵
PID:4356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1924,i,7779561770105713990,11275848485319464186,131072 /prefetch:8
3⤵
PID:4580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2176 --field-trial-handle=1924,i,7779561770105713990,11275848485319464186,131072 /prefetch:8
3⤵
PID:4180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3052 --field-trial-handle=1924,i,7779561770105713990,11275848485319464186,131072 /prefetch:1
3⤵
PID:972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=1636 --field-trial-handle=1924,i,7779561770105713990,11275848485319464186,131072 /prefetch:1
3⤵
PID:1912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4120 --field-trial-handle=1924,i,7779561770105713990,11275848485319464186,131072 /prefetch:1
3⤵
PID:5448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4192 --field-trial-handle=1924,i,7779561770105713990,11275848485319464186,131072 /prefetch:8
3⤵
PID:6028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4592 --field-trial-handle=1924,i,7779561770105713990,11275848485319464186,131072 /prefetch:8
3⤵
PID:6052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4492 --field-trial-handle=1924,i,7779561770105713990,11275848485319464186,131072 /prefetch:8
3⤵
PID:5572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4848 --field-trial-handle=1924,i,7779561770105713990,11275848485319464186,131072 /prefetch:8
3⤵
PID:5608

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:5784

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x2a0,0x2a4,0x2a8,0x29c,0x278,0x14044ae48,0x14044ae58,0x14044ae68
4⤵
- Executes dropped EXE
PID:5880

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5988

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x268,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
5⤵
- Executes dropped EXE
PID:5376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 --field-trial-handle=1924,i,7779561770105713990,11275848485319464186,131072 /prefetch:8
3⤵
PID:6124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 --field-trial-handle=1924,i,7779561770105713990,11275848485319464186,131072 /prefetch:8
3⤵
PID:6772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4948 --field-trial-handle=1924,i,7779561770105713990,11275848485319464186,131072 /prefetch:8
3⤵
PID:6780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4608 --field-trial-handle=1924,i,7779561770105713990,11275848485319464186,131072 /prefetch:8
3⤵
PID:6872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2468 --field-trial-handle=1924,i,7779561770105713990,11275848485319464186,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5440

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4028

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3656

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4840

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4356

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3232

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4988

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2356

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2148

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3440

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2540

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4984

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1016

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:908

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2516

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3928

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4188

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4300

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3468

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:752

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4444

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2884

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4628

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4772

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:5400

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
174166357b9d4039a662c27c64c476c0

SHA1
873b86c951abe414a9cc2e6bc182f2d882e91377

SHA256
f0d48d5fe140f078ede78b8b76764b67d9eae09293673758815dfdf95d08eff4

SHA512
43d22b129e46ca07730878d371bdec0f29a17a3d8ec7e3cd876453e5a1c10f57332ca0e02b19991232e87f635de74fe6a082b8f8c644257375f13390e9cfa86f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
682d4368492fe0423c06dc98e321ea8f

SHA1
900ef97ad07befd75a2cc48d81c4bd5aac070df3

SHA256
cc7908d8130428608d08e28c226cc291d4b9c5c3aa707dd86d56e5f12670eb14

SHA512
5147db6f662d49688da5e80ccde627d5a80244cf050ccdf364c2705e4285a35d1a7e79dcffb2db8db537a218f9ed648ef07f40af31abfa0303b64733eae587b7

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
919f5797815231221011f1453f5ca54d

SHA1
0b18dec3e82e1830972b74c86459451085ec3584

SHA256
c8beba9e9cbf9e2d8cab4a8b3c9ea145c06de24914c7c7c7b02e3e819a8e27d6

SHA512
93c21b7fdb3cdcf98ad0b8f6f093b390fccf96cd0840eb5139d76eb6c8bf07c1d7a7cd794ef7d92e3036e491ffe9026d10a7e1ae46540aaa6274bd8c84a7b0bb

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
28e19aef112aef14d7eba20cf7ac1814

