26d2bbc6149ad2f1980ede595224dbd2ee276c01d80699279c2408e40ee975dd

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
Size

5.5MB
MD5

26f2cbdda1169dd73434695cea478fd5
SHA1

6c8ac858152dc493f7f08498dd15b0a364785c31
SHA256

26d2bbc6149ad2f1980ede595224dbd2ee276c01d80699279c2408e40ee975dd
SHA512

8f2ee98a729af40dd0be7356950d104e16e7d427f7ca2e5433b0adb92294fceb72d9c04d00d8e37d747a7d109efc8bcfc2cc2b36fcb1c59ce9ed9e8178b3d3d8
SSDEEP

49152:VEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfk:JAI5pAdVJn9tbnR1VgBVmPTjYvH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
2724	alg.exe
1404	DiagnosticsHub.StandardCollector.Service.exe
4512	fxssvc.exe
4552	elevation_service.exe
752	elevation_service.exe
4988	maintenanceservice.exe
4884	msdtc.exe
2900	OSE.EXE
3620	PerceptionSimulationService.exe
4932	perfhost.exe
1576	locator.exe
2948	SensorDataService.exe
4476	snmptrap.exe
3716	spectrum.exe
4396	ssh-agent.exe
3352	TieringEngineService.exe
60	AgentService.exe
1080	vds.exe
2412	vssvc.exe
1276	wbengine.exe
4296	WmiApSrv.exe
2176	SearchIndexer.exe
5460	chrmstp.exe
5684	chrmstp.exe
5800	chrmstp.exe
5876	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exealg.exe2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\27dd3596c8648821.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exe2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exechrome.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004d776f4202aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000179f394102aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007abe534102aeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008944a44302aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000035974c4102aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000037d9714202aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133610463644960792"	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000088ae024102aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009ae4824302aeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000059a8874302aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

Processes:

chrome.exe2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exechrome.exe

pid	process
4528	chrome.exe
4528	chrome.exe
4004	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
4004	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
4004	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
4004	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
4004	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
4004	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
4004	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
4004	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
4004	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
4004	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
4004	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
4004	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
4004	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
4004	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
4004	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
4004	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
4004	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
4004	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
4004	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
4004	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
4004	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
4004	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
4004	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
4004	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
4004	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
4004	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
4004	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
4004	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
4004	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
4004	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
4004	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
4004	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
4004	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
4004	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
4004	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
4528	chrome.exe
4528	chrome.exe
2980	chrome.exe
2980	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

4528 chrome.exe
4528 chrome.exe
4528 chrome.exe

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exechrome.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2484	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
Token: SeTakeOwnershipPrivilege	4004	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
Token: SeAuditPrivilege	4512	fxssvc.exe
Token: SeRestorePrivilege	3352	TieringEngineService.exe
Token: SeManageVolumePrivilege	3352	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	60	AgentService.exe
Token: SeBackupPrivilege	2412	vssvc.exe
Token: SeRestorePrivilege	2412	vssvc.exe
Token: SeAuditPrivilege	2412	vssvc.exe
Token: SeBackupPrivilege	1276	wbengine.exe
Token: SeRestorePrivilege	1276	wbengine.exe
Token: SeSecurityPrivilege	1276	wbengine.exe
Token: 33	2176	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2176	SearchIndexer.exe
Token: SeShutdownPrivilege	4528	chrome.exe
Token: SeCreatePagefilePrivilege	4528	chrome.exe
Token: SeShutdownPrivilege	4528	chrome.exe
Token: SeCreatePagefilePrivilege	4528	chrome.exe
Token: SeShutdownPrivilege	4528	chrome.exe
Token: SeCreatePagefilePrivilege	4528	chrome.exe
Token: SeShutdownPrivilege	4528	chrome.exe
Token: SeCreatePagefilePrivilege	4528	chrome.exe
Token: SeShutdownPrivilege	4528	chrome.exe
Token: SeCreatePagefilePrivilege	4528	chrome.exe
Token: SeShutdownPrivilege	4528	chrome.exe
Token: SeCreatePagefilePrivilege	4528	chrome.exe
Token: SeShutdownPrivilege	4528	chrome.exe
Token: SeCreatePagefilePrivilege	4528	chrome.exe
Token: SeShutdownPrivilege	4528	chrome.exe
Token: SeCreatePagefilePrivilege	4528	chrome.exe
Token: SeShutdownPrivilege	4528	chrome.exe
Token: SeCreatePagefilePrivilege	4528	chrome.exe
Token: SeShutdownPrivilege	4528	chrome.exe
Token: SeCreatePagefilePrivilege	4528	chrome.exe
Token: SeShutdownPrivilege	4528	chrome.exe
Token: SeCreatePagefilePrivilege	4528	chrome.exe
Token: SeShutdownPrivilege	4528	chrome.exe
Token: SeCreatePagefilePrivilege	4528	chrome.exe
Token: SeShutdownPrivilege	4528	chrome.exe
Token: SeCreatePagefilePrivilege	4528	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

