6cc2f67b8afacba9e397cca9d6a6e99589e8a9a589ee37fa9a1f3413a9437b93

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 16:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
Size

5.5MB
MD5

d8d020d54197b7270aaed6a78ca0b60c
SHA1

ea5d6c5dcbe5c0df37f05137e3fd5fdf39af8532
SHA256

6cc2f67b8afacba9e397cca9d6a6e99589e8a9a589ee37fa9a1f3413a9437b93
SHA512

f163e0cd62f21fe180842c297ca22e0b57e7fc6653497f64a786fc0038cec4d46e7f01069a9d967b29e12c7d9ba6c3ab87de5deb5e6420604f120587fa55f7c4
SSDEEP

49152:OEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGf+:UAI5pAdVJn9tbnR1VgBVmGOkf

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
904	alg.exe
4180	DiagnosticsHub.StandardCollector.Service.exe
2160	fxssvc.exe
3484	elevation_service.exe
2404	elevation_service.exe
4976	maintenanceservice.exe
2444	msdtc.exe
3744	OSE.EXE
3660	PerceptionSimulationService.exe
4184	perfhost.exe
4548	locator.exe
3984	SensorDataService.exe
1000	snmptrap.exe
3684	spectrum.exe
1336	ssh-agent.exe
2424	TieringEngineService.exe
3048	AgentService.exe
2060	vds.exe
388	vssvc.exe
5012	wbengine.exe
4492	WmiApSrv.exe
1184	SearchIndexer.exe
5628	chrmstp.exe
5712	chrmstp.exe
5832	chrmstp.exe
5896	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe

description	ioc	process
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\df2de5bac8648821.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{14DF0EF0-439C-4CF1-9E8A-D1E954BF645B}\chrome_installer.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exechrome.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133610432764962790"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000f04ae13fbadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006618c113fbadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bace3613fbadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000adc7d113fbadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000992ad413fbadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000098bf8b14fbadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000e34fb12fbadda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007da1ab13fbadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

chrome.exe2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exeDiagnosticsHub.StandardCollector.Service.exechrome.exe

pid	process
4288	chrome.exe
4288	chrome.exe
2340	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
2340	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
2340	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
2340	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
2340	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
2340	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
2340	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
2340	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
2340	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
2340	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
2340	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
2340	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
2340	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
2340	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
2340	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
2340	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
2340	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
2340	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
2340	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
2340	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
2340	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
2340	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
2340	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
2340	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
2340	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
2340	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
2340	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
2340	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
2340	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
2340	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
2340	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
2340	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
2340	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
2340	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
2340	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
4288	chrome.exe
4288	chrome.exe
4180	DiagnosticsHub.StandardCollector.Service.exe
4180	DiagnosticsHub.StandardCollector.Service.exe
4180	DiagnosticsHub.StandardCollector.Service.exe
4180	DiagnosticsHub.StandardCollector.Service.exe
4180	DiagnosticsHub.StandardCollector.Service.exe
4180	DiagnosticsHub.StandardCollector.Service.exe
4180	DiagnosticsHub.StandardCollector.Service.exe
4640	chrome.exe
4640	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

4288 chrome.exe
4288 chrome.exe
4288 chrome.exe

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exechrome.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2552	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
Token: SeAuditPrivilege	2160	fxssvc.exe
Token: SeRestorePrivilege	2424	TieringEngineService.exe
Token: SeManageVolumePrivilege	2424	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3048	AgentService.exe
Token: SeBackupPrivilege	388	vssvc.exe
Token: SeRestorePrivilege	388	vssvc.exe
Token: SeAuditPrivilege	388	vssvc.exe
Token: SeBackupPrivilege	5012	wbengine.exe
Token: SeRestorePrivilege	5012	wbengine.exe
Token: SeSecurityPrivilege	5012	wbengine.exe
Token: 33	1184	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeShutdownPrivilege	4288	chrome.exe
Token: SeCreatePagefilePrivilege	4288	chrome.exe
Token: SeShutdownPrivilege	4288	chrome.exe
Token: SeCreatePagefilePrivilege	4288	chrome.exe
Token: SeShutdownPrivilege	4288	chrome.exe
Token: SeCreatePagefilePrivilege	4288	chrome.exe
Token: SeShutdownPrivilege	4288	chrome.exe
Token: SeCreatePagefilePrivilege	4288	chrome.exe
Token: SeShutdownPrivilege	4288	chrome.exe
Token: SeCreatePagefilePrivilege	4288	chrome.exe
Token: SeShutdownPrivilege	4288	chrome.exe
Token: SeCreatePagefilePrivilege	4288	chrome.exe
Token: SeShutdownPrivilege	4288	chrome.exe
Token: SeCreatePagefilePrivilege	4288	chrome.exe
Token: SeShutdownPrivilege	4288	chrome.exe
Token: SeCreatePagefilePrivilege	4288	chrome.exe
Token: SeShutdownPrivilege	4288	chrome.exe
Token: SeCreatePagefilePrivilege	4288	chrome.exe
Token: SeShutdownPrivilege	4288	chrome.exe
Token: SeCreatePagefilePrivilege	4288	chrome.exe
Token: SeShutdownPrivilege	4288	chrome.exe
Token: SeCreatePagefilePrivilege	4288	chrome.exe
Token: SeShutdownPrivilege	4288	chrome.exe
Token: SeCreatePagefilePrivilege	4288	chrome.exe
Token: SeShutdownPrivilege	4288	chrome.exe
Token: SeCreatePagefilePrivilege	4288	chrome.exe
Token: SeShutdownPrivilege	4288	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