SHA1
455b42654065c3451e1ac4a85e22993f8c434a15

SHA256
ac5cbf78b156e15882eb977bf20253f9bb498cc24c908806dd448a89da53e2fe

SHA512
716cde7ae630577cd00ae74e2cc9577d5c40267577797e62f39e46fee7589022b07252afb339beac03812275969a1918499d945ba44920669111aada97314b51

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
d2c65de76884a514271e1912ffa856eb

SHA1
6008ef6d220f243a7f4e587281d71ae996ee8d0e

SHA256
976ea51aa90d77b112f1c0663cc0bc91468c943788720ea637191fdc623168bc

SHA512
6766fc7aa29e4c3a6f128c1ada254a2bd70fa5b817ad336f6fa1e788522e9e45ac98ad60f8b48781dbf59549f80d11136c3bdec8734ff55dc4000f9a70049f6b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
996d1691039362296f306cb88f671d99

SHA1
fa585372b223ee49468aba884b5cbe432741b77b

SHA256
008920c1571d050e07a4af27f309fc0e242ddb1666af6733f17e2a7fe467098b

SHA512
224fec9a83082f17f283eb4d5b60868e948fa6906bf7f6fd2c4ea0c72bd68132134a7be129c91f932b19c3620d6c748a361c98502c9af704a387a2454a1d4604

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
fd4c8fba1385ca1f895a899f78b99ba1

SHA1
deafdab9d7045c100727f397af8868279d0a897c

SHA256
40546b7f1dba607479e714c5d8022719838a87582ad768bf3637edb8c277c254

SHA512
923eb91824d2f36ec6fb5ee2ecc46bb8553b4ec58f329f7b5f7829a72ddacb35d2f833dd6ac794821a308db3789841458eda5938c8a281fe4eea0c8e9bf6e9e3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
0941379e28bb9d70048b84fe698d9510

SHA1
ed9a695884a500a51da79d32a5b7c233e4e2118b

SHA256
918bb179500692152089976fbb9ed9c3a2b5b7fecf7376f3dc5e239ed0e90245

SHA512
71732c9ca1a5a9720e74c6d255a7cbb545e832ef523868e60d603e9fed5f3813b2f5b8f328c44c281ca84a398a8d8ae873a1a99978be6aee45cc9be948c70e24

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
9ac8bc7e8d982ac9b822c2cf9dc8093d

SHA1
c2337f1af93d5b09a04341243dd4b1e829abf746

SHA256
b8b16f43271102988b17370e3839d518e0fdc489a58302290907984cb2f0564e

SHA512
eca76d4ff8706568ed579cc17d77606b78eeeb2d34d68bad2fd31940d8326076238fad5bc09a3df320a6ccc9e0a208c64bfe418f708c2f88cc935099a098eb23

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
3d39103154e64d68a4ebdfeea935a63a

SHA1
ccc7c4850cfe8ee73ec76eee6925790f13598da0

SHA256
020767174f83c1f9bdf2f0d44cb652dbc608a483d263f06e6bb3aafe6e99863c

SHA512
1aa098865cbc12d0f22b6c52d055e8a8aec591dbdeadfc72ebb6d3ca3b37354d34c98f4c9badfa5a0e273085b8e9d2cf549f42dbff7b6dc97436ebc481cd2204

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
b4a7de40fcf8b7ecc58cc84426795b48

SHA1
8445f902bc8ff49b1d1e6e06dc88c9f3d87003d1

SHA256
c926c714109f57dfdef211f9229de8da4c3acc3391ce35c9a9811f508854f956

SHA512
277cb5ff0a4de70bffaf2a5f64ebbfb3b353e4c289550eff11d545b4499c03b103c2b911d84b602b2133846f1b81a0ed628595b487bbbd0ef453c7331218e60d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
787d75e028c562c7907c81844aef2acd

SHA1
6313d85464c6ac7fd772041490c012f3151a34d2

SHA256
58cd5ba7a29774bd71fee626a1caba50e37aa83c1c2d2f829e6ad2fed0ea53fd

SHA512
09297f053eb341fbf2314432d960b4c232cf538f90fb5d664da0621f471f57a3ffcc7e68af59d8f0bc048a5524b9ea1b2dbed6c76245c6d100a1abba91573711

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
3afa19819f1fb84b97a4404ac6915ea1