4528 chrome.exe
4528 chrome.exe
4528 chrome.exe
5800 chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exechrome.exe

description	pid	process	target process
PID 2484 wrote to memory of 4004	2484	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
PID 2484 wrote to memory of 4004	2484	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
PID 2484 wrote to memory of 4528	2484	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe	chrome.exe
PID 2484 wrote to memory of 4528	2484	2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe	chrome.exe
PID 4528 wrote to memory of 1992	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 1992	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 4028	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 4028	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 4028	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 4028	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 4028	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 4028	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 4028	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 4028	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 4028	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 4028	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 4028	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 4028	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 4028	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 4028	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 4028	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 4028	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 4028	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 4028	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 4028	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 4028	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 4028	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 4028	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 4028	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 4028	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 4028	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 4028	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 4028	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 4028	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 4028	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 4028	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 4028	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 2076	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 2076	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 3560	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 3560	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 3560	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 3560	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 3560	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 3560	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 3560	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 3560	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 3560	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 3560	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 3560	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 3560	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 3560	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 3560	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 3560	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 3560	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 3560	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 3560	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 3560	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 3560	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 3560	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 3560	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 3560	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 3560	4528	chrome.exe	chrome.exe
PID 4528 wrote to memory of 3560	4528	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2484

C:\Users\Admin\AppData\Local\Temp\2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_26f2cbdda1169dd73434695cea478fd5_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d0,0x2d4,0x2d8,0x2a4,0x2dc,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa0854ab58,0x7ffa0854ab68,0x7ffa0854ab78
3⤵
PID:1992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 --field-trial-handle=1920,i,15483584739519107130,16536662933943585667,131072 /prefetch:2
3⤵
PID:4028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1920,i,15483584739519107130,16536662933943585667,131072 /prefetch:8
3⤵
PID:2076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2212 --field-trial-handle=1920,i,15483584739519107130,16536662933943585667,131072 /prefetch:8
3⤵
PID:3560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3044 --field-trial-handle=1920,i,15483584739519107130,16536662933943585667,131072 /prefetch:1
3⤵
PID:3540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3052 --field-trial-handle=1920,i,15483584739519107130,16536662933943585667,131072 /prefetch:1
3⤵
PID:3632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4272 --field-trial-handle=1920,i,15483584739519107130,16536662933943585667,131072 /prefetch:1
3⤵
PID:3060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4436 --field-trial-handle=1920,i,15483584739519107130,16536662933943585667,131072 /prefetch:8
3⤵
PID:4796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4564 --field-trial-handle=1920,i,15483584739519107130,16536662933943585667,131072 /prefetch:8
3⤵
PID:4664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4828 --field-trial-handle=1920,i,15483584739519107130,16536662933943585667,131072 /prefetch:8
3⤵
PID:5176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4164 --field-trial-handle=1920,i,15483584739519107130,16536662933943585667,131072 /prefetch:8
3⤵
PID:5384

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:5460

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x26c,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
4⤵
- Executes dropped EXE
PID:5684

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5800

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
5⤵
- Executes dropped EXE
PID:5876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4668 --field-trial-handle=1920,i,15483584739519107130,16536662933943585667,131072 /prefetch:8
3⤵
PID:5584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4432 --field-trial-handle=1920,i,15483584739519107130,16536662933943585667,131072 /prefetch:8
3⤵
PID:6116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4668 --field-trial-handle=1920,i,15483584739519107130,16536662933943585667,131072 /prefetch:8
3⤵
PID:5820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4244 --field-trial-handle=1920,i,15483584739519107130,16536662933943585667,131072 /prefetch:8
3⤵
PID:4664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4640 --field-trial-handle=1920,i,15483584739519107130,16536662933943585667,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2980