4288 chrome.exe
4288 chrome.exe
4288 chrome.exe
5832 chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exechrome.exe

description	pid	process	target process
PID 2552 wrote to memory of 2340	2552	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
PID 2552 wrote to memory of 2340	2552	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
PID 2552 wrote to memory of 4288	2552	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe	chrome.exe
PID 2552 wrote to memory of 4288	2552	2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe	chrome.exe
PID 4288 wrote to memory of 976	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 976	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 3780	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 3780	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 3780	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 3780	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 3780	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 3780	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 3780	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 3780	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 3780	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 3780	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 3780	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 3780	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 3780	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 3780	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 3780	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 3780	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 3780	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 3780	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 3780	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 3780	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 3780	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 3780	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 3780	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 3780	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 3780	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 3780	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 3780	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 3780	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 3780	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 3780	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 3780	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 1808	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 1808	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 4532	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 4532	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 4532	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 4532	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 4532	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 4532	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 4532	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 4532	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 4532	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 4532	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 4532	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 4532	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 4532	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 4532	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 4532	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 4532	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 4532	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 4532	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 4532	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 4532	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 4532	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 4532	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 4532	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 4532	4288	chrome.exe	chrome.exe
PID 4288 wrote to memory of 4532	4288	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2552

C:\Users\Admin\AppData\Local\Temp\2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_d8d020d54197b7270aaed6a78ca0b60c_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d8,0x2dc,0x2e8,0x26c,0x2ec,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff99039ab58,0x7ff99039ab68,0x7ff99039ab78
3⤵
PID:976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=1920,i,12218739951471877098,1918353725825274349,131072 /prefetch:2
3⤵
PID:3780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 --field-trial-handle=1920,i,12218739951471877098,1918353725825274349,131072 /prefetch:8
3⤵
PID:1808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2140 --field-trial-handle=1920,i,12218739951471877098,1918353725825274349,131072 /prefetch:8
3⤵
PID:4532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3024 --field-trial-handle=1920,i,12218739951471877098,1918353725825274349,131072 /prefetch:1
3⤵
PID:1236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3032 --field-trial-handle=1920,i,12218739951471877098,1918353725825274349,131072 /prefetch:1
3⤵
PID:1220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4236 --field-trial-handle=1920,i,12218739951471877098,1918353725825274349,131072 /prefetch:1
3⤵
PID:4892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3012 --field-trial-handle=1920,i,12218739951471877098,1918353725825274349,131072 /prefetch:8
3⤵
PID:4300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4448 --field-trial-handle=1920,i,12218739951471877098,1918353725825274349,131072 /prefetch:8
3⤵
PID:1892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4796 --field-trial-handle=1920,i,12218739951471877098,1918353725825274349,131072 /prefetch:8
3⤵
PID:5284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4152 --field-trial-handle=1920,i,12218739951471877098,1918353725825274349,131072 /prefetch:8
3⤵
PID:5496

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:5628

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x26c,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
4⤵
- Executes dropped EXE
PID:5712