SHA1
84d3e30b0810f3553be5f4298ce83e7bb3ef503e

SHA256
e2683c395be5a7f9a5f6b97f4bfc12404e4c1ea2ac2f5bdfbff8635831c1f1fb

SHA512
9f5304ca3aeef535e5e45a0d8168d441ba0b9d1b072fc3f386b7d90ce35601bb6f62832f20e19b2fdc638fcc2fae0dddd273def4a163c933ec9d255a8a4a1e47

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\3963085f-ba0d-4b22-9955-b0da11ed38f2.tmp
Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
b1630d5d2034258bc56844fa41725d9f

SHA1
dc2bb41a7fe276c55e6613454aad8d1a85f33476

SHA256
f82552d8943905533de59c14047cd65521e9a9c72c091129568122e6d6085b84

SHA512
0f2cc636d5541946f803b0042e5f9251181385056c9e5262a1d6345fe02f8606070c28194a3705ad9b049e2fcfb1da6b00e1912afc1ed402648e75dc82ade321

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
772424160a740ab46f10d75ee3f72e87

SHA1
ce1d08ca4145f6a14ce3727642af5a997f73d1e5

SHA256
00ee43ab7fd127a5e0b86cb4db053f67544834eac165db5b54f4b1d406952b84

SHA512
920600c6e67f96b735a40de5e0c4bc1c585f49dc7e92bb07295bc0fed6b1ec3814f5813690d169d574b7184a6cad67cbf97718c224b0cd95cf7df239ab536d88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
9afae3e027540f837d77c381c0192c7b

SHA1
29c7e32590009358104d925662d3305c85511cae

SHA256
87041c04a1175823ab7e07e422f759933a6a86afa0242e3a520a99a4ad569203

SHA512
2a07feca1742c50443b698cd75202bcb9fbcec0de9facdc3e4fb9023dc9404cbe89ed2d6da63e3e7cff016b0c3cdd648adde3d1d851af2064082152060e3239a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
0461ddaa68359b5f5c7e2ac9001761f2

SHA1
12f5a3203d6e440b606a6da0945fdf31a4cb9f9c

SHA256
33946e6aa7522ef25a708b6146bcd6e6763169f43e2b2665278580ad5f6d383f

SHA512
d0a6b61fd4682972164b50dec574c084d77e6277b96b5b3ad875220cf8ec1dfe7e0ef28362f2bd94b594fbd73402dd912a9fba880374d7004eb0f9f7a37cccbe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
88d86c0f9ac8311f00e9b6f59442e231

SHA1
ca75daa3ef327f95668cdb6f59abc854f3c58b6e

SHA256
5812a826dc75c9cdbdcc31610c1a8d11fc0d4eed6b94bab8b8df85c1992f62be

SHA512
db83ef7af08ef843a6583ceea9bc9b95d902f367814b0c2897fec0baed4765673d42885cee6348d74023d462a43d967feaaaa2f176f597de6bb1286280638fff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57692a.TMP
Filesize
2KB

MD5
62ef0b2d931dee49ed513961ece66048

SHA1
75ab8dd2d029abdc0701a541bf3076082b6e0c26

SHA256
2363d110b62787968a21ae43497d60d50ad3e2a713303aa36834d810f996344a

SHA512
ab8379f396349faf8b51cd6ef4cb31c2d16da749b9902654227175423872fa6d81447d28926892602644a35b30f8bcb9412ee90b0eea93108cf6eb1b8dfbea94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
ec0a163395036fb475b391300f0d5f7f

SHA1
4c67eaf6a41ebfbfb4bff89265734d85bdda6239

SHA256
9e6f7945f7b4e775771fb1c8736720e1058f86a8d7315d1cfb8ce6d1d6c49e58

SHA512
736b71b29cc2e7bb53e238d4cef772d637eb56b14190530e0e69d3d8a5469c03497342cd83a3e5bf4c9b3b4dac2033833bc45959f37ce99c37cb05674f2b35a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
131KB