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2724

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1404

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3468

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4512

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4552

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:752

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4988

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4884

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2900

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3620

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4932

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1576

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2948

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4476

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3716

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4396

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2628

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:60

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1080

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2412

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1276

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4296

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5220

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:5504

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
a26b36a3ab41e1598f7c823fd9beff20

SHA1
31581c43b05b1a2191a0b2dfd36556bb6a43947b

SHA256
018b6a338143325687ca5230ef8e72bbb933721c2a9fa9e418f46c585798838c

SHA512
50558ae4360b217609f2c5f92fa3be3f0d489886247ba74e32eb26f2913100abfe9535b90f77ca78a6b038b1b7fd20a01dc6ea05316c5bf3a6ff6b03cde45908

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
5a2e38c13a066fe22ec7a023e1b82063

SHA1
3d61aaddecf2979e048e91fa6ff9992dd600450b

SHA256
fe4ff4348e3f14656a9ef00878ce44205f1f9268d56b3a738d13a2e78d59d59d

SHA512
14023e44a1502bb45e41491fadcf989e0855e3a30fd5bbf4b647570478b97c8e616334a3ecc7b6a300c51b904db9593096028b31a2040522a82c9ecdf7ea1606

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
2c6be7cfd576b0c33dc82b15795a4bbe

SHA1
9169b4bbc3803ec03c27815447ade3480472a724

SHA256
79a1087d17a583699872124ec1d901f11a3bf82972441b5f3b76cf5e779b6b55

SHA512
0232672b73aeb1342b64aaf9c71395af413f5a2a0a961d510919f61e630d764e1c03881399b350bdb2706bbdc31897292b4d6e00f9a2f2f8baed477f8be00f47

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
ad5c3e662486814140e119d1bde318c4

SHA1
1a433d85cbba1d7d1dc3e1bc19abe54c87f6ff43

SHA256
f55d6d6228f749aa538fef681ad1b988ca34fc2836a1b9519325243743ca0c0a

SHA512
15a3bfc54c26ef081ceb32bbbbc7b4e8058513b0c7da4c87e46964024f8793991283f49fd42c4a9fd42cbc0a1c20ffaf942a9d740a5be14343fb4ec3357be773

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
289841ecd7fff1dd94010d87b76d8c38

SHA1
7ca08375c2464e6ce1289f350bda4ac6e8a43435

SHA256
2c85e220958001c38b9b8403b26f3ab3cdd9387750bfeb5b391b8430289461f4

SHA512
6fd1feecce38cd047b353ada576c290b53277a4d26f44c73dd768c4c639cce3af2dc9c31a03f9d66739d3206f4f4971dc61aa597ada3217de2184f02b0ba9221

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
fd50134c51408b8ed264394d909e78d9

SHA1
36fa10c812650e97d3309c0b0c92d669a1be0878

SHA256
10a1e8e40a57ed7da3f5efc14b190d5c53ca6dde5248c9a11ba919cff44bcc8b

SHA512
9a72a599cfe1cd223ce84f6e35148e66074018a6146ee182cfc0cc96a8e5c55b5767835504612b728eed7af83bba3cbcc67cfd59ab09cf03fe345795ef164676

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
b0c2fdc826f00bdd63b05d421b9c948c

SHA1
e91ef42e51c313e9b776117c7feb271b42943787

SHA256
81778159a0bfee2a74f556c2de96480c36b588f655567f58cd02603999de3251

SHA512
cf207d78b17fc87da88dac4c8af95eab92b3d61abcd504a503f5eaea7bff49231d02ed935893c0eae0604f6de43becb216c6d110e45d0f012704d192d44d06dd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
0f664cf35ea606e4068b9f897fe19749

SHA1
efe9d7d6334ff7157a627be123e1aa2ec4c650ff

SHA256
a3c4d7f97f24c9124206c2ebf219f7415b706203c2e66aee60456380abe55a44

SHA512
c2fe35ef8958c1d88fc716f28d36b76472f7752e73ab60cb10cfdb6afbd882a72e5b64434764923bdd5ea754d39d0dd05fb1d60f8a1030e1c0160498641cb925

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
357bcdc0071e8265292df8c5447f3bfb

SHA1
58b37042985887a80f58f0e457e1359b6b1ab62d

SHA256
f87ed3f52dcb99984d27df25f6729ffaaf3296379ce31284efcddaed2b31730b

SHA512
8625443f38cc1a3e6a56ae673f5daf255ae679524556c8deb3257fd12ddeb8f3341ccc94c22a5a5b2fc69829855fe2956e9996d498b193b10af99b8d50af6956