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5832

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
5⤵
- Executes dropped EXE
PID:5896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4828 --field-trial-handle=1920,i,12218739951471877098,1918353725825274349,131072 /prefetch:8
3⤵
PID:5984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4948 --field-trial-handle=1920,i,12218739951471877098,1918353725825274349,131072 /prefetch:8
3⤵
PID:5512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 --field-trial-handle=1920,i,12218739951471877098,1918353725825274349,131072 /prefetch:8
3⤵
PID:5204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5044 --field-trial-handle=1920,i,12218739951471877098,1918353725825274349,131072 /prefetch:8
3⤵
PID:6024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4416 --field-trial-handle=1920,i,12218739951471877098,1918353725825274349,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4640

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:904

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4180

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:740

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2160

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3484

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2404

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4976

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2444

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3744

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3660

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4184

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4548

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3984

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1000

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3684

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:532

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2424

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3048

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2060

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:388

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5012

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4492

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1184

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3244

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:5432

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
553b9f4650197945e6d9580239da52f0

SHA1
1d5dfa8881204820df78ecb1a46365f629a67313

SHA256
f7669609a6851723b6766a22d87833c9048a1d1870d994e7eb7a530006120120

SHA512
72cb29a6235cf2f4ff349c7b79b273c94d1b1222a430a332f8c223651330037a360a1330994253113610a97457a86adfd829f0f8bc82f3df10e33f16d2a28084

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
e9b53f12b4b42c6664dec391f27bc92a

SHA1
1577eff5b9db251ff1195bb33c0e37dc1d499f94

SHA256
ed063acfc720a9a57e5210e5ca02f3a5c19d0df62aba54a2a7aadb2058011358

SHA512
f4a69b4d7535967780ae22f6e40a73eb6b5ef142a27c1ba65c13685d488ca49361f18780a3853e7d33d41f5419e75ebd64a651e4d3448575a27499ac3016ad07

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
e2a7b556d2c97688bdd7350fe298ffbd

SHA1
3784eff4b397f2f69a0a3cb2f2e8360adedfc3a6

SHA256
abddf7051b48fd60118369c10f5632885525faccea3d51302a5ef8af72c2a33c

SHA512
5a2a5e7a174bea6f78abe7b571922de2af2864391f926df742f902b1a185fc22040c59a04a8fcf2c7b1710d66082b864ee050630d1563511cdfaa45aeccdd9b5

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
0852dc69b73a659c07ea77c8c5a00935

SHA1
385666b067f4d915a9449c915a7056672c1a39a7

SHA256
d911794e033c5bf0c2419cc196713a8468a4d0ade97ed43b09199846d09ccc7c

SHA512
2fe76669458ec670dc7cc966df57125b26cb2649862157f759dcf213c193b99ca29c7f721a001b3bb4f3c8a07a498079bb77057ffcbcf606ebac79ae2261e98d

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
8dda6a8e6f2e46a5368c69d38c4fb4c9

SHA1
de3a7ea1a60e2158d67918c14875d2938ad846ee

SHA256
38cd60808408e12abd66f6147e41c8041dc8dfd8e21c4690a3e965128f36c918

SHA512
2556c2abcd4d3d299a4c9fafffff16e4f567efb53276e08146bbf2bcca6d4679da1b53641b56c48745501b02273eee67ed1bc98711310e6d19f6b84f252479ee

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
92bd247e68a46d96d3e3ea1991fb1489

SHA1
2173a44fd1dca5ed8fd138f2266c2ad2146abb29

SHA256
c43fab3fa9cd31cbd47067c21f6654abfc13f318061cdaacc120c4090b213cec

SHA512
e8d6422a155fa91755ea1fa258d2d61ee030429c13c849cded88575f99671cf79480a85e07ae79ecd4e0cdb97b15b5bf1f04e4bf32b383d1b53be762b024fe9b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
8584f6d34103aa99d3d9166b9fba91e5

SHA1
c68f22441a969eae8a76493589c6e66f63fe5589

SHA256
df5761a1d2271cbc34e5000248642af10a2399f7a146a0c20464a79d58460d7a

SHA512
aeaf586b862d00d0601c6842005a938b5658b2beefbc52d424ebaf80e7348aa519578f6922a996089005ad6406d2ed26e1e5d649920811864cbaae5bf2b3e6f9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
eac01bf47440a87fe04306ee2399aa2a

SHA1
2ae2d9cb9f1d24f5a0e8b5a54896ca76c15f501c

SHA256
1d41839d54049cb7bc18b49cb56e67cfe8d77ed96f67675af10647c3eaf094d5

SHA512
aacaca7b0ad1a5d6b43f7f0609bb2a03179733de6763f82c8016d37674f4f853c51321a8303cb0665dea0116f84e3229b5989cc0b0da8a1c382490832b175816