MD5
e91b732d88ffca441075138bd290197a

SHA1
10076e8ec4009218e17378be50d75021a67b8b9b

SHA256
0998b9601fb615046a8f1544eaf85a64425ee9d0f5214c973e5612914adb810d

SHA512
a82f695ba0ad977e25d7722b7487c166a0e81cc2810ddd56d263f8d3d655a6b70b0828f3e935e43ee037889ea8596e8c59a23112f079c601d883f57df69a74eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
262KB

MD5
f90c373bb8cbd01134d1409824790359

SHA1
b9a3adbfa559929dfb86d05321778ec8899e5766

SHA256
f4af3d519c3c7c4c93dcacc673efd9bdab9334eff96857257cfa621b6ec9f186

SHA512
6c47fed98500416f210438e32d0cfe0cfc63084182d60e1619bf8dfbb7984429d3d6381a3fefc87036db8ef119a80187dc701acc4846b8ba5ebaffb8d304eecc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
283KB

MD5
d39ec33e5f22933f2414c221c547b2f9

SHA1
9f96939a6a3c54b3b2e515faf0cbf13dc9f6d376

SHA256
8290f03229a4fedfae97d25571095f8831ebe2ed4fe5cd67eccd015a93580e5e

SHA512
75786bc0cc39479e567a9562d98d9044044d36492d17ebb8ba5a69cc3deed1ba0ac3054a8d0f823e61340f250338c5260315fc4062ad97dbe630ac85411ce397

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
262KB

MD5
120541d34248b8388bf65b5545677bd8

SHA1
f75e3ad662adb5a74994f7e7499503e8684b56a4

SHA256
64c0e5d5537b7555844197117d4bf708ac0fb566c6c00bc89b9090c7557cd79d

SHA512
32f350aabfe24dca1d04b20fa51420f69f2d8b5201d36bdca8381426ebcf92ca70275d84a5430c971b54897ce6f6eac721982ab35254742c58fd7cb06479b606

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
91KB

MD5
61f3fd414e491a5691cc2506a9e382c1

SHA1
2503ca917bec85235177b644b22a2f85878ebc41

SHA256
151483e464c2d7f7df81861e917c3efdca7d4bf1db1dff92068dc37ac0f52d6f

SHA512
f783ed5c6f49ed709bad9dc9bfd2c3466e369abd722407c3dd53c9ec8bc681cbb77986d7837abf9d635ae6b21d2f23a3b51d06d65e5a823a2d5eb7eb706ca620

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57de89.TMP
Filesize
88KB

MD5
af552c2614ca3e672c5cfc2ed58fe750

SHA1
7f6bf6252f4907033b2670b2ab0d48612f666f9d

SHA256
15431e20def644a0a42be83cc0674682481ee33467dba95f73f7474d8230dd0f

SHA512
a8672d0fd0fe19f564d51bece4f089c5d4805a02f915ac2251a77c937a51d5092f211d21f7b5cef1d0624d430d1df0ed946ad8fafeeeb070e6bd04c49313e42e

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
7KB

MD5
fdbb87072dd2895c49ae3e39fd2b1d2d

SHA1
d82982a6f38a29e6b897eca774f3e322f9e30b8b

SHA256
c84e55a388f1e930ade5c641da2c2aefca7ddc4a026df8abbb4a222b098f0e80

SHA512
5404f1a3ffa3a4ad5d3d784d9804764ca4b732ef390457efebb7d7cf08c92038541896206b1d5526d77e332279bf511a76b3fb23435058a5285973bb6f1bd7ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
8KB

MD5
3a93b0f6409c060ad6f65fca95be53d8

SHA1
8e0f9ef2b33450490354a84c1f83fe25ace1728d

SHA256
756fdffa4701cdc091b876543e549fd22dc3528ac1df4751bdaf4dd4d5f7e292

SHA512
a24cda579c11782c70fee4820eb65454a1ab29edaae4bb92a8c9e71e41e13200151139ab22c24756f3db946ce1f2bfbe84970bb33aaca40aaf59b568845ef243

Download Submit
C:\Users\Admin\AppData\Roaming\520fbb84bb5459c0.bin
Filesize
12KB