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
14008bd7a8d80184d889dbeac7d714db

SHA1
29a2b70cbac3c45aa54a39382629ebb400d12003

SHA256
0bcb3bd388422201557345f18e63549d772f29c200beae0190477921c4e8eed8

SHA512
b059bc35ef49d694d7c772e339453546668a9cd86761c2769cc3dfc2355c9e30798c2e3684b15c712d6968851e66c4c7683eb4d2412a3f885db207f099c83140

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
fae5eb9cd8f305ec609d572ae766f0c2

SHA1
72d89aaf0f68a9c72ff3c149b04e6397e2d2e152

SHA256
c92e00050fc2e6cb1816385a0cb9b6aa574252c973670bb84a46dcd14c032d7d

SHA512
d900a8e6e73a9840b5f4b65902b295247afe06aa2f6aec58fe937c560e36c32376e6d2f524e2486c94ac45a41fe1f86ea65a6a10c25f5e50b612a338b86e5339

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
ed76a19e589ccb51db35b1b412c84c54

SHA1
c0ceca443bc8e2112822fd8699ab5aad9cef52b0

SHA256
4996c33f92087fdf7f63e64f865f619a2622d08381b0db625c522a9ddfed8e0c

SHA512
3b208abaec60f9810f61ba48b405410aca5a883ac6b12d93090b098509722a938373698bb28c1025e966b14451d3557ee434da4bf7a0ee618a06d58b2e4755c5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
cf6fae4edfa021aa720bc820229b31d3

SHA1
8bd7f4d026059b4e7d29aca26f52a36fcc3513ba

SHA256
97192e6fbff9e4b079fe4ce0141c45affc6d6a89101629366378f1680463af07

SHA512
e96715e8a7df14148b6ef02e30fe76c8d9dbcd7fda33582db3399cb1c1ea30fc3481aa55b9334ca65399fbc4c4a2691aa0baba3d5536e209a713116f80193206

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\ce3da5f6-63cd-4477-8c6e-9ae0b57d1230.tmp
Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
ba23faf92dcc94deb043f7f801f2a753

SHA1
94b4dc92408c90509126e0409b815296228d7e9c

SHA256
9e5868baa9a3e91d661118bbbe17d9c86708581bff59f30f5a8d30dbdb87425c

SHA512
3ff43133d6d246f6c083755f803bb823762f2bc365e99c93167d527b2b5aa5812d9a5981f617d19ae657663e401ed92a9f3ef07bfd2a01e7ffd627765041d84d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
89f55681cd116518c116754e0407b2c8

SHA1
f5d4aeb85e94ba181091d6a1ebca93915919c9c6

SHA256
f36101d056932eba1217b54d3ee1c54e0c6c4120087bf1e1e0781625d2be6fc9

SHA512
8db0dc249a77703508e63c8314af4bddcf54ac4f887b26409f743b344b94f9afe762d266cbac8b8097ffb28870d40841c7f64ed60acd087dbc1768db15b1c0cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
01e3064909e20deabd74ce26c7ebfc8d

SHA1
44984fbcc6bc1253e784453ff9814edec0021c6d

SHA256
bbbf933efb00a20a56d8630ed93ca0300ae78d7dc1c6b954a7f7f4e7d71e0a61

SHA512
c03be6723381e2f950f5c29f8ea9bbeb98fb4844127a7acca75889c57edd762cebe2ffba6f412d05527addc16577b569a8dcf7524af5a1df0db49418bb278343

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
352B

MD5
c32eadc503159be8124ab8af464c7f7a

SHA1
f8684426182497332f8a44a85172185017ace317

SHA256
cd5351dd6b9b6cf128883ab1cab3b8b64a92c877a63ca9ce9c592399d5f8c586

SHA512
f9f5fc6bce6830c9f420b332838ef0f08cdb915fc4c98f6564e98150d49cbb7c71351a59ad40c1066586cf3622ea2ca573b17d5974b4ec350a54425d32c87b21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
2e29c0b5a05621bda35335560f9a7707

SHA1
b08a0ad37fe5c300b3f0b322f5116f958ea5685b

SHA256
9cb4c58a6319b81c125b72fe6cf9bffe6f86e7c56602db9bb9ed480abdc08134

SHA512
30acaa7250014b097ccd89606d796f082f4df1e0b2a00d765c753abf35a9909c6fb9e41507bd110bf099c09d1bfccf24fbb28685afae5268a12f1597392c4a43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe578491.TMP
Filesize
2KB