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
1da5ef407e5c295b14e813605121dc5b

SHA1
3000926b3d927d94e620a3d042d9765c0f3b58c3

SHA256
383ec0bfde10ccc9435e2519d3251ceed561bfc7446f106bca69dd99a6a7d3db

SHA512
66a8accbb78bf8f770e98e0e882ab547bce754e4a444b708260800a3fa57bc4f0391f1985ceb864990157521a4fea98f2dfb8856398d2ae0a7ec52141fe760d4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
4ff63b6aa450f81c3877f4bc4460f1d1

SHA1
7ca8e4b42348f0c649ccbe787d859ff84014e8cc

SHA256
7c642087fe269628b12931a541bd6f5a0c3ff75109ae04b582eacbdb22a50485

SHA512
685b4320ec24a84b371edc3f0501b402b03e2c34c56f44fea719b327011a7dbbdcd28aafe8135a7d6290d0ddfab23387ec4e67e52cc901970112fa282caf067c

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
38e723a06eb71ed2017f479b76d9f66f

SHA1
a536ba390e85ab08070fbd795d5c7552af74270a

SHA256
270114642a2d25e1ff28eb82f6dc703f9cd26fc71e50d57a8b0bcf4763f77c4c

SHA512
c9889583be5ced7d720b363031aead6a5e87f3ea5ba651cefb6ec47c2f964d5e01904d434fc1f2d816ef7310b7965bf0152fd149074e916bcdd5b20cd10d34d2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
397d7a713f9437e3e27027f8b93fc678

SHA1
04728eacbb8659441e178d13bd73b12459efef05

SHA256
11f01ea54875fe0b9b1e2b82f9eb8855ace812300c56242419354943b6ca60a6

SHA512
2a7ff87f951f74318965800d67ffd8aa46e4ac79b5eb53c19fd058fb3a0dbcbe063af7f0a8f4a549ce028bab9b58b91a5601b372e551ae28a7224531fcb8dff7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
9534e8a5bd45424cfc62860b8e1bc5fd

SHA1
6494e8abac22b185c3bbc22793ad2d8a9fc38135

SHA256
4672da46aecae8a291d3188837f69eebee2f87a481e369ec8b5da73df5b205cc

SHA512
09a7ab922c3bc343432a2d2fe055eab5ab2ada6264f119adbf5d75bbe4900e49eb1b23a75b42aca1124379d02619845b8af04427ebc71ac255a5d3bec2467543

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\a437d0bc-222f-4ad1-ace5-348361a067bb.tmp
Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
e363d50ffe1929161eab5f28d3efa58b

SHA1
2ef7f66080e45e8ca04235a22ceb52a637db8fd6

SHA256
536d878ef78d2cb37049d2493f7d3991d3e87dff1e6b416814e1559604d3670b

SHA512
95988bdafd15378c4666ec918173cd9a2450772b5b7490154c7389cd35fc16f98be0593671049434d13d086bf5c9ab01feb0452a10f22c459a1b4a560fc1a531

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
89f55681cd116518c116754e0407b2c8

SHA1
f5d4aeb85e94ba181091d6a1ebca93915919c9c6

SHA256
f36101d056932eba1217b54d3ee1c54e0c6c4120087bf1e1e0781625d2be6fc9

SHA512
8db0dc249a77703508e63c8314af4bddcf54ac4f887b26409f743b344b94f9afe762d266cbac8b8097ffb28870d40841c7f64ed60acd087dbc1768db15b1c0cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
46632a371ab439eec1ef11ac9ed554f2

SHA1
914766e1aa9d1d802a1ccf0bd2de17e6a67bc747

SHA256
e3b37b639a6502a1f052a21fb1a8956c609d5109a0f84b601a21a0b469c6010a

SHA512
e9cf8f12bae0c868705cc9067a94117db057c26eafe1706e1bc9dd4e385b044c6b7248a4e475dad60ab23517491a21307bbd00004e529fee3f75b6f937d219a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
354B

MD5
57937fc36d6fe806b1080255ed240ba2

SHA1
f81c0271d99629140725ec039b8599e07c8703df

SHA256
8ff4d49c15810653682d4e3ab0e15f0b627ec59d76c5e117ea634e1ac8ea4434

SHA512
38367fd913f2da3fe58564fcf3885aac2186738715a3825e88edc749d3b1d6108de4c09f4100d4ef8e91cd49fce80bcbf3871c5676843f59a810daae34611267