MD5
adddba2575318388692381ba14c7da22

SHA1
4d24b031d28d40e6820cdccf84b37b27c15be927

SHA256
98cbbf948b8c366343bb31e28285c1a902acea00b14d544cbb84be4e83d3a525

SHA512
de96c2e9f694eafcaad88185d5c5cfae600c5ac90efd7720ef38df6a677ecdb5b8a746690a87a081b9a8045870930c9b3eb036d0525f43e9373550cbfb268ec2

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
d44ed4d6030ff5e4aebbdb71f0fa0f07

SHA1
f733cb004a3a7b6d12468bb0b95021251f86a0dd

SHA256
106a00acc9428b05b2474f0c5e3c72312648218011d6f1a6809b85a97d809e82

SHA512
612d655368343eeda4fadf42ecc982fc8ccaa4a1dc5436f072910470ef84ff4c0cfd9c51e5dbe4c83f10a64073cf4b2428ae5139704f8fc6cb0ed69dd42ac5df

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
a733b63dfb230482ba3ff94c49bfffa1

SHA1
52f93f33be137ed706e20e112983f3b6a4efdafd

SHA256
2abf0909f6aa419d5119002568e9bb2ff9a3a30991ecef6f0f45878a0b8e4890

SHA512
a8798e2d2efb1c1a1d29960697e08e4dd4e531f39f84d7e6c265884fec1b76e21b1ba9bd86916a43be7226d6bcf154ecd5725065985a5b263ec86bafb26a9324

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
1388aa97a6d6af8dd27dcd24b9c9d002

SHA1
31e9e4e0aa30767d0675c8f3717cd3b9035fdf25

SHA256
01ed600f5e50b6e1f82011dccf6978ed2102d8236f8da3ff8803434ca3fd9e4c

SHA512
36953ecdf2085ab65306023d51b324ffd0ab88c4c9e2d0e66eab9127d6fe24dae35ba947a3f67d5cf9a2781e6ba508ca45150b32bd7eb7a0deb015bedc7794bd

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
7455765c5342dcb10513bb87d4ce7390

SHA1
47bb8bed857fde01b90523b148303086e1312c05

SHA256
33c6752e4ea2031f0accc4b2900f5dc62eb5fedf5e6913440e8a8aaa8285b002

SHA512
f9e75f10a85284d667422cbca5702fa0bc8ae91f9c7be1d42b76c6cf7a5d01e41a7b56ac0692e0a23159c973b1d1e94182f1f82530af59d7f82aff6f9cfb829a

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
b709af68a0fe6640a3b85bd3e87a2ea3

SHA1
602fa85376f19cb15643a4cf0ed77abb5282e9cb

SHA256
a1d8c7f42fed43f828818191de0a56a06c23fdb4483a78d946136fe6bd00c1cf

SHA512
a0b4da354d3a1705cb3f86ff741395d4a04e4551c8ad2351cc846d3bd9473d78c9ad8f0113229810aadf8b97d3fb3491091a3f17144c9cf13dacf91d47e75384

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
e662e3fcf9fe282cc791f0a032a3b0fd

SHA1
989eed162afcfd30fe861c7ec0e8eda04b387848

SHA256
51dcc2f1edc3d27947a5fab1d8702e8b35ead78c5d2a2de82cb84a2de962d961

SHA512
62efa21d2b925fe9a818056abf8422f4587f9b3f54e934c628d6ce0a67111ac0c97a0d7fbd8bfc00b2423adf3d23a88c0a4dddd9c6db146fea2bb342f9938fc3

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
ca2cbb02a302ae7fefe67c2b52d1cd2e

SHA1
9b72ba4413d9899d1ca2a3c70c1d22b6d1480bfd

SHA256
bf2e41d5ce07eaeb02ce543beabb839b2d95f46ed2e2265e7c11743d99ee9732

SHA512
2ececfcd7abe5ae5d9f9cddb9151d006d63e2e6c8a528635825e19809c905f0ef381abbcdec82fc15fd4d0b66ea539f0b10cb9e8f548142c30a48db3f6ee444d

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
70d0d81017b3e16a15e3215b2b34d842