MD5
8e5632bb5baca5f24f88c9e2a8eb2b6d

SHA1
71f7dee86640b602595b40c6a65d7ed4498cf00d

SHA256
88575950e262396bd009db3c75b18b3a1cd44b7b869b90f9b2c961ce9b74c1ad

SHA512
def476d83ba944f2fe83839108072677672a230218192751dd5e37305d42816e2db59b6f368fe8d3ca8848542ac3e3732dea3a58187c1e14f372ff2f721dffcc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
4ddc892f6aa74f7fc83782ce050fbf07

SHA1
61f33d085ae474db13c235e736cc63808e814e6a

SHA256
256932b2f01b3fa20ab46a8ee47fb2eb64c32c2f4d44db597f5b629463be218f

SHA512
248d8ae2b1f51e66c430adcc3e3fcf8766967aa0a6d0001686907df8b142c471976f4d98575f6c009591b32fab5cbb00d3b9caffa79c0f77d309ee6c97f10178

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
257KB

MD5
767e8ead85d6a0ada58bf5f69e92b8a4

SHA1
e19858978742c37b652c55a2463f45b9a9f0ced2

SHA256
7fa6ba1e12c0eabc177772361442f0e61d5df83e2f22bc7d45869088e23c604e

SHA512
956eafcb80f975deb2d29bb4027a7390c2f2287c701cf23cf8c4ba4332deda5f17803f77c60cefff053eebe2939ea15accb597280d7d7aae60fabee601332348

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
262KB

MD5
dbf6f3e7561c5db7512411aea3841b2a

SHA1
e03584a535ecc095aff3e8f0df6c632b807887a2

SHA256
492760c3637b897ac1e781559e16e8573500a87d7f4ea224d28d6f81f3cfb798

SHA512
1d1bf7203d1b1c8abffdb38cf3e828553944392011de2a941e92d8fea3513227dce2a144fb78981f45028c75f5b9411be18fffc61341cbb9dc55c41f7adf6d1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
282KB

MD5
08bb556e2c59d5dce7f3c770240bca4a

SHA1
7051b2aac4b157300a6e22fa78ee2ed631436fcc

SHA256
b10d621c0481df48588d29f04700fcd5ad62495ef6e0d190e3cc65c0189d3a77

SHA512
3f62156a3038b1f5a5dcfd8da93e4d42ee849255ae40addcfe186248dd8380285913a11d235e777742a21c821b1457d12b2c08c639b243f7ef53ea5b3ea1ba8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
262KB

MD5
fa3cbe4a9a56738906bcd9ad723829a1

SHA1
14efdcd93e7bc2aa98bd24bd4fd3e7948fb4654c

SHA256
0e4afa084751ca03f389ebde13742b90db6bf9fa1a3a130e8fc1c115f0eb98f0

SHA512
ac13ee2557ba3a190323e05174078845cc11dc06242e99f2cb00888ae01aa9d9e60dd7d2f516bf15d8b0938e93a5d18ad57ee434654efc0e7a692e50b8676a9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
91KB

MD5
9a67b07979a5898022e95066e279a954

SHA1
45b1342d1e987eea3f0adc13fb1608bf4afa5e66

SHA256
aeec484a04aecb64bb04c2a5f91a7961208f4c22e08b5331dc22943604b3b90e

SHA512
3c79a2d900c8af94a26dc62ed8c84a0f175a675b641325d2de62c03ad4a8a76e3ea69d37f3e2a89229518b253da8509235d419e87dc31da11f9b49cba9915bcf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57f9e1.TMP
Filesize
88KB

MD5
a53a31bc5efddaba059893c7ef5ab9ec

SHA1
9fce2d068f0ae07e9c622b893732cd4c667c0125

SHA256
c6d2e577b370088c55d3727e8bc2b6d3697ca933656745d9014f45371683e482

SHA512
f06776e7b345cc489990e989d13360c6e902b8bfbba963818ac751f7255b2c266cfeb79980ac5f335b2771c7fc284eb5e67834100127ece3241a98d9bd5873f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
7KB

MD5
b165d546a2e64d328618c45bbdd53ee2

SHA1
4c6b67a6f9ab4e437a066308f13c8b61a2484096

SHA256
48f620090966fa91ba8ba3b13aefbdac17a7c2e71c1cec5e4cb63ec7e624762f

SHA512
04711789a7d3009f3ef20dd4bc2274a3ba31fa2f5c862dc55391057accdd0e5475329d922fa72f3cd1be58382e59b56afe48a3c5837e70a83ca94a9165f96d5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
8KB