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
4b106b9bbcefce6c867a16c81ddcc2cf

SHA1
0fb7e8effb9099fe345a860b41e282816349b0c1

SHA256
fd9da0563c6c972c2a48dc8d969b6aeefd6bc4bf02a9884c9bd283d028af0fd9

SHA512
6d839e06e6850283969e2005586bd97ee1619601a95194ab9593de1be3cbe23e8630412f9160cc760646a60e29b2f96323d02ca72acf1f2ac14533b6980a01df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe578424.TMP
Filesize
2KB

MD5
8e5632bb5baca5f24f88c9e2a8eb2b6d

SHA1
71f7dee86640b602595b40c6a65d7ed4498cf00d

SHA256
88575950e262396bd009db3c75b18b3a1cd44b7b869b90f9b2c961ce9b74c1ad

SHA512
def476d83ba944f2fe83839108072677672a230218192751dd5e37305d42816e2db59b6f368fe8d3ca8848542ac3e3732dea3a58187c1e14f372ff2f721dffcc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
a17d4712cdd884b2d6a128b909b4ffcc

SHA1
8876f7c0f8c93301b086e9466ffa6e9926331284

SHA256
dda25a6bbc091635c60d0112ea4266ebf3c98517ca0bbeeb63f85e057591b5a0

SHA512
1eae4554bf7a58b1fb1ec0a53467e97b14a30f6024601339fa4e65058fbd5e5184d689740f6e86975aa165a547aaf5f7cf52df8fb0af42102f458c0ca2c23b14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
262KB

MD5
43ea62b9abe88a10a3c8c6af0f74e3bc

SHA1
f5a4406597756d42bdd13182b937d6a3bad30103

SHA256
c39a1bd10bd35f0c91eefc4d299fd9cb12ffaa30c6c488c72633b87590f08329

SHA512
186482ccbeb54e5a6685360d908225fd3f223813ab513ddc6fe7d2caafb3746794ff5e11c422bcde59a5f5b5e4daf7b2d3f28bc64a480fe27e46cb89323848d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
257KB

MD5
1486b4724b3cee7debfae34c3fdba968

SHA1
e8a9295617fed86a79ee3d145ca51eebbde3feb7

SHA256
05dda7e2a79fa722bd14206dc6e2e15960f2278c120099119d6b7d4be97d6f58

SHA512
907a7336533b7225d77a40e02718a0890be250ccad474d9919ef746b3dccc9354075f1043e8e71dd5aa06ee194f65b3c47cc6a608a0dc2d5c8c2536f52421a6a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
262KB

MD5
1bf4cff69dce7bb0670cf72eabab3bb3

SHA1
a4af9e2d54e09728bef90b48b5cb4bbe7594c462

SHA256
309f8be8001a7f8f73ab4ffc2d7315ff7d95111ba21fd73513eb48e80f6e2629

SHA512
875942ee8fde6bd43970be090180da0e49603cb77e8e7bd7ffb9b9a1cd8cbaee0dd077fbf100e777565478f8e7f6612a8f05c3c722646091152178cdb34c1714

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
282KB

MD5
127de835c6f1665dd107cc87f1d8c6ee

SHA1
e8fe539f0dcbe6a9a14fbcaaab1ee96b3328bf3c

SHA256
65c6e5852db6e031b8c34f6251609922d9fe0380be54148b47fde88adacef25a

SHA512
5e0d10cce962b70e595bfbd8cb124de55c3a597c71c3e3f4268ebdcf3b053d2e1c85d859267053b64e7838d149e4bb79e28f4ea6603bc7a3da2f66f02e8f27ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
91KB

MD5
61f3fd414e491a5691cc2506a9e382c1

SHA1
2503ca917bec85235177b644b22a2f85878ebc41

SHA256
151483e464c2d7f7df81861e917c3efdca7d4bf1db1dff92068dc37ac0f52d6f

SHA512
f783ed5c6f49ed709bad9dc9bfd2c3466e369abd722407c3dd53c9ec8bc681cbb77986d7837abf9d635ae6b21d2f23a3b51d06d65e5a823a2d5eb7eb706ca620

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57f992.TMP
Filesize
88KB

MD5
af552c2614ca3e672c5cfc2ed58fe750

SHA1
7f6bf6252f4907033b2670b2ab0d48612f666f9d

SHA256
15431e20def644a0a42be83cc0674682481ee33467dba95f73f7474d8230dd0f

SHA512
a8672d0fd0fe19f564d51bece4f089c5d4805a02f915ac2251a77c937a51d5092f211d21f7b5cef1d0624d430d1df0ed946ad8fafeeeb070e6bd04c49313e42e