SHA1
3cf8b4fdb71646d85052a8f1e043a2d5e43baa2d

SHA256
73b8972a33b79b43f7316d512a58fe4af9f23adde27697b54b7df27a59ba554e

SHA512
61f2779ba7011c49904e1257504b4179d6576b30ab0137bed3183f2bffb9a8ff6bb0ff33ba1a48c4dbe5a04fdfb1a490a998c6a59b08306af8a98455227a5fb4

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
ed95b0e41f7eae91095058784360b834

SHA1
981e7f22f8dadc0784b623df2050f6b80c26c55c

SHA256
b49bec4ff4dd54d3a2b391e8c5ebf070d1fc9ee972f0975f0598cb21e35dd050

SHA512
ff83e006e6316b0c8483ba3fc6e055b302448e9ad34fc17844dda2559dc7f2ca47340175bbbd03cc308cf2a0ec80ef10b551f4fc848e622e32fe92d27c3ba1ed

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
aaa3e630ce9ccd6d47ae212196255ed7

SHA1
14692827334f59a705780458018fed9cad05cbd8

SHA256
fdcdbc6d2d286344cae7508ff483f0ccc580101f0e04162886b0dd15ceb7edb8

SHA512
3f2e6860367ba70f1f0d16bbc3edd89b15087549c6025064cf7af466e16e3df3917f2d402aa17e95a34c76412d2294382d019bc25a17cdec36a70ef62169556a

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
785a7946498062929be1e4438b0d2ced

SHA1
e74b7cbd0d1e84a2e8aa9ab1acf4b66b9b4349cc

SHA256
d4288e38ba537580f319a531ddc4a69b9735ed8d64b751f4060751f8683768a9

SHA512
a80c0a56de2980a7ca793604d15a5cbebbcd60cad41bf8ff4138d9085d650512dcc0edc0e418a22402e71bcdf6327ec95e941be1d53c3b9818254be5b6c34918

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
03584501d25c0c004917b20ea80b525f

SHA1
63909c63cf1e68c47f4b9dd7b83de3d129040645

SHA256
c48099766789999c5f2e2735df77e8c47e25c457815917250c43e13914b9b94b

SHA512
9619d6cb52c87ab0d2f5b97b384868a527870f1b507f00ae44bc90a36ac05aa19b36a4bb601c56d7192bc0a80347b5ab10cde92c40e1ba3e1aa58ce1a9be47c0

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
0d816ab3e8c8ceba4bb889e5577ba5b5

SHA1
d40cccd2e93fede359e63bcaac0e39983c146256

SHA256
45f6abcb4bdda62b3d6e9c9b525d8c8c45b854c818b35aab1aa07b3fa2f74040

SHA512
5554f6982b91f960c63995a0272677d77ad485bf8567758fea832b944b3e893270ed16c48d11d1d55294ae5999cfe5535e6fe71df597dd454674e9f03729a2aa

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
06ea2edb8cb6332bfffebca3d51f8e62

SHA1
af784f3b20a29779e85a53d3da5af95c0403496a

SHA256
6500787e104efc66f733cbf9a22fce724cc8497edb32a6759be458c13b6b3afb

SHA512
c02913d2a75e3def10c11db745787b1cfb8b2b7392a16b24fcde151c2a69b756a27ec4bc7ec5fd12d4da4da90533e5d7ef1a495057f9b6254f39fbffac020f6a

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
3f0d68276cfce223f71a23a0e9c037a6

SHA1
2108c00c4422b099ff49fc575f238041ec6abe7c

SHA256
665b17c9e39970a432d5d0122bd2163f741d82b4dca48fe787c40f3984cc79ae

SHA512
e6bfc97f4919509b762452eb37b5e9db4c00b2d2192aca0463dc4fe7b48043c16d8812de7ec55a409885b2a70c9b89ea78c859e9e735a89ee455641a6adf510e

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
abe3d33f642a382d9cb2384b31b03802

SHA1
e9fc1174afbb7b6697d86e3296f5f47d5d3860b1

SHA256
e9b9706d29ed194a60e386017780a1c346fc7df2d90c56961f0f9cea907dc601

SHA512
13379b6407e22076c0500c6a524d74a919af80112f14d526ef4b749ce6b51a132753ee554d20a7f75694cc3b21e9712d6aec40dcceec02f1df6521a6663c21c4