MD5
a7a5537d7a5850a18f8057d025edc58d

SHA1
55b4771bcc6d033ae5c601b9349bcd08de1027f4

SHA256
d917e92080dcb706bd482638e7895b9e00e5a44606a9d9dbf3eabb481cfb7eb3

SHA512
336f5b208ad2bf87e64c4e0e6c38dd2e00daee141c4345db45f2345dafe7660e8b8a1cee58c94df908bc0445f22adf23a298e65fce4e78dee48ffacaa6e63e1f

Download Submit
C:\Users\Admin\AppData\Roaming\27dd3596c8648821.bin
Filesize
12KB

MD5
a353055a2de383e1334833519a69b227

SHA1
265face8c150116b822e451da1c359e0a67b1052

SHA256
5df99854f3457a68bf57272bfadcd3f7a0783e3fbcb12ee63b3c2ba5e20c7917

SHA512
24777716f790b791511e33305991793577c4e4fa6a5c8a9cd6025813d6d0a60a5ece0b3fc127ff6a012acc1e4e90bc4e3bd5d572d64c56e63914607449cdcabe

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
e29a5a2a8bf82e158d50c392d864a4fa

SHA1
b850e6724508847dba2ce05a315ae8cbcb3fd52b

SHA256
3492c32fc9a46640577fbc72c8e1d3254d53cee0247cdf56f8a9743bf5d3275d

SHA512
2db88a214b2335d4e8af1399fd2da76ff5d280bc1247bd25d19fc6935efbed103e240cc954001527987a21773bb22d32141f9da29f79a0580004aef9a7aa4afc

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
7a6de640f076b6ec05aa4933df5c10b1

SHA1
b384a931d496038fcdb7cb84407fc9512b1124a6

SHA256
d9dc8898b5aa653d2d2fbc32c20114310f320e26cfd1b25e654d9a9579d46e7b

SHA512
52bc4217d60ef4240844bc7b2c230f2ddfafa7776b5a0982414b113b4f5b29d2469badef0a7541fef63a9e1251467a0f385db664fa86d52f957084f1703ae2ad

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
69f1871f700dae67dd4628dc7b5a6877

SHA1
99f35dfb171a5c820751267310da21982a7e82e5

SHA256
1afb3b2179a75c9e96b66fb63efd1034d4945fa952ed5dedc3206b506dfc8bec

SHA512
0ca46d5e477ae4215557eee567ee9d6ced7b70e4df468d335863393433bc40ceabdafd1431ec73c35bbe98fbcb5abf6c81b2d68439bb08db5da05ee49b3471bf

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
19a39c46a5b7bf1317110adefcd5f6ba

SHA1
018ebf810b91f68c4d1e71f24388ebb95bd2418d

SHA256
72259703518b14efa180aabec17929227052818ba44ac53d04d76da7d3ad2400

SHA512
accbe3ddfe9ce8a815a03426e429a103c69adfa40bab5971a7d7e4ada3335bfc1abbb28cf4230731b0e03c766cddd660416e21a9b5bb98dd0434c210e69db079

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
1c86978dffe2fcfc581ed087a2fef7d6

SHA1
ea26adbfec0a4b19f02e7d1ea644b3bad7979637

SHA256
45a96b3f0151e725e4e57f1f4f6ada58d35303482fa4d064d96814ca1a9182b4

SHA512
f501912b452b28c2d0bdcda8ddda0eb30e7474cfa6ce4b4292c52fd5d278efe6b97d18d722945998bcba032652040002d5dc896b8a7f8ae4649e4bb80d198c68

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
9a745a0ef712691d7fe9746683c6ab31

SHA1
1519c3b908143af05a053598eedf97fc1f7f5123

SHA256
b2c89d6f2fd5af05c4e226be179640181b812adddfafe66191e8c24587fbeaa4

SHA512
7f880912f50cfe57d4584101aac54709855e430c78096bd65eac8ddc49f0fe636a5c2ddde229ea9e073227801e48f11baa9806125ff257418434e7eb01de341c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
365933e6db0c0f25f0c6858ccd3b17c1