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
7KB

MD5
ea742bcfa135cafefbc9f5acb6291cb1

SHA1
578752a93eb0b17c477f58ad25357059c3a8ce43

SHA256
97011b415f13f440f3409e1fcb57c3284b399c95336ff66d6170ea4d56c84ace

SHA512
e824082d142845616bdd6b113a93a40082c7be088bd630936f45cb0669182d75a4f31f931d70d1dbbd6da195986daa4400232b69aa4fcea1b03b773641fe78ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
8KB

MD5
1869087f865f38058916f4b8348b87de

SHA1
f0644bdf945f29a6752b7721e435ffc336e438ef

SHA256
a6f51eee03ef1d562deba76c22158ab4fa4f12a1a3a9484183af73fa3ea3cdb6

SHA512
7a63a82aad1a1eb7806149c06049791ba031a4b3fedb21376b3f1d9ddf957b68ca237fe001bc3c7a4497ec232df2afca8824c067f38136667c442646e8967e58

Download Submit
C:\Users\Admin\AppData\Roaming\df2de5bac8648821.bin
Filesize
12KB

MD5
1a3b76e83123d4890c8f8a15457939b1

SHA1
a8b349ad17ede03be00520a645f3728e2c09edc7

SHA256
c4bf25e0cf85019e1fa3ef3ca86a6a9f4669ca0634221bde2225fed2529d746a

SHA512
504c7cf2ac55b85035e3c344cc41ba47f2154e5cab8651450b1bdc09473c70f88cc42ddaf36c2bd6a0af6c502ea9b6f15333340e057fd57ceabad262e7832e00

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
eb637aa9469d8cbf72732d42ab8877a4

SHA1
2f41fd8619f50a0614044de0f88665d8d7b47dce

SHA256
0d3cdb0a5b04557cfaf13d1484707bbb5a7b6757fda7c948336ded9ba0affeb7

SHA512
62cc28c9932ccfae6b302c952bd03d443ee927e7fcb508eac5d52be962c9b80fda8bb9c74935ccd04d3b77ba05d2f4379efc6c25d5d4091fed178b148c00f291

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
18a7e881510ecdbba2e29c473a588242

SHA1
93227d8e1b0db4a1dfc99c2480b572ea6c06f65a

SHA256
9e74acd178f42999446cb51361bd7ada8fc55ab8400b5c796bc13aedc655b64c

SHA512
e1c92ddb3eb251df3a325b5e4795209d78e0df3277e9a607fb4f4f339dd7755c2125862f74db2320d7a5ac6cc11d0b3806e07fbc5783f12627c370eb05e67ef3

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
4697dc905b18e67e2abeaa077055daf6

SHA1
34db033e4596e3a798071397ea64c24c46fa0d7e

SHA256
d83a24aa97e307fc80ea6f6416ee9602cc4ae51fdfc0e75d8e71d0c4ea81127f

SHA512
eac4452c2ddc6ab4870b23e6c3ab9a88290ff69702358a0706ec42f55af23bfb8286d322d414f6963cb726ac10c4ec3bee6009c36222ff233ed8162cc02ed9b5

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
171c36ebcd3b2204c4dcb6642353548b

SHA1
67f76898afd2035fa423c365af0ff7870f72a393

SHA256
7e574c6301998d6204023f040811c4daaf4a5530486bf04f1798783bf331d798

SHA512
7dae7e7382b01688c0da5dfc247c32c1015a697b9fe57aae75ddebbae8001e71965dd0a2a6afc1d03df1f3fd149a6dc6faf66e77be37fb9c4b10ffa1d56bcf43

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
7792f03c7bb1ab8625b800f2abf9456e

SHA1
aa0bb4438bbabefac592ccfa4f4928ad349cc864

SHA256
17cd27dd236a90f606bb33847414394973dd2e3338dfce1bf68c0eb1843cbcd5

SHA512
1e1e5c56027f602c2ee912f8f56209d1e34ffe868109275b394199b870f05002d6e2b91c1539164917eb5c76592052b22002c55877e3abf5dfc03a1f996e1d9e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
e5750533efd97f465746b65b43aa4ae3