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
2a244222dac2ab7e2f882020db3f01e0

SHA1
b1167197ea7896524bfa86b552cd622da5b9b9a4

SHA256
0b0af88b08ff5cf2a567eecd5b672fc4b5b9326bcd3aa76638753474a6c1af12

SHA512
90ce47b77b0fe9e79dbd2f2e64472fc2da35361b215b79d22a4164d3ffe964e059256910eada44358c8955988936825443ada95975f535be6cfc3f23356eca20

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
5b5a36cef240bcc592f51f08390987f9

SHA1
95e30fd6c14a8a88e55ae5d225f9ceeb44908588

SHA256
d23fa95677ea0a16c6ee890fbca686c5428ce2347a027ff269639810fbfffa44

SHA512
826f2f4ea59bc6d9073c858f62855e159adccc6f40c4160089b6dd5f56eb5ee60afe2bff02eba719800d54705969ce6dfdd4582d33b74b2372f91e0a832c1a2e

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
257036a0fb3d2768f2801e5d32b9ce30

SHA1
0634d123cc54fe889f179f59136e47357ff7f7d3

SHA256
fe6257986f35787b1ef9628e36a811d3484fff46899b61381086da82e363c462

SHA512
381a451ab3b3c97eb3546554811f0784e5341a7f668b9ceb41dc077d34ebd26fbb29b2e0ab21b2a52b8637b3998943c14ce60380b8525378d37ccdceb0f0e5a1

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
95b63a012bffa571eef36c165feebccd

SHA1
dfe44e43c3c74ab5031329730b9b27137451324e

SHA256
166702f813300bef3b580afb405c4f9dea6542f6a230942ea7acfd829b0cddf2

SHA512
b59c7df738518dfa903784675a0474cc7b6e32dba685d9f25e1c4f48ab1109d2955d2538bb57f5e67d7d18fcb907e278f5114a968a5b4ab9c49a169c2058cfbc

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
7cdc8e866defe014a17b397b2947a772

SHA1
ff14d2aac372ef27efcd52fa8c2c82235f0edba1

SHA256
7dd2ab395a55d92ba1bd7b13459edb52fdbc3d52b6d6f903e230291b7bfe4a25

SHA512
f7e61cb89e63fe7775d538f8fad00d33e547bd1e8bc5651957a6b127da432a3185b571e571d99bf5e11940ce6b4fd040eb1b486ed88660f420607bc5a80a672e

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
e979cf5b0a152956a0453e0f2ae2f749

SHA1
ac555a1af30c787ef1d22a9d6ac3da9669daad72

SHA256
e1eef17ee27d76265cc064a18f6e2dab1ff85f858934c4abc7490670c72728da

SHA512
c622c22b42a27c6b0cceff909bc1106566d81a27d3d9a565f34b225a79e37bcaf26f483a40f4967a9bebc71461ce919446ed970c6226f1a179b7114b22a48457

Download Submit
\??\pipe\crashpad_1576_ZBYTSSHCTLZHXKIV
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/752-284-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/908-277-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/908-606-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1016-276-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1076-537-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1076-20-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1076-11-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1076-17-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1784-286-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2148-116-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2356-97-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2356-102-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2356-87-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/2516-278-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2540-274-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2884-715-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2884-287-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3232-95-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3232-73-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3232-375-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3232-67-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3440-273-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3468-218-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3656-53-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3656-52-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3656-44-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3928-279-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4028-565-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4028-38-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4028-39-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4028-30-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4300-283-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4356-106-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4356-62-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4356-56-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4356-64-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4444-285-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4444-714-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4628-288-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4628-716-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4956-280-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4984-275-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4988-77-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4988-83-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4988-697-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4988-96-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5004-21-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/5004-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/5004-26-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/5004-0-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/5004-6-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/5376-574-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5376-722-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5784-597-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5784-547-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5880-548-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5880-717-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5988-553-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5988-586-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download