SHA1
00e651f27af17ddab6934caf21741e921ebe3047

SHA256
0b1dc4aa115d0405f57afc4c091083f5006f16d0ce6b1317dd5044d71313c8f8

SHA512
e089b032dd6c2203b9e3e9aaf0666178f76a95daad1c32d14131dbb909233053b83401990b2dae03973027fe6b90bdf5a469fb3a4215ddfd92f63fe1f4c605f7

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
aa22dc0f0e27cb8d4c17fde010a8f6a0

SHA1
0f50f80e8095782bae5bce8457d7a32639df169a

SHA256
c2dae7771056aef32c6f74f8339ab0ed8fed51fd0ba8f193939899f0d9877279

SHA512
ddccb3e9ae733dc48ec1c00ad4df3425cf8763868d2c0fa2358ab722bef0fc4a2abb6bacb7c41a795b31712fdafb6ddfb643f8785cd6b3d8fc262252ea3fb184

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
cdfdd32c7297c1c928d1f63da0bfff26

SHA1
10b872ec3d397ccbe7e05a0e97dce93dbdbd7f41

SHA256
6a4ce03dbe48cd17de9f3a3739a0b59deb4195bc65a4f0696a513539af871900

SHA512
c705bc88401d286ab8cfb69c6c036823109c4fd1288720c29600cebacddad3de4752d5e1dcf5f2ef81dd47e716b81f14757bf19d0adbdacc67f2007c3ea4a414

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
a8008352a635171643610ac3c8c1caff

SHA1
776fbb231ab1b439e876b7b69c34d440dd515438

SHA256
53d8795f2d161e09661b79261e6a49cda4dcd67b80ca5b40afcb2d37d6117e53

SHA512
b55c6eff4d8cdb2eff58ed27ec27456bd4696b255f964eed46295248ee738c5ce57aea331ebbe59c68f6733aceae5507f280c932fb53902092d1f81abd705ce5

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
ca10ae832acd565c9059e24f3e7fbecc

SHA1
83c9a8c6a368086da512766c939a3721534aecaa

SHA256
988f08ecaccfe70658367a6582156e205d1e15594b2a5d12e7ff1ffaea747bfc

SHA512
446ba342ac0d582e125170378ee14fedb4647996047cbe719656cce4f81b22739a02e52302baf1f32c8b32444dc53bef623f45ed570a0ce20b1448479f5540d3

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
717c902a28477dc1f2f50f7f48ef0234

SHA1
ebe0852b9c1e42a143bdc02fe84d959eb63ff153

SHA256
e6c2fa0d9fe29d5ea7ef596496a2ef0747cce87a50b527bfa65733cb124c5d99

SHA512
3181b50a30d32935a78955cdb7f4f1d3138216649096145479d059f43041d686214e518298ddf97a939d0c544feaf18c87d16702d82baad178ef13acf426ccf9

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
064e43732a62203c9640d0c0614d4e2e

SHA1
d9d7d1e7503c33b196ff84d54a41fb2cb25adfb1

SHA256
7c23f2d3d556a920f861572c980291e1fafce1368b7dd2c3cc713e4576a87180

SHA512
f63d348dd3e3bec315df8f0731b2c179c1a1b9a62ce8ca187b93ddbe6ca4ea061f7cff1b51569c263366e1c44709b22cfccc3585b19a9b05fe2a09160c524c38

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
cce007e407cc53c54d7a21f4d46c824d

SHA1
bba0399657d422b1915a62253010f9586cb8180f

SHA256
a1208ecf96ca7786d5c53bcfff40ac46c8d1cf6bbdde88fa8ec79baf1dfcb29a

SHA512
37d58ab0d22f682518512015cecc0a2ec338f9a72e6ff250a9a4a2142c286c0bd27eaebc324f3e0602343c2029595c3c156dbcbbdeeb7396a32f2210b041087d

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
bf3c8b974fd72a27da6276527fb6fb7a

SHA1
ccc3765dcfc277e60471073dacefe9764344673b

SHA256
2d6131e888562b51bd5ec69a22996428ef5ad8214021253286244ec335d22496

SHA512
9a1929cb6da2f4292b15703b9a5b2d632fdb41197b8c1c120f34c195f493bd1f953cdf70ace41c650f6c1c317a13facb6ed4b23af788d9336c1ac0c08eec57ce

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
51927dd8546094ef12a84a0b77f2a14b