SHA1
e471e92079091fa2704859268aba4677c3432209

SHA256
c470e3603cfcd9ce78081ec35bef4d3894e4cc023e598af2ce90369abcca5315

SHA512
111b7dad88f30510faccd39f50086e00a91710aaf43a703f5fc809cb576efd00fb3fff272f1b112b991aefe47cf01fb2431930a7ed3e1b26690e8c457bbbcfef

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
86d304792c60878976decfa9775b1211

SHA1
a5d0ad75c7125b9ad4ef9fc3753c984356950af5

SHA256
6d7160738c643ebda413be56863cd8e80b34d161899072c6d899ae55fbb29b24

SHA512
1d65ae3cae307b532f9c98b6820d370b786b321d203480f295a894d24f8f732d6278fbb0480ca7eb5d4342217c312fefd96b93e8016f2d6b597ab52534b4cb18

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
7d150f1e2128443a0b2c8c213d03892e

SHA1
8d2b5129e14b0951cfa6d343cd95db9481524e31

SHA256
1bb8495a232078ec9aa4a265b7b6cbdb68138adc77d1dec39beb385e8b1f9bfc

SHA512
3d56ef974073af194ba6286f23e6c50e86b5beb9b35e5617e5d3aba89e43895d8d4938dcf164634d41d271ce56b698538bb7bf318bacf6e06938173e033d6b9b

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
7d2899e26b4a5b70036b7b4b2562e0ce

SHA1
0046cb35c607bf5995c02b4eaff209951942ee1f

SHA256
7d16969e80675b8d17bc8ced5fd4b47021562a3c2ffb84495d8108aeee259db3

SHA512
10c2b9b238405f17d49d96979a4b4b3a32612f7ebc0f15494d761540ca3310d1d11e60de1adf370154786c24617942a458166a5bd887624138e996ccfcd1db83

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
143d0598ba35f8b645dee2bf6f87f479

SHA1
619f8af0179e25e57da2c25b50481befe200dd89

SHA256
76c462720fb7fb13b55acbed39f0af9db1bfc24d7869aea0eb6cd9be14062616

SHA512
1fcab6548ef9193eb09cc7780ed51a9da460b7609c45df9d92503232ee136df724a23e480174116ec1ecee4ecdb79576006fbe640ed3c29f47b3bedc27631260

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
8e6ca6319399050daaa886f614720a5b

SHA1
af52157e6cda85a8948b488369c33d639add5b23

SHA256
74eb867ab736fdb935fd14bc0c52f5cfda1cad0996678d7564053089e358cde8

SHA512
fc24f33f088ed17539a7960611a87e4bfbcbdfefbbe61abe2be4d976c389ff2ac4dfc2ec663d5d0e705a52cb24db1e7c7b616beaac61d167475f6e0fb880deb5

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
f9813ee4425205ed8ad859e1be9b48da

SHA1
9e001a13bcfd7deada15f7cd49396a61d996109d

SHA256
99a7c50babaa0bc3a4bfd67f81df6e94c2111ef797f7cc0a248a9d944828c67b

SHA512
ec3b0856011cd6f7cf9aac6ffea299d612c3da201a21ef94c3c57990e4dcb829d51132b27df0e63480085641a31b593441cd40fe0d4c2ad616cdde07537a1b69

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
51cd0c46d716f4fd1680a8b25427bcd2

SHA1
65be357075ad37954d4ea0c953acd0c8328b6566

SHA256
2e6656208b266415b88176e348781407ccd2f83186c707f00161fa8d7ad8a571

SHA512
64db4d29f3bfb4237bf33fe7fd04810dd1886f4b88e3f4a50a1104e51c88d66d52b6296422dcd5fdbc61c2965818ccd40e6d4686af49eed120638dc955ef30c9

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
b1493c27fd82e4f22d512eb182119095

SHA1
07ed70375bc46a471ed661a1179f9d4dc293fc49

SHA256
422c723d91df56eedac7627393f2f97a249599390d9e96bf1c2ca2c14568545e

SHA512
7cfbeace6e588fc5d5a55d42b56c0a8a2737916b9457971f42ea8d59ef5af525225ca86f6ea436df5697d00d34d4e7db8ddfaea5a92f3c047bf435e68d4b3312

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
3c6f2cd5658365fbf6721e23c906b3db

SHA1
a6eeb60ee14d41c0700c1b537871f41e3d3942c4

SHA256
56ffd73de4c71681237b5156ff57329ea12f55df10e84e900a5e07b5c2241d0d

SHA512
21324332879f52970517a1a8d85c8f85e70fc9d0cb8702ab76bc9f98347ec8de02017291bb7b581f2f2f0d85f2d255c13f19bff87d366afe1724de16e806fc00

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
274293123085dc8c29eb3b382b288e21

SHA1
bc366cfbe9fb1a45d4e18e16edfe312e785ea5c2

SHA256
33333536895d944ed3f8311165f94de30ea80ad7cd6b1c05eca91fde2adfc128

SHA512
80edacb017c116c78297ed1c27a4efe762943dccefc546a0747c3e601aa14981ae1770118d2d60c08fa0b358728b519950576d7ef8835fb9ee280574483c9a19

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
c4907f5f9603d8e438564e640b97b613

SHA1
6b5bd45bcc6f24960e101b5b572ea19ae3104687

SHA256
ce2f1c54237dee4abe6d6db2785ad9078876c433851111e33993de3b7e934b91

SHA512
172830eff09570e3fcd8b97f7588d47bb83e6a19e14288e88099f14c6e03c69a4d97b5a9dd4470af1d348b874425ef30e28eab96eb3052df7fcce42c64ca67fe

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
aee6d80217d69214e61b5f2cbb3cde74

SHA1
d1702b8cf70c10e5971b01e6056072470ec88e8e

SHA256
2837fe2c22c88c0f11d352553368a544b8a0496316c16d6503cdd2513cc688b9

SHA512
46d29c0eca70a99694217b34e8a1f9dd2420572e7b8cb167a92f1ee015ca594cf79d0957eef8e9851a45a2cb608c08a0dd660ff053435cc37fab2c88e6b7ea28

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
63c24fafa38c1b0109d7b33c1be0d22e

SHA1
9b3ae6d17378fa094069f9aef62df034089e3083

SHA256
5928caa89b1d2b710b06e2032deeeb129c5844abc95bb506a96a2181663fdb20

SHA512
1387ef7a3e1e729ec2d22463f44463c5645c772a8336127bbbc7532923abb04b62bbfadf10c12c2f6b50d1ffb567ae4059efe192f3fc0ffdd90ff0cafaacb6b0

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
21071d5ed0e04197bf4c898ec76c62c3

SHA1
8a7bc3a184a3c6d60789aa902f1f57dbc7470293

SHA256
9ed5b8d5fa9e911d0cb896ffdc0417a6059af72b86a6e264092453fabadfbc65

SHA512
dd97aa0babbbab22897e1e23a4b1c23c7bd8ec3e9d4f794e38ec98cb4d8c2dc7797a5feca97b086de8d254e45c705281c61e136a3f7b056e37d8c171dd8f980c

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
5b8e97c06eba9a1e40b98dfb2a7d1c39

SHA1
1d11e4d2edbdbb0a3d5c304ce88e360a29873080

SHA256
f017d84abf26ae5c3e3288037d91223617b78fa9e2ca29775f0cc917b497a5af

SHA512
f2a10fa39a28ef2c546769cab8ef12e79ff6de68480e6d029d8238821ec2b839edda942c5e611816f25e6d0209b5209641e7b9f5df61987a559d7276c11833a9

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
59a171a2b7b69be6b25dc91414c87b94

SHA1
fae6d75f4b8917058ac80c56e88de804ce3e544c

SHA256
9a5561452d4fe91c60b09ec0ee2539bca5b3dd41f0047207144f251c137294c7

SHA512
470d0a8f0d41cc318bdf542ad72d0493e481b31952caf858125815fc8b884944723daa6f5e47b81b6257c0950741d13d11259ebe406c44f5cfa08f80ce4753a1

Download Submit
\??\pipe\crashpad_4288_AIQKYDADSCDVLEUG
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/388-218-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/904-30-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/904-684-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1000-210-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1184-687-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1184-221-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1336-212-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2060-214-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2160-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2340-677-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2340-12-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/2340-20-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2340-21-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/2404-201-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2404-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2404-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2404-685-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2424-213-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2444-203-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2552-31-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2552-27-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2552-9-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2552-0-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2552-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3048-151-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3484-202-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3484-56-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/3484-50-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/3484-373-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3660-101-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/3660-205-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3684-211-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3744-88-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/3744-94-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/3744-204-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3984-425-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3984-208-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4180-43-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4180-200-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4180-37-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4184-206-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4492-686-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4492-220-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4548-207-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4976-81-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/4976-77-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/4976-71-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/4976-83-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5012-219-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5628-495-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5628-438-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5712-448-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5712-688-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5832-484-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5832-462-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5896-464-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5896-693-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download