SHA1
d825c6faf27e7dd80a172c00883fb074d6e9dbbc

SHA256
770b47275ad99f78c5be8ce9151155a909e6616bab0ab9af643b916e5de74a3d

SHA512
6488cce057a91ca3c90122dc9fd8a5f80e5ba22c8784d24ee4fa4bf51d74e6675ab926c99bcfa435f478fbea53aac98fb05659938e63dc278971033d204fe365

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
53d8ec32f46ff682c8309cf347647a1c

SHA1
4844765913fce03221ef8ff551b4e415ab76341d

SHA256
1359092d16096c5f246440c57a0d49126899a2402fdecf5c450d2cc16d818a2b

SHA512
a3f7a6dafaf3d561ab77c7acfdb98d7303ee48794d20ca2b1644487d1f30cab483100420df2419bc193d8ef68e8c03a84f2c83c49dc771c502b5d0757061be1e

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
27e0a65122fdc31da9683682dbb03de8

SHA1
47248ebc81a92da4397df207d15b91db479c3818

SHA256
7d0b559f7ae35489418a086d8eca2d9ea5fca3d60aa35a4903b7e1980b753a56

SHA512
a3b216c44ebfc2912cc991ba18b2f8762fa40c616f347ecfc00faf42a68a41b59b47380f0599455ced2f514cfc916f0b3a6a5c2e197d2a5a153c6ae010a1355f

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
63c24fafa38c1b0109d7b33c1be0d22e

SHA1
9b3ae6d17378fa094069f9aef62df034089e3083

SHA256
5928caa89b1d2b710b06e2032deeeb129c5844abc95bb506a96a2181663fdb20

SHA512
1387ef7a3e1e729ec2d22463f44463c5645c772a8336127bbbc7532923abb04b62bbfadf10c12c2f6b50d1ffb567ae4059efe192f3fc0ffdd90ff0cafaacb6b0

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
d3dc3c2d99a67142bac4ee4f9a55d7bd

SHA1
c2e299a0211058f8d169cec8a4d2ec0ed371fddc

SHA256
1eca9ab4712d5060638551558c5d876ee4a668a022be1f27441b63b3632dbe87

SHA512
538090e1fe0f45fc4a977a6bd3eb4f956afc61842e68e5e71ee635719312fd605ce113b22aa16b6d1fe2809e3e3c944a270885ed22e362d508af67bbdd7dc9cd

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
69a4a4e91d615db0610c9d2aad74b073

SHA1
540af7931ffea6cf6125ab378d0417c46311189c

SHA256
8a3b6589609cf02efad798095b965141f86b90cb6ba7c8ba15bbd93c2466bb7c

SHA512
7fd6080a2c4d2c4207cb7c8d8a62a640a7163e8f0569b66fdd5869c8f95e6b41bf6fa8ff7d326016e2c456fd804015dfca6f66685d7d12289c454b95cc34b6d2

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
0261a3a02ba97726595291ef2d2f87f9

SHA1
efbf6a8051b344221463249b335925c819a9572c

SHA256
9796ec2a642b4a6ee91b28be0989b15f163f8367835244d385ab761208b7b77f

SHA512
52fd967d81e7e61586823059209cae9960ebd4ab93fd7cfe5efd29b44e27decddb36d4d4b967c54335fae50823297832fe25b6f7bafbf60ee66a57726fc3b5b4

Download Submit
\??\pipe\crashpad_4528_DEEBIPTLGRGVHVAE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/60-226-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/752-91-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/752-787-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/752-79-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/752-85-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1080-363-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1276-371-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1404-45-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1404-580-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1404-53-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1404-54-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1576-357-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2176-800-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2176-373-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2412-364-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2484-21-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2484-0-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2484-36-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2484-9-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2484-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2724-38-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2724-562-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2724-29-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2724-37-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2900-354-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2948-358-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2948-637-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3352-362-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3620-355-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3716-360-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4004-18-0x0000000002000000-0x0000000002060000-memory.dmp

Filesize
384KB

Download
memory/4004-12-0x0000000002000000-0x0000000002060000-memory.dmp

Filesize
384KB

Download
memory/4004-24-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4004-513-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4296-372-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4296-799-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4396-361-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4476-359-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4512-57-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/4512-75-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4512-89-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4512-63-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/4512-87-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/4552-73-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4552-469-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4552-77-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4884-119-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4932-356-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4988-106-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4988-93-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4988-101-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5460-614-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5460-548-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5684-801-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5684-557-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5800-603-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5800-571-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5876-806-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5876-589-